At 10:36 AM 4/29/98 -0400, Kevin Tyrrell wrote:

[deletia]

Kevin, that was an excellent post - a real "keeper". Thanks. :)

>Buying insurance against "hackers" might actually make some companies less
>secure. They have been certified as insurable (secure), so they can put
>security on the back burner until it's time for next year's checkup, then
>they get whacked. But hey, they got insurance.

The paragraph above succinctly describes the problem in some of the .mil and .gov domains re: the recent hacker attacks by MOD discussed here and elsewhere.

The SBU (Sensitive But Unclassified) .mil/.gov in the main relies on certification and accreditation (C&A) procedures - what amounts to a minimally acceptable set of checks/standards. If the site passes the C&A, they can operate on the public Internet. This begs at least several questions that I won't touch without a really good grounding rod. ;)

I think I can safely say (paraphrasing Kevin) that the prevailing management attitude is, "Hey, I passed the C&A so I can back-burner security until the next C&A cycle." And then they get whacked. Not their fault - they passed the C&A.

"Insurance" in the .mil/.gov arena usually translates to "Plausible Deniability" or some other form of Vogon poetry.

Best regards,

Randy Taylor
(speaking only for myself)
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:38 PDT