"Lucky Green" <shamrockat_private> writes:

>I am becoming concerned about the apparent lack of professional competence
>within even well-known segments of the security community. I hope the
>incident I discovered is an isolated one, but even a single such incident is
>disquieting.

[...]

>I find it frightening to think that somebody calling themselves a security
>professional might even consider certifying a site using 40bit SSL to
>protect crucial customer information. Especially a site in the financial
>sector. Certifying obfuscation as security is an unacceptable level of
>performance by any computer security professional.

I think it's pretty common; in 1997 I heard of Ernst and Young in NZ certifying 40-bit SSL as being secure for banking use. I mentioned this in a posting to sci.crypt titled "Crypto for beancounters" and got several responses from people saying they'd had similar experiences (not necessarily with E&Y, but with Big 6 firms who did security audits). The summary of the responses was:

-- Snip --

[...]

- Getting a security system accepted is more likely if it's been reviewed by the company auditors, even if the people involved don't have much experience with the technology.

- Even if the auditors don't have much crypto experience, they're generally very good at finding things like procedural flaws. Most real systems fail because they're not used properly, not because of technical attacks. Accountants/auditing firms are very good at finding problems like this.

- Some firms may have experience in auditing crypto, but more importantly they should be able to call in outside experts to check the crypto. Requiring that the audit report include details of how the crypto was evaluated and (if external experts were used) by whom would be a good idea.

In summary, use the auditing firm to cover security procedures, but (unless they have expertise in the area) leave assessment of the crypto software to known experts in the field and/or insist on seeing details of how the crypto was assessed.

-- Snip --

It's really just an issue of being able to prove due diligence - all you need is the right people to check the "Uses encryption" box and you're OK. Whether the encryption is any good or not is largely irrelevant, at least for the purposes of the exercise, which is to pass the audit.

Peter.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:47:22 PDT