Posted by Barry Margolin on January 2, 2005, 10:54 pm
> In today's global corporate enterprise, threats of intrusion and
> compromise of software and data are obvious concerns.
>
> Something that's worth discussing is the ease with which security
> portals or GUI interfaces can be compromised. For the sake of
> argument, let's assume an insider [statistically the most likely
> intruder] manages to compromise the software that manages certain
> security parameters for your company.
>
> And let's further assume the activity is happening in the corporate
> space.
>
> It seems to me that a simple but effective mechanism for making this
> kind of scenario difficult is to graphically design a GUI that alerts
> anyone walking by that something is amiss. Yet surprisingly, many
> corporations have instituted rules that require GUI design to follow
> certain corporate branding templates.
I'm not following you. How does "corporate branding templates" conflict
with a requirement to display warnings when something is wrong?
But what I really don't understand is how you expect the GUI to produce
this alert. The premise is that the security has been compromised.
Doesn't that imply that the intruder has gotten around whatever
component is supposed to detect compromise attempts, and that's the
component that would display the alert?
>
> These kinds of bureaucratic obstacles to common sense security measures
> are often so painful to politically navigate that the entire subject is
> ignored.
>
> What I like to graphically see in a security application GUI is some
> kind of unique internal branding and color scheme that catches the
> attention of anyone passing in the hallways. Furthermore, this
> branding scheme must be well advertised as something to look for and to
> report as a suspicious activity.
Again, I don't understand you. Normal use of a security application
isn't "suspicious activity", is it?
> Additionally, the corporation needs to occasionally and randomly
> pre-arrange that a designated employee exercise a placebo security
> application in the public workspace. Individuals reporting the
> incident should receive some kind of worthwhile reward [an extra
> holiday, cash, whatever]. The message needs to be that it is worth the
> employee's time to report observable breaches of online security.
Testing security measures certainly would be a good idea, but I think
you're aiming too high. Try just having someone walk around the
building without an ID badge, and see how long it takes for anyone to
report him. I expect that in at least 90% of companies he could wander
the halls for a day or two, poking his head into offices, and no one
would say anything.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***