RE: [IDS] IDS Common Criteria
From: Rob Shein (shoten@starpower.net)
Date: 01/15/03
- Previous message: Frank Knobbe: "Re: IDS Stealth Mode"
- In reply to: Randy Taylor: "RE: [IDS] IDS Common Criteria"
- Next in thread: Randy Taylor: "RE: [IDS] IDS Common Criteria"
- Reply: Randy Taylor: "RE: [IDS] IDS Common Criteria"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Rob Shein" <shoten@starpower.net> To: "'Randy Taylor'" <gnu@charm.net>, <focus-ids@securityfocus.com>, <ids@mailman.vet.com.au> Date: Wed, 15 Jan 2003 10:42:34 -0500
I think what he meant was, "Security is not the sort of process like the
Common Criteria, where you just have to go down a checklist to be good
to go." The process you describe and a process like the Common Criteria
are entirely separate types of things.
> -----Original Message-----
> From: Randy Taylor [mailto:gnu@charm.net]
> Sent: Monday, January 13, 2003 10:27 AM
> To: focus-ids@securityfocus.com; ids@mailman.vet.com.au
> Subject: RE: [IDS] IDS Common Criteria
>
>
> At 07:14 PM 1/10/2003 -0500, Graham, Robert (ISS Atlanta) wrote:
> >Common Criteria is for those who believe that "security is a
> process".
> >
> >Security is not a process. There is no silver bullet that
> will protect
> >you. The Common Criteria process is not a silver bullet.
>
> Security is very much a process. It has a scope that
> encompasses many concepts that are not addressed from the
> understandably narrowed focus found in vendor space. Here are
> just a few of the many issues I'm dealing with these days:
>
> - User education, awareness, and training
> - Security policy - network and physical
> - Application data flows
> - Firewall rules
> - HIDS deployment
> - NIDS deployment
> - Anti-virus deployment and management
> - Incident response
> - Router and switch hardening policies
> - Life-cycle management of all the above and then some
>
> Without a process view of a system like this, none of it
> works together the way it was intended in the initial design.
>
> Bruce Schneier speaks to the "security is a process"
> position better than I, but I did want to take a moment to
> point out some areas that many folks overlook when they talk
> about security. The broad-scope view makes it all look easy.
> It's the details that get you killed, figuratively speaking.
>
> I agree there is no single "security silver bullet". If there
> was one it certainly would not be Common Criteria. It
> wouldn't be just "IDS", "Firewall", or "Anti-Virus",
> either. Without a process-oriented approach to security, the
> "gun" is in the hands of the enemy rather than in ours.
>
> Best regards,
>
> Randy
> -----
> "If you are going to sin, sin against God, not the bureaucracy.
> God will forgive you but the bureaucracy won't."
> --- Hyman Rickover ---
>
>
- Next message: David J. Meltzer: "RE: how to verify whether an attack attempt is successful?"