From: Rob Shein (shoten_at_starpower.net)
Date: Wed Jan 15 2003 - 09:42:34 CST

    I think what he meant was, "Security is not the sort of process like the
    Common Criteria, where you just have to go down a checklist to be good
    to go." The process you describe and a process like the Common Criteria
    are entirely separate types of things.

    > -----Original Message-----
    > From: Randy Taylor [mailto:gnucharm.net]
    > Sent: Monday, January 13, 2003 10:27 AM
    > To: focus-idssecurityfocus.com; idsmailman.vet.com.au
    > Subject: RE: [IDS] IDS Common Criteria
    >
    >
    > At 07:14 PM 1/10/2003 -0500, Graham, Robert (ISS Atlanta) wrote:
    > >Common Criteria is for those who believe that "security is a
    > process".
    > >
    > >Security is not a process. There is no silver bullet that
    > will protect
    > >you. The Common Criteria process is not a silver bullet.
    >
    > Security is very much a process. It has a scope that
    > encompasses many concepts that are not addressed from the
    > understandably narrowed focus found in vendor space. Here's
    > just a few of the many issues I'm dealing with these days:
    >
    > - User education, awareness, and training
    > - Security policy - network and physical
    > - Application data flows
    > - Firewall rules
    > - HIDS deployment
    > - NIDS deployment
    > - Anti-virus deployment and management
    > - Incident response
    > - Router and switch hardening policies
    > - Life-cycle management of all the above and then some
    >
    > Without a process view of a system like this, none of it
    > works together the way it was intended in the initial design.
    >
    > Bruce Schneier speaks to the "security is a process"
    > position better than I, but I did want to take a moment to
    > point out some areas that many folks overlook when they talk
    > about security. The broad-scope view makes it all look easy.
    > It's the details that get you killed, figuratively speaking.
    >
    > I agree there is no single "security silver bullet". If there
    > was one it certainly would not be Common Criteria. It
    > wouldn't be just "IDS", "Firewall", or "Anti-Virus",
    > either. Without a process-oriented approach to security, the
    > "gun" is in the hands of the enemy rather than in ours.
    >
    > Best regards,
    >
    > Randy
    > -----
    > "If you are going to sin, sin against God, not the bureaucracy.
    > God will forgive you but the bureaucracy won't."
    > --- Hyman Rickover ---
    >
    >