confidential data storage: home PCs v. company servers (was Re: TurboTax - Linux?)

Robin Laing Robin.Laing at drdc-rddc.gc.ca
Thu Feb 17 15:47:11 UTC 2005


James Ralston wrote:
> On 2005-02-14 at 09:24-06 Aleksandar Milivojevic <amilivojevic at pbl.ca> wrote:
> 
> 
>>Have in mind that breaking into your desktop PC is an almost zero-risk
>>thing.  There'll probably be no consequences for the attacker even in
>>the unlikely case that he is detected.  You do not have sufficient funds
>>to do much about it.  Your funds are barely enough to set up basic
>>defenses, for that matter.
> 
> 
> I think you underestimate the strength of the defenses that can be
> prepared from some second-hand PC hardware, the Fedora Core
> distribution, and the application of a little knowledge and time.
> 
> 
>>On the other hand, breaking into an accounting company's computers or
>>government computers is a completely different story.  They have the
>>funds to hunt down the attacker.
> 
> 
> And those same funds are what make them a juicy target for attackers
> in the first place.
> 
> Script kiddies will be stopped by trivial defenses.  Intelligent and
> determined attackers aren't going to waste their time targeting Joe
> User's home PC; they're going to go after more rewarding targets.
> 
> Even when intelligent and determined attackers *do* target home PCs
> (e.g., because spammers are paying for spam zombies), for every PC
> with even moderate defenses, there are at least 100 that can be
> successfully attacked with virtually no effort.  Why climb 50 feet up
> the tree to pluck a single fruit when there's plenty of fruit that's
> just as juicy at ground level, just waiting to be picked?
> 
> 
>>Unlike you, they have the funds to create a secure environment.
> 
> 
> Unlike me, they have to hire employees to run and maintain that secure
> environment.
> 
> This is significant, because it's relatively well-established that
> most security breaches originate from the inside (not from external
> attackers).  Here's a recent study:
> 
>     http://www.itsecurity.com/tecsnews/feb2005/feb78.htm
> 
> Whom do you trust more?  Yourself, or some random company's hundreds
> of employees?
> 
> 
>>If I have to keep my confidential data anywhere, the last place I'd
>>like to see it stored is a desktop Windows machine.
> 
> 
> In terms of network threats, I assert that a home Windows desktop
> machine, competently managed (up-to-date on security updates, running
> anti-virus software, running anti-spyware software, etc.) and used
> (using Firefox instead of IE, all accounts set up as restricted users,
> et al.), protected by an intelligently configured Linux-based
> firewall, is a more secure location for one's confidential data than
> the fileservers of a big corporation.
> 
> Of course, with a home PC, physical access attacks (e.g., a burglar
> breaking into your house and stealing your computer) are more
> difficult to defend against, but even physical access attacks can be
> mitigated to some degree...
> 

One thing that is missed is the increased usage of telecommuting.  If
home machines are hacked, that can allow a backdoor into the secure
company domain.  How many people who telecommute also get company
computers?  Many get the pleasure of using their own home computer.

Sure, the company may use a VPN and encryption between work and home, but
if the home machine gets compromised, all bets are off.  That is all the
more justification for higher security at home for telecommuters.


-- 
Robin Laing