[4001] in WWW Security List Archive
Re: OS/390 and WWW
daemon@ATHENA.MIT.EDU (Dan Geer)
Thu Jan 16 16:33:47 1997
To: Arjan Vos <arjan@pino.demon.nl>, Shin Katsumata <skat@flask.com>
cc: www-security@ns2.rutgers.edu
In-reply-to: Your message of "Wed, 15 Jan 1997 23:45:21 +0100." <Pine.LNX.3.95.970115233713.416A-100000@pino.demon.nl>
Date: Thu, 16 Jan 1997 10:42:14 -0500
From: Dan Geer <geer@openmarket.com>
Errors-To: owner-www-security@ns2.rutgers.edu
> Many intranets I've seen were wide open to all the company - worse,
> companies are implementing intranets without knowing what they're doing.
Repeating what for me is a mantra, real security threats are
largely due to the lack of an adequate internal security
regime. Perry Mason evaluation (motive and opportunity)
is optimal for the insider and, for that matter,

Q: What is the first measure of success for an external attacker?
A: Gaining the identity of an internal person.

So, if you have a well-thought-out internal security regime
with compartmentalization of its failure modes, you solve
much of the external attack problem as a side effect or at
least can do so at little marginal cost.
--dan