Re: [fw-wiz] iso 17799

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 07/21/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 21 Jul 2004 04:42:10 +0530
    
    

    On 20/07/04 14:00 -0400, Dana Nowell wrote:
    <snip>
    > >I can likely negate 90% of the same risk with 10% of most "Best
    > >practices-" so it's really expensive to implement the other 90% of those
    > >practices- without a good risk/reward scheme or legislation, people are
    > >unlikely to go full-force on such systems. I can also implement them
    > >poorly or well- none of that seems to make them any easier.
    > >
    >
    > Great, how do the rest of us learn to negate 90% of the risk? Got a paper
    > somewhere? Written up an FAQ? Guideline? "Best Practice"? :-) Know of a
    > good repository of that type of thing? Or is every newbie supposed to post
    > the question to the list to extract your knowledge, say every other month?
    > ('cause you KNOW they don't search the archives)
    >
    I was thinking about this topic a few hours before this mail came in.
    I think that the discussion on airgap firewalls and TCP resets in BGP
    does cover quite a bit of ground on that topic.

    IIRC, the NIST does have guidelines and checklists for such things.

    A short list of points of security concepts (which need to be understood):

    1> Security is all about limiting access.
    2> 100% control is impossible. There are always risks.
    3> The cost of implementing a security solution MUST always be less than
    the possible loss.
    4> Security is defined by a policy, which has to be set by management.
    5> Security should not be the responsibility of a single system. It must
    be pervasive through the organisation.
    6> This means that security covers things like physical security,
    network security for servers, desktops, network equipment and the
    network itself.
    7> Firewalls are supposed to separate and restrict traffic.
    8> Firewalls should be in default deny mode because their job is to
    restrict.
    9> All users should be given the least privileges and access they need
    to do their job. Any process other than the kernel is to be treated as a
    user. This may involve not having the user connect to the network at
    all.
    10> Monitoring your systems is an integral part of security. This is
    where an IDS and log analysis come into play.
    11> Acting on the reports of the monitoring systems is defined by the
    policy.
    12> Always remember to ask for business justification if asked to make
    any changes.
    13> Document everything.
    14> Have a backup policy handy. Disasters do happen.

    Anything generic that I have missed out?

    <snip>
    > IMO, the 'push for standards' is because the field is exploding AND
    > maturing and many, many, newbies are being thrown in to the fire everyday.
    > The brighter (mentally, not visually) of the crispy critters are looking
    > for some sort of centralized help instead of 10,000 'one shot' questions on
    > a list. Don't get me wrong, the list is useful. I've been on the/a

    Is that the brighter ones, or the less bright ones who can't figure
    things out for themselves because they don't know how?
    I know I learnt a lot lurking on this list and reading things.

    The security-basics list at securityfocus was useful earlier.

    There are *lots* of books on security in the market today.
    "Building Internet Firewalls" is a pretty good one to start off with.

    > firewalls list since GreatPlains hosted one. But now that I'm stuck
    > between the current crop of crispy critters and the Pointy Haired Boss,
    > something to point one or the other at would help :-). So I have my list
    > of reference materials for the critters, I cull the tech news regularly for
    > the PHB, do my work, and try to find time to expand my sources, oh yeah,
    > and fit in a life. In my spare time, I dream of the magic repository that
    > will actually off-load some of the work. I'm not sure it will, or can,
    > ever exist but it sure would be nice.
    Don't we all?

    > The frustration is that people on this list 'generally' solve the same
    > problems, use lots of the same references, sites, and resources. This list
    > is dedicated to answering specific questions about firewall
    > implementations, a good thing. However no centralized list or repository
    > exists to share the 'other' information required in the real world
    > (training materials, reference materials, example risk
    > assessments/documents, staff/food chain management issues, software, etc.).
    > The list is good, it does its job well, too well, people want the other
    > problems solved as well and currently they can't have it.

    There is a list on risks out there. I have heard it is fairly good, but
    I really can't keep up with current mail either.
    Software is available, lots of choices. The knowledge to make an informed
    choice is slightly harder to get.
     
    > In one man's opinion, that's one of the main reasons why we see the push
    > for 'standards'. It's not really standards people want, so much as
    > direction/help with the 'other' parts of their job. The learning,
    > training, tools, samples, and other pieces that list isn't fully supplying
    > would probably sate some of the hunger and be more real world useful than a
    > bucket full of rigid standards.

    Agreed. Even more than the learning and training materials, the reference
    materials for the "social" part of security are what is missing. How to
    say no to a manager when (s)he is screaming at you to do something that
    you aren't confident about. Sample documentation on justifying security
    expenses.

    This sounds rather like the contents of a management course :).

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
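As an added illustration of points 7, 8 and 10 in the post above (this is example code written for this page, not part of Devdas Bhagat's message or any firewall product), the following Python models a first-match packet policy and evaluates the same explicit allow rules under a default-deny and a default-allow posture. The topology, addresses (RFC 5737 documentation ranges) and the sample flows are all constructed for the example; the point it shows is that with default-allow, a service nobody wrote a rule for (here, a database listener) is reachable from outside without anyone having decided that, while default-deny blocks it and gives the monitoring side a log line to act on.

```python
"""Default-deny vs default-allow: a first-match packet policy evaluated on
constructed flows (added example; not code from the original post)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_NET = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = ANY_NET
    dst: str = ANY_NET
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


class Policy:
    """First matching rule wins; unmatched traffic gets the default action."""

    def __init__(self, name: str, rules: List[Rule], default: str):
        assert default in ("allow", "deny")
        self.name, self.rules, self.default = name, rules, default

    def decide(self, f: Flow) -> Tuple[str, Optional[int]]:
        for i, r in enumerate(self.rules):
            if r.matches(f):
                return r.action, i
        return self.default, None     # unmatched traffic: the default decides


# Hypothetical topology (addresses from RFC 5737 documentation ranges):
#   192.0.2.0/24 is the DMZ, 192.0.2.10 the public web server,
#   10.0.0.0/8 the internal network, 198.51.100.0/24 stands in for the Internet.
ALLOW_RULES = [
    Rule("allow", dst="192.0.2.10", proto="tcp", dport=80),
    Rule("allow", dst="192.0.2.10", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", dst="192.0.2.0/24", proto="tcp", dport=22),
]

# Identical explicit rules; only the default differs (point 8 in the post).
DEFAULT_DENY = Policy("default-deny", ALLOW_RULES, default="deny")
DEFAULT_ALLOW = Policy("default-allow", ALLOW_RULES, default="allow")

# Constructed sample traffic, including a database listener that was never
# meant to be reachable from outside and for which nobody wrote a rule.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", "tcp", 443),    # public HTTPS
    Flow("10.1.2.3", "192.0.2.10", "tcp", 22),         # admin SSH from inside
    Flow("198.51.100.7", "192.0.2.10", "tcp", 22),     # SSH from outside
    Flow("198.51.100.9", "192.0.2.20", "tcp", 3306),   # forgotten DB port
]


def exposed_by_default(policy: Policy, flows: List[Flow]) -> List[Flow]:
    """Flows this policy allows only because no rule matched them."""
    return [f for f in flows if policy.decide(f) == ("allow", None)]


def deny_log(policy: Policy, flows: List[Flow]) -> List[str]:
    """One constructed log line per denied flow, for the monitoring side (point 10)."""
    lines = []
    for f in flows:
        action, idx = policy.decide(f)
        if action == "deny":
            why = f"rule {idx}" if idx is not None else "default"
            lines.append(f"DENY {f.proto} {f.src} -> {f.dst}:{f.dport} ({why})")
    return lines


if __name__ == "__main__":
    for p in (DEFAULT_DENY, DEFAULT_ALLOW):
        print(p.name, "silently exposes:", exposed_by_default(p, SAMPLE_FLOWS))
    for line in deny_log(DEFAULT_DENY, SAMPLE_FLOWS):
        print(line)
```

Running it shows the default-deny policy exposing nothing and logging two denials (the outside SSH attempt and the stray database port), while the default-allow policy exposes both of those flows and logs nothing, which is exactly the gap a real ruleset review is looking for.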

