[LINK] FBI targets suspects' pcs with spy virus
hartr@interweft.com.au
Fri, 23 Nov 2001 17:00:16 +1000 (EST)
On 23 Nov, Chirgwin, Richard wrote:
> As an aside to this, it surprises me that there's far less discussion of
> system-level trust in the security/privacy debate.
>
> For example, there are plenty of situations where the easiest way to
> compromise systems is inside the boxes rather than outside (remembering that
> unauthorised access is most commonly an inside job).

Sigh - internal security (and internal security threats such as
disgruntled employees, contractors etc) is at least as big a problem as
external security threats. Unfortunately, because such problems are
frequently hushed up, there are no terribly reliable statistics on this
(or for that matter about external security compromises).

When talking about internal security with customers, I always stress...

1) Technical issues are easy - people issues are difficult.
   One effect of this is that if staff are not involved so that
   they feel they 'own' the security policy and the policy ends up
   making their lives difficult (likely), they will spend time finding
   ways to circumvent this. On one site I dealt with, this led to a
   laptop user dialing out to their ISP connection whilst still
   connected to the internal LAN!

2) Physical security is as important as electronic security. I dealt
   with one (ASX listed) company that had its servers in the open office
   area, accessible to anyone!

--
Robert Hart hartr@interweft.com.au
Strategic IT & open source consulting +61 (0)438 385 533
Brisbane, Australia http://www.interweft.com.au