Firewall Wizards mailing list archives

Re: Policy Free? (was RE: Penetration Tests)


From: Rick Smith <rsmith () visi com>
Date: Wed, 1 Oct 1997 21:46:36 -0500

On Fri, Sep 26, 1997 at 02:36:49PM -0500, Capt Jim Bailey wrote:

I think everyone agrees that having a solid security policy is needed before
implementing any feasible security architecture.  My question is what does
this policy encompass?  My question is not directed at the technical details
of how to get things done, but more towards the high level that has to be
sold to Joe and Jane user, the management, etc.  Are you looking at writing
a document that states such general things like "don't use the network for
unofficial business"? Or do you get more specific like "all web traffic
will be proxied and only allowed to the following sites..."

My own humble opinion is that this is the centerpiece of really practical
security. I like to tell people that security is a three part balance:
enterprise objectives, threats, and the costs of security measures. You
balance the three and if the balance allows you to succeed as an
enterprise, then you're "secure." However, most people tend to look at
security in general and computer security in particular as a concrete
objective that defies further definition: we are "secure" if we "pass" our
penetration test. Of course, nobody passes such things perfectly, since a
good test will find the holes that don't matter as well as those that do.
And you can't tell the relevant from the irrelevant unless you know how the
holes relate to your operational objectives and the threats against them.

The bottom line is that you can't decide how to safely economize on
computer security unless you know what you're trying to achieve and how
much protection it needs.

Now that I've preached to the choir on the benefits of policy, let me
repeat a suggestion someone else once made: that security equipment should
be built so it works well despite the fact that the customer hasn't put
together a security policy. In other words, we should admit that Mom and
Pop won't pay anyone to write a policy for their Internet cafe 'n Web site
in preparation for installing the firewall. They know what a firewall costs
(it's on the price sheet) so they set aside the money and plug the sucker
in. One might argue that the firewall is simply forcing the site to adopt a
policy as a side effect of configuring it.

To some extent this is an issue of creating "mainstream" technical products
as opposed to products geared for technology buffs. The buffs will take the
time to dink with policy while most folks just want the thing to work.


Rick Smith.                        rsmith () visi com
"Internet Cryptography" in bookstores   http://www.visi.com/crypto/