nCircle.com >> 360 Security


Policy Violation or Vulnerability?

It seems that in recent years, nay, the last decade, there has been a tendency to lump vulnerabilities and policy violations together. Is having an insecure password, running unencrypted services such as telnet, or exposing writable directories via ftpd more a vulnerability than a violation of policy, or simply the result of bad policy?

All of these things, while they can potentially be leveraged to compromise a system, can easily be addressed by applying best practices. Wouldn't it be better to call these types of scenarios out in the policy arena?
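As an added example (not code from the original post), here is what "calling these out in the policy arena" might look like as a host-configuration check: the three items named above, each evaluated against a stated policy and mapped to the best-practice remediation that closes it. The host record, the rule thresholds and the remediation wording are constructed assumptions, not anything the post specifies.

```python
"""Report common host findings as policy violations, each with a best-practice remediation.

Added example; the host record and the policy thresholds below are constructed.
"""
import stat
from dataclasses import dataclass

# Services that carry credentials or data in the clear. The assumed policy:
# they are either disabled or replaced by an encrypted equivalent.
CLEARTEXT_SERVICES = {
    "telnet": "disable telnet; use SSH",
    "ftp": "disable plain FTP; use SFTP or FTPS",
    "rlogin": "disable rlogin/rsh; use SSH",
}


@dataclass
class Finding:
    check: str        # which policy rule fired
    detail: str       # what was observed on the host
    remediation: str  # the best practice that closes the gap


def check_cleartext_services(enabled_services):
    """Flag every enabled service that the policy forbids in cleartext form."""
    return [
        Finding("cleartext-service", svc, CLEARTEXT_SERVICES[svc])
        for svc in enabled_services
        if svc in CLEARTEXT_SERVICES
    ]


def check_password_policy(policy, min_length=12):
    """Compare the host's effective password settings with the policy minimums."""
    findings = []
    observed = policy.get("min_length", 0)
    if observed < min_length:
        findings.append(Finding(
            "password-policy",
            f"min_length={observed} (policy requires {min_length})",
            f"set the minimum password length to {min_length}",
        ))
    if policy.get("allow_empty", False):
        findings.append(Finding(
            "password-policy",
            "empty passwords permitted",
            "require a non-empty password for every account",
        ))
    return findings


def check_ftp_directories(ftp_dirs):
    """Flag FTP-served directories whose mode bits grant write access to everyone."""
    findings = []
    for path, mode in ftp_dirs:
        if mode & stat.S_IWOTH:  # world-writable bit set
            findings.append(Finding(
                "writable-ftp-dir",
                f"{path} mode {oct(mode)}",
                "remove world-write (chmod o-w) or confine uploads to a dedicated "
                "non-executable incoming directory",
            ))
    return findings


def audit(host):
    """Run every policy check over one host record and collect the findings."""
    return (
        check_cleartext_services(host["services"])
        + check_password_policy(host["password_policy"])
        + check_ftp_directories(host["ftp_dirs"])
    )


# Constructed host record standing in for a real inventory export.
SAMPLE_HOST = {
    "services": ["ssh", "telnet", "ftp", "http"],
    "password_policy": {"min_length": 6, "allow_empty": True},
    "ftp_dirs": [("/srv/ftp/pub", 0o755), ("/srv/ftp/incoming", 0o777)],
}


def audit_sample():
    """Audit the constructed host; returns five findings for the record above."""
    return audit(SAMPLE_HOST)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.check}] {f.detail} -> {f.remediation}")
```

Each finding names the rule, the observation and the fix, which is the point of treating these items as policy: the remediation is known in advance and does not depend on whether anyone has demonstrated a compromise.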

Comments, thoughts, etc.

Comments (1)

bsonne:

I see what you're getting at, but I suspect that the reason they're all lumped together as they are currently is because they are all being considered as vectors for attack. When considering them as vectors for attack I don't think it really matters how you separate them into classes.

Not that I agree with that, but I think it's a frame of mind that just gets propagated along. I'm not sure that significant enough advantages would be offered by 'calling them out in the policy arena'. It might prove too much effort and paperwork for some people, and as we all know, most people get pretty addicted to the way they think.


About

This page contains a single entry from the blog posted on April 8, 2005 5:54 PM.
