RE: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 06/03/04

    To: Phil Burg <Phil.Burg@colesmyer.com.au>
    Date: Thu, 3 Jun 2004 09:35:34 -0400 (EDT)
    
    

    On Thu, 3 Jun 2004, Phil Burg wrote:

    > This part, IMNSHO, is a key part of your risk management policy /
    > standard / whatever $YOUR_SITE calls it: you need to clearly
    > define who evaluates security risks and how they do it, the intention
    > being to arrive at a situation wherein any suitably qualified person
    > (for some value of suitably qualified) can pick up your RM documentation
    > and produce a very similar assessment of the risk as any other suitably
    > qualified person would produce. And of course it needs to be auditable.

    *Exactly.* Someone has to _own_ risk management. The people who don't
    own it should have input, but not the ability to nitpick. That means the
    organization must be comfortable with the person who owns it being able to
    assess not just the security risk, but the business risk and weigh the
    two.

    Generally, though it seemed like I rejected everything put to me, in fact,
    almost all of my rejections were "no, we won't just open up $foo and let
    you do it on $bar, but if you're willing to buy $baz and move things
    thusly..." Naturally, I started with "No!" because I'm always in default
    denial ;)

    > Selling this to management at $YOUR_SITE is left as an exercise to the
    > reader...

    *No!*[1] This is where we *absolutely* need to share experiences- if it
    worked for me, it should work for someone else. Enough of those and we
    can make some forward progress industry-wide.

    There are half a zillion things dedicated to "How do I block P2P?" We
    need more "How do I gain and keep responsibility?"

    When I left my last company, I thought they'd throw a huge party. I know
    I'd pissed off at least hundreds, if not thousands of my co-workers by not
    allowing them lots of cool, fun and potentially profitable services. I
    didn't make exceptions (even for me,) didn't give politically correct
    answers, and didn't bend one bit on my policy. I upset lots and lots of
    people, lots and lots of times. The sentiment I got when I said "Bet
    you're glad I'm leaving!" was completely the opposite of what I expected.

    They understood that I did my job, and my job was to protect the company.
    They knew that the company was going to take on more risk within a week or
    two- because like most large corporations, there was a lot of internal
    politics, and very few people will take the "more likely to be career
    limiting, but right" path.

    In the end, the people who I interacted with most for new things had
    gotten to realize that it was easier by far to come and ask me how they
    should do something new than to fight for the right to do it at all after
    sneaking it in.

    The years of fighting before that weren't fun (mostly for them- I was the
    undefeated NO champion of the Universe!)- but they got to where network
    security (and infrastructure) became a part of the "we must cover this"
    phase of any project.

    Paul
    [1.] There I go again!
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

