Re: [iwar] Another case of security by denial

At 08:44 PM 12/16/2003 -0800, you wrote:
>Per the message sent by Tony Bartoletti:
>
> > >Mr. Schwartau concludes that security experts must focus on the
> > >capabilities rather than the motives of potential adversaries.
>
> > An excellent point. Where the capabilities exist, SOMEONE will find a
> motive.
>
> > Motive-based risk assessment is important at the margins, but cannot trump
> > consideration of systemic vulnerability.
>
>The problem with this approach is that capabilities without intent makes
>for overprotected environments. I know that there are lots of folks
>with amazing capabilities but if I try to protect my toy store against
>Russians who might want to find out how many Tonka trucks I sell I will
>go out of business.

True, but this overlaps a bit with "consequence assessment".

Under the "someone somewhere will have a motive" doctrine, one must still
weigh cost/benefit with respect to the consequences of a successful
exploitation.

In earlier times (most threats being use of substantial physical force) one
had reason to focus upon (say) Russia as opposed to (say) Tonga. Things
like "throw weight" figured into most strategic calculations, and you had
to be a really big boy to throw anything of consequence.

Where information and cyber-modulated facilities are concerned, asymmetry
can reach extreme proportions. Precocious young virus authors wreak
N-million dollar havoc with impunity, often acting alone with limited
skills and resources. Somewhere between these misguided loners and
megalithic threat machines (big nations), there is a spectrum of variably
motivated and skilled groups.

Fortunately, that asymmetry works for you when applying mitigation. Fix
the flaw that makes you vulnerable to the kid next door, and you close THAT
vulnerability to everyone everywhere, including agents of foreign power.

> > -- "Nature always sides with the hidden flaw"
>
>Nature is pretty much probabilistic in nature - human attackers are not
>as predictable.

Individually, yes. En masse, I'm not so sure. :)

____tony____

Tony Bartoletti 925-422-3881 <azb@llnl.gov>
Information Operations and Assurance Center
Lawrence Livermore National Laboratory
Livermore, CA 94551-9900

------------------
http://all.net/

------------------------ Yahoo! Groups Sponsor ---------------------~-->
Buy Ink Cartridges or Refill Kits for your HP, Epson, Canon or Lexmark
Printer at MyInks.com. Free s/h on orders $50 or more to the US & Canada.
http://www.c1tracking.com/l.asp?cid=5511
http://us.click.yahoo.com/mOAaAA/3exGAA/qnsNAA/kgFolB/TM
---------------------------------------------------------------------~->

Yahoo! Groups Links

To visit your group on the web, go to:
 http://groups.yahoo.com/group/iwar/

To unsubscribe from this group, send an email to:
 iwar-unsubscribe@yahoogroups.com

Your use of Yahoo! Groups is subject to:
 http://docs.yahoo.com/info/terms/
Received on Wed Dec 17 12:10:13 2003