Genii Weblog

More Security Does Not Make You More Secure

Fri 2 Apr 2004, 09:10 AM

by Ben Langhinrichs

There are signs in the DC subways that read:
More Security Does Not Make You More Secure;
Better Management Does!
I think the company putting the ad up is Computer Associates, but the premise is an interesting one. It is often easy to add more security, but the real challenge is to make systems more secure. A good example in the Notes/Domino world is ECLs (Execution Control Lists), which are great because they offer a warning before executing potentially malicious code, but which offer nothing without a certain amount of training and management. If users simply click through the extra warning and go on, they are not protected, and they most certainly will click through if too many ECL warnings are displayed. It is like having sixteen locks on your door and leaving the door open because it takes too long to lock and unlock all of them. I know some companies have been very happy with ECLs, and they mostly seem to have very well thought out rules about how they are used and applied. I know other companies that basically don't use them, and they generally either started out way too restrictive or never applied them in the first place.

What is your experience? Does your company use, or misuse, ECLs?

Copyright © 2004 Genii Software Ltd.

What has been said:

137.1. Rob McDonagh
(04/02/2004 07:27 AM)

Hm. The instructions for inserting links in comments are either misleading or much too complicated for my simple mind, since I screwed the pooch pretty thoroughly...


137.2. Ben Langhinrichs
(04/02/2004 07:31 AM)

I did read it, although I had forgotten it. Good article.

The frequent password thing irritates me no end. I remember being in a bank and watching one of the bank managers logging in to his account. He pulled out his drawer and looked up his password, then told me the passwords must be changed every week (or maybe two weeks, I don't remember) and he can't keep track, so he writes them down and puts them in his top drawer. Great security, eh?

What is hard after travelling recently by plane, and then facing all the security in Washington, DC these days, is knowing what security is reasonable and what is just wanton excess. Are we more secure, or do we just have more security?


137.3. Ben Langhinrichs
(04/02/2004 07:49 AM)

I fixed the link. I'm not sure what was wrong with the HTML, but I really like the phrase "screwed the pooch". I'll have to remember that one.


137.4. Gerco Wolfswinkel
(04/05/2004 01:58 AM)

What we (or our customers) usually do, is have a fairly tight ECL that only allows certain users/servers to run/do stuff. Administrators are often part of this group, but there are also customers that have a dedicated database signer ID.

If signing databases is done consistently (and it usually is), ECL alerts are rare. And if they happen, they trigger helpdesk calls - which is what you'd want to happen, imho.