On Mon, 14 Oct 2002 Valdis.Kletnieks@vt.edu wrote: > On Tue, 15 Oct 2002 11:06:09 +1000, Benny Nasution <bnas3@STUDENT.MONASH.EDU> said: > > Security always needs to be increased to reduce threats and risks, but > > these threats and risks are the ultimate ęsource of information about > > the quality of its ability. Therefore the better the security is > > developed the less information you will get about how to improve it. > > Proper auditing and instrumentation will tell you what's being *attempted*. > > Also, note that security is a *process*, and involves making trade-offs. > For instance, my network has well over 30K hosts on it. Even if I manage to > make 99% of them totally hack-proof, I need to expect an average of 1 host > to be hacked *every day*. Yes, I could probably harden it so 99.9% were You know something. In an earlier message someone mentioned the title "security expert". I think considering what we know of security on the internet that the term "security expert" is an oxymoron. Security experts are essentially crisis managers. And every firm should have one. regards joe baptista