Firewall Wizards mailing list archives

Re: iso 17799


From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Tue, 20 Jul 2004 14:00:44 -0400

OK, I'll put my head in the noose again ...

On Mon, 19 Jul 2004 15:47:49 -0400 (EDT), "Paul D. Robertson" inlined:

> On Tue, 13 Jul 2004, avraham shir-el (arthur sherman) wrote:
> 
> > I hope I'm not opening a Pandora's box here, but-
> > 
> > I've been following this list for ~ a year now and haven't seen any mention of
> > ISO 17799.
> > It's defined on their website as
> > "a comprehensive set of controls comprising best
> > practices in IS"
> 
> You've likely not seen mention of ISO9000 either...
> 
> > I've seen lots on this list about best practices w/o
> > any references to 17799.
> 
> One person's best practices are another's waste of time.  Best practices,
> by definition, strive to be uniform, and I think we've all got opinions on
> what should be done versus what we usually do versus what everyone else is
> doing.


True rigid Best Practices are useless in the real world of security, I
agree.  That said, read on.


> Take passwords- I happen to think that for non-dictionary attackable and
> exposed interfaces, 6 of anything is a fine limit.  I happen to know
> places that enforce the "explosion in a punctuation factory" requirements
> for local access- and those places are exactly the sort of places where a
> written password is more of a risk than a memorable one.  Now, if
> suddenly the password that's local access only becomes used on a Web
> server for checking e-mail, then obviously the risk goes up.  But people
> who do best practices don't do them in a risk-based way, they go whole
> hog out the gate- and that's onerous.
> 
> I can likely negate 90% of the same risk with 10% of most "Best
> practices" - so it's really expensive to implement the other 90% of those
> practices- without a good risk/reward scheme or legislation, people are
> unlikely to go full-force on such systems.  I can also implement them
> poorly or well- none of that seems to make them any easier.


Great, how do the rest of us learn to negate 90% of the risk?  Got a paper
somewhere?  Written up an FAQ?  Guideline?  "Best Practice"? :-)  Know of a
good repository of that type of thing?  Or is every newbie supposed to post
the question to the list to extract your knowledge, say every other month?
('cause you KNOW they don't search the archives)


> Every time I've read a security standard document, I've disagreed with
> parts of it, and thought other parts were not clear enough.  Mostly
> though, I've been bored out of my skull dealing with the language barrier
> between a standard and implementing it.


Yup, and several sections don't really apply and ...  But DID IT HELP you
get the job done/solidify an opinion?  (OK, maybe you aren't a good
example; would it help a newbie?)

IMO, the 'push for standards' is because the field is exploding AND
maturing and many, many newbies are being thrown into the fire every day.
The brighter (mentally, not visually) of the crispy critters are looking
for some sort of centralized help instead of 10,000 'one shot' questions on
a list.  Don't get me wrong, the list is useful.  I've been on the/a
firewalls list since GreatPlains hosted one.  But now that I'm stuck
between the current crop of crispy critters and the Pointy Haired Boss,
something to point one or the other at would help :-).  So I have my list
of reference materials for the critters, I cull the tech news regularly for
the PHB, do my work, and try to find time to expand my sources, oh yeah,
and fit in a life.  In my spare time, I dream of the magic repository that
will actually off-load some of the work.  I'm not sure it will, or can,
ever exist, but it sure would be nice.

The frustration is that people on this list 'generally' solve the same
problems, and use lots of the same references, sites, and resources.  This list
is dedicated to answering specific questions about firewall
implementations, a good thing.  However, no centralized list or repository
exists to share the 'other' information required in the real world
(training materials, reference materials, example risk
assessments/documents, staff/food chain management issues, software, etc.).
The list is good, it does its job well, too well; people want the other
problems solved as well and currently they can't have it.

In one man's opinion, that's one of the main reasons why we see the push
for 'standards'.  It's not really standards people want, so much as
direction/help with the 'other' parts of their job.  The learning,
training, tools, samples, and other pieces that the list isn't fully supplying
would probably sate some of the hunger and be more real-world useful than a
bucket full of rigid standards.

(Returns to lurk mode, hopefully withdrawing neck from noose)





-- 
Dana Nowell     Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards