Re: Security Policy methodologies
Ted Doty (ted
iss.net)
Mon, 05 Jan 1998 12:02:06 -0500
- Next message: Aleph One: "Re: Security Policy methodologies"
- Previous message: Ted Doty: "Re: Security Policy methodologies"
- In reply to: Aleph One: "Re: Security Policy methodologies"
- Next in thread: Larry J. Hughes Jr.: "Re: Security Policy methodologies"
- Reply: Larry J. Hughes Jr.: "Re: Security Policy methodologies"
At 10:03 AM 1/5/98 -0600, Aleph One wrote:
>Now it seems your reasoning is flawed. You ask for evidence and statistics
>of Internet attacks to help you formulate a policy but you won't accept
>anything but 100% complete and correct data when we all know that is an
>impossibility.
My reasoning may indeed be flawed. However, the original thread concerned
efforts at Hanscom Air Force Base to grow their security implementation by
direct observation of their local traffic patterns. I stand by my
assertion that there is insufficient statistical evidence to allow
organizations to specify realistic, quantifiable security policies without
a similar type of effort. They are unlikely to be able to assess their
statistical likelihood of being attacked, and certainly will not be able to
measure whether they fit or deviate from the norm (since there is no valid
norm).
>Not everyone will report incidents to CERT and obviously you cannot
>report incidents that were not detected. There is nothing you can do to
>change those two factors. Given those it seems that Dr. Howard's
>information is as complete as you will get. I do agree a section on the
>statistical validity of the data would be good.
I did not mean to belittle Dr. Howard's work, which should be read by
anyone remotely interested in this topic. However, I do think that the
conclusions were somewhat hasty, given the known weaknesses of the CERT
data set and the prevalence of other, conflicting data.
- Ted
--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East | Fax: +1 770 395 1972
Atlanta, GA 30346 USA | Web: http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:12 CDT