Educause Security Discussion mailing list archives

Re: SECURITY Listserv Instructions and Participation Guidelines


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Mon, 8 Jul 2002 19:43:49 -0500

I'll stop after this one.  My apologies to anyone who's bored!

At 13:52 -0400 7/08/02, Randy Marchany wrote:
Agreed. However, the CIS Solaris, Linux and W2K benchmarks have been

advisories, guidelines, and recommendations are often useful.
standards, requirements, and benchmarks imply an implementation, and
in the hands of short-sighted managers or uneducated admins can be
harmful.

None of us have that much funding because of the current political mood. What
about applying benchmarks to existing IT equipment that is already installed
at the EDU? That seems more reasonable and something that should have been
done in the first place.

That depends.   If I am running a honeypot as part of my security
research, should it meet someone else's idea of a benchmark or
standard?

If I am running a bunch of Windows 95 machines because I don't have
the funds to upgrade (the plight of many smaller schools), how can I
hope to meet benchmarks that require the installation of software I
can't afford?

If I am running 3rd party scientific software that doesn't work
unless I install it as "root" on my Unix box with permissions set to
777, how do I reconcile making my project work vs. generic standards?


Don't get me wrong -- I believe that systems should be protected.   I
also believe that better care can be taken at a great many
educational institutions.

However, I also have seen the resources -- or lack of resources --
available to disadvantaged schools and community colleges.   Without
a change in the economic issues, they cannot afford to make the kind
of changes that are needed.   I get a little upset when people start
talking about imposing standards on everyone, when it may mean
shutting down the programs at some disadvantaged and minority
institutions.   It's just one of those "hot buttons" of mine.  Sorry.

If the vendors responsible were forced to pay to clean up and secure
the mess they have created by selling such shoddy merchandise, then I
wouldn't mind nearly as much.

Hardly. We've lost millions in our budget due to cutbacks. However, we did get
the buy-in of the CFO of the University. He's convinced that doing security
now saves VT money in the long run.

He's rare.


--spaf

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/cg.html.
