Re: [fw-wiz] iso 17799
From: Paul D. Robertson (paul_at_compuwar.net)
To: Dana Nowell <DanaNowell@cornerstonesoftware.com>
Date: Tue, 20 Jul 2004 14:48:18 -0400 (EDT)
On Tue, 20 Jul 2004, Dana Nowell wrote:
> OK, I'll put my head in the noose again ...
> >I can likely negate 90% of the same risk with 10% of most "Best
> >practices-" so it's really expensive to implement the other 90% of those
> >practices- without a good risk/reward scheme or legislation, people are
> >unlikely to go full-force on such systems. I can also implement them
> >poorly or well- none of that seems to make them any easier.
> Great, how do the rest of us learn to negate 90% of the risk? Got a paper
You pay me lots and lots of money and beer! ;)
> somewhere? Written up an FAQ? Guideline? "Best Practice"? :-) Know of a
> good repository of that type of thing? Or is every newbie supposed to post
> the question to the list to extract your knowledge, say every other month?
> ('cause you KNOW they don't search the archives)
I think that some of it is FAQ material, some of it is experience and some
of it is situational. Maybe one day, I'll write my magnum opus about
practical security, but nobody will read it anyway, because it's easier to
just ask which firewall you should buy!
> >Every time I've read a security standard document, I've disagreed with
> >parts of it, and thought other parts were not clear enough. Mostly
> >though, I've been bored out of my skull dealing with the language barrier
> >between a standard and implementing it.
> Yup and several sections don't really apply and ... But DID IT HELP you
> get the job done/solidify an opinion? (OK, maybe you aren't a good
> example, would it help a newbie?)
Well, it depends on what "the job" is- if it's implement this document,
then sure! If it's reduce risk, then maybe. If it's understand what
you're implementing and why, then probably not.
> IMO, the 'push for standards' is because the field is exploding AND
> maturing and many, many newbies are being thrown into the fire every day.
> The brighter (mentally, not visually) of the crispy critters are looking
> for some sort of centralized help instead of 10,000 'one shot' questions on
> a list. Don't get me wrong, the list is useful. I've been on the/a
> firewalls list since GreatPlains hosted one. But now that I'm stuck
Um, you mean GreatCircle? ;)
> between the current crop of crispy critters and the Pointy Haired Boss,
> something to point one or the other at would help :-). So I have my list
> of reference materials for the critters, I cull the tech news regularly for
> the PHB, do my work, and try to find time to expand my sources, oh yeah,
> and fit in a life. In my spare time, I dream of the magic repository that
> will actually off-load some of the work. I'm not sure it will, or can,
> ever exist but it sure would be nice.
When it becomes that easy, the systems will implement it themselves.
> The frustration is that people on this list 'generally' solve the same
> problems, use lots of the same references, sites, and resources. This list
> is dedicated to answering specific questions about firewall
> implementations, a good thing. However, no centralized list or repository
> exists to share the 'other' information required in the real world
> (training materials, reference materials, example risk
> assessments/documents, staff/food chain management issues, software, etc.).
> The list is good, it does its job well, too well, people want the other
> problems solved as well and currently they can't have it.
I'd be happy to set up a repository. Either officially in conjunction
with the list, or unofficially on my own site.
> In one man's opinion, that's one of the main reasons why we see the push
> for 'standards'. It's not really standards people want, so much as
> direction/help with the 'other' parts of their job. The learning,
> training, tools, samples, and other pieces that list isn't fully supplying
> would probably sate some of the hunger and be more real world useful than a
> bucket full of rigid standards.
> (Returns to lurk mode, hopefully withdrawing neck from noose)
Personally, I think we'd be better off with training on how to think about
security at that level, and what sorts of things to watch out for. But
I'm stubborn enough to think that we can teach them to fish, even if they
do just want to do the drive-through.
Paul D. Robertson
Director of Risk Assessment, TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list