Security Basics mailing list archives
Re: Re: Risk Analysis and Common Criteria
From: "yannick san" <yannicksan () free fr>
Date: Thu, 24 Apr 2003 16:00:45 +0200
Sorry, I didn't really finish what I should have said, and thank you Mr Anders for responding. You're right, mailing security interviews in plain text could be considered a security failure in the process of doing it. In the best security practices, the mails should be encrypted, but this requires thinking about what kind of cryptography we should use, because we will have to exchange (at least) keys. Public keys or a secret one used by every engineer concerned... depends whether we use symmetric or asymmetric cryptography... I was not talking about sending mails over the net, but for sure that could have been interpreted like that. Here we should really think about how to exchange the interviews and results. When I answered Ness, I was thinking about doing those exchanges in the "trusted" zone... Anyway, you're right, cryptography should be applied in both cases... but considering the problem of using cryptography, I think that should be asked during a company briefing. Just because we're not only installing something to avoid information being sent in plain text, but real mechanisms are going to be installed. The mechanisms chosen will be referred to in the security policy of the company. As far as I'm concerned, I think this problem is a full subject of study. About BS or CC... yes, one will not replace the other.

Yannick
Information Security Engineer

----- Original Message -----
From: "Anders Reed Mohn" <anders_rm () utepils com>
To: "yannick san" <yannicksan () free fr>; "security_ness" <security_ness () tiscali it>
Cc: "Security Basics List (SecurityFocus)" <security-basics () securityfocus com>
Sent: Thursday, April 24, 2003 12:13 PM
Subject: Re: Re: Risk Analysis and Common Criteria
> you have to interview everybody in charge of what you will study later... [..] You can do that by mails.

E-mails? Careful .. you don't want them confessing their security holes in plaintext all over the Net.

> BS7799 seems to be the future standard used.

BS7799 applies more generally to information security, doesn't it? (Haven't studied it, just heard about it) The CC are computer specific. So one should not replace the other.

Cheers,
Anders :)