Security Basics mailing list archives
C&A process, C&A professionals
From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Thu, 25 Mar 2010 11:48:20 -0400
List,

Recently there was a discussion on the Pen-Test mailing list (http://www.securityfocus.com/archive/101/509929/30/0/threaded) regarding "Script kiddies vs. real talent." Along those same lines I wonder what this list thinks about recent comments by SANS Institute founder Alan Paller about FISMA compliance and C&A professionals.

"[They] rewarded ineffective behavior and created a cadre of people who call themselves security professionals but who proudly admit they cannot implement security settings on systems and network devices or find a programming flaw," he said.

"Fisma had created and rewarded a culture of compliance rather than security," Paller said. Federal and state governments were "radically short of money", but they were forced to spend it on reporting rather than security, he said.

"Writers who know how a few words about security and federal regulations now make 50% to 80% more money than the people who actually secure systems and networks and applications," he said. "It is as if we paid the compliance staff at a hospital more than the surgeons."

He said the nation's attention should be on real-time monitoring of its information systems and networks to prevent or mitigate attacks as they happened. "Oversight must be focused on the effectiveness of the agencies' real time defences," he said.

My thoughts: First, there is a clear financial incentive here for SANS to encourage more real-time network security monitoring by the Federal government, as the kinds of hands-on technical skills required to perform the job are the same skills taught by SANS. However, that doesn't take anything away from the weight of the assertions made.

Do you believe that Certification and Accreditation professionals are little more than technical writers who have memorized some industry jargon, or does the C&A process serve a useful function in securing an organization's Information Systems?
http://www.computerweekly.com/Articles/2010/03/25/240719/Sans-founder-slams-39terribly-damaging39-US-cyber-security.htm