Erik van Straten on Nostr
npub1dzv5n3kypy77e83p7hxk4dvn6d4dwd9yqsw924rgplx3z0pkqupqga5v2p (npub1dzv…5v2p) wrote (in https://infosec.exchange/@evacide@hachyderm.io/113451271787551269):
❞
if you are trying to tighten up your digital security, please start with threat modeling: https://ssd.eff.org/module/your-security-plan
❝
Although her intentions are undoubtedly good, this is not going to work for most people.
In fact, it may make them more vulnerable. For example, having a list with your most valuable assets adds a new risk: if that list falls into the wrong hands, attackers will know exactly what to look for (and where, if that's in the list).
The EFF page sounds like ISO 27001. In most cases such systems did and do not prevent companies from getting pwned.
Such systems are too generic; for example, every system admin knows that "turn off all unnecessary services" is pure theory, because nobody tells you which ones are unnecessary (why were they running in the first place?). And you don't know which update will turn them on again, or will not, but will make them necessary.
Even the title is misleading: "Surveillance Self-Defense" and a bit down the page: "Does my neighborhood have a history of burglaries? How trustworthy are my roommates/guests?"
What do burglars have to do with surveillance? How HUGE is your problem if your roommates/guests are NOT trustworthy? (Does an alternative of "get rid of them or move yourself" even exist?)
There are way too many question marks in said EFF page. For most people it is extremely hard and time consuming to think of ALL potential vulnerable "access points" that may exist, estimate the chance of an attack taking place plus the damage that may result, figure out the best affordable mitigating measures, implement them and keep everything up to date.
IMO we must make things a lot simpler; said EFF page just scares people away.
#InfoSec #ISO27001 #EFF #PersonalSecurity #Awareness #SecurityAwareness