RE: C2 security standards

From: Juan Ignacio Trentalance (TRENTALANCE@crm.com.ar)
Date: 05/24/02


From: Juan Ignacio Trentalance <TRENTALANCE@crm.com.ar>
To: "'focus-sun@securityfocus.com'" <focus-sun@securityfocus.com>
Date: Fri, 24 May 2002 12:35:40 -0300

Thanks everybody for the responses. Some people replied personally.

The info I was sent turned out really useful for me to terminate this C2
thing. This is what I made of it (the three most important items):

1. The whole idea of a C2 security checklist was wrong, since C2 is not
meant for that (and there are several very good articles and books on the
matter).
2. It doesn't apply to networked computers (!)
3. It doesn't take into account bugs and the possibility of exploits, since
it's happy just with "Tested security mechanisms with no obvious bypasses"

If anyone finds out any misconceptions in what I have said, please tell me.

I hope all this has been interesting to the group.