Re: [fw-wiz] iso 17799
From: George Capehart (capegeo_at_opengroup.org)
Date: 07/21/04
- Previous message: Devdas Bhagat: "Re: [fw-wiz] SMTP security server open relay question"
- In reply to: Paul D. Robertson: "Re: [fw-wiz] iso 17799"
- Next in thread: Darren Reed: "Re: [fw-wiz] iso 17799"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 21 Jul 2004 15:20:40 -0400
On Wednesday 21 July 2004 06:13, Paul D. Robertson allegedly wrote:
> On Tue, 20 Jul 2004, Marcus J. Ranum wrote:
<snip>
> > Let me try to explain it a different way:
> > Computer security, as it's done today by most
> > practitioners, is fundamentally a con. It's a con the same way that
> > most diet foods
>
> I don't think it's that pointed. The products generally do what
> they're supposed to (unless they're new, then they generally do some
> of what they're supposed to, but not nearly enough to be complete...)
> efficient way to reduce risk.
I think you're both right. Cons happen because the victim is:
a) naive,
b) stupid, or
c) is ordered to buy the product by a PHM who just read an airplane
magazine or who just attended a "technology conference."
Products *do* mostly do what they're supposed to do . . . Problem is,
the people buying the product think/assume that the product does
*everything*. They don't know enough about the problem space, the
capability of the product and the iceberg that they only see the tip of
to know they're being conned . . . and that they only have themselves
to blame for it.
<snip>
>
> Here's the typical conversation at my last company:
>
> Supplicant: "Hey! I've got a great idea that'll save us money and
> make new business and be really cool!"
>
> Paul: "No."
>
> Supplicant's boss: "Hey! $luser's got this great idea..."
>
> Paul: "No."
>
> Whining chorus: "Whyyyyyy not?????"
>
> Paul: "It's against my security policy."
>
> $flackey: "$CEO wants to be able to IM his kids..."
>
> Paul: "No."
>
> $flackey: "But he's the CEO!"
>
> Paul: "Yes, he is. No."
>
> See, that single syllable is seen as "politically expensive," and
> rather than uttering it to folks far and wide, there's a drive to go
> buy something that makes $dangerous_thing possible, and either tells
> you when something bad happened, or tries to stop something bad from
> happening.
IMHO, it is cases like this where a Certification and Accreditation
process is handy. I *know* that DITSCAP, NIST 800-37 and NIACAP are
seen by some as being overkill, and in some cases, they are. However,
the general principle is still valid. Theoretically, the selection of
controls is driven by policy which is formulated as a result of the
risk assessment process and which reflects the organization's risk
tolerance. The policy is not the security person's policy, it is the
organization's policy. The very lite version of a C&A process could be
having $flackey sign a short document that describes the policy, the
risks it addresses, and a short statement that the undersigned
understands that those risks will be left unmanaged and that he/she
authorizes the system to be used anyway. I've been overruled many,
many times by the cowboys who just don't care . . . At least that has
let me cover myself . . . And in organizations in which the cowboy
mentality reaches all the way to the top, it's almost mandatory,
'cause stuff *will* blow up, and when it does, the lynch mob starts
looking for someone to hang . . .
<snip>
>
> I think it's just a logic flaw: We don't know what to do, so we need
> someone to tell us- if they tell us the same thing every time, it
> must be right- let's make that a standard, because if everyone else
> does it, it must be right!
>
> Only in IT is everyone else doing it a good reason for jumping off a
> cliff.
That's part of it . . . the other part of it is that it saves a lot of
work. Instead of actually taking the time to really understand what it
takes to implement a really robust Information Security and Assurance
program and then take the time to "do it right," it's much easier to
hire some consultants to come in and do a CobiT/17799/yadda, yadda
audit. Then, when something blows up, the response can be: "Well, we
were 17799 certified, so the consultants must have missed something."
Cheers,
George
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards