1998-04-29-12:59:54 Darren:

> What it gets down to is that there is risk involved in "being on the
> 'net". Quite a considerable risk, if you were to ask me, given that
> we've heard recently about claims of people getting into classified
> computers.

Claims are cheap. That one hasn't ever been confirmed that I know of, since the DOD dodges it by defining any computer attached directly or indirectly to the internet as ``not classified''. This somehow is supposed to absolve them from any obligation to properly secure their sites.

> If your boss walked in tomorrow and asked you how you knew your
> firewall was protecting you, what would you use as evidence?

I'd point to our security policy. It sketches out the threats, the likelihood of their materializing, and the severity of danger if they are, and bases configuration rules and restrictions on these threats and potential costs. The bulk of all ongoing security maintenance --- after the trivial bits like responding to crises and tracking new developments and auditing the implementation --- is constantly revising the security policy to track evolving threats and business needs.

> If before you connected your site to the 'net you were required to
> have a detailed report of your firewall's strength, what would you do?

When I came to work for my current employer, they were already connected to the net, with a very very draconian (and hence easy to implement) policy; there were no publicly-visible servers aside from the SMTP relay, and only a select handful of protocols were permitted outbound. Since this predated applets this was super easy to implement securely, and securely is how it was implemented. Since then we've grown ghastly threats like applets (stripped at the firewall) and we've put a public site out. I was the security architect. I worked with the designers, sketching out the security model and controls, with justifications; when the final design was ready to sell to senior management I was called in to address the security issues, which I did with a brief sketch of the model and its motivation.

> Sure, there's a handful of people running around who can do this, but
> what assurance do you have that you're getting the right people?

The same assurance you have when getting any kind of people. If you have the expertise in house to grill the candidate, then you do; if you don't have that expertise then evaluate candidates based on how well you like them and the extent and relevance of their claimed experience, then check their references carefully. This is an old problem with an old and well-trusted solution.

> Do you look for ISO qualifications for their reporting or CISSP exams
> passed [...]

I sure wouldn't, any more than I'd look for certificates when picking a systems administrator, or a programmer, or anybody else. Certificates demonstrate a desire to get certificates and a skill at getting certificates; I've never had any use for that desire and ability.

> [...] or 10 years spent hacking on sendmail [...]

If I were hiring a sendmail hacker this would be a good qualification; if I were hiring a security admin I'd be looking for knowledge of how to shield or eliminate sendmails.

> [...] or 10 years spent breaking into .mil sites?

If I were hiring someone to break into .mil sites then this would be a good criterion; if I were hiring a security admin I'd prefer someone who spent 10 years keeping people out.

-Bennett