Firewall Wizards mailing list archives
Re: iso 17799
From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Tue, 20 Jul 2004 17:41:15 -0400
At 02:48 PM 7/20/2004 -0400, Paul D. Robertson wrote:
> On Tue, 20 Jul 2004, Dana Nowell wrote:
>
> > OK, I'll put my head in the noose again ...
>
> Cool!
>
> > > I can likely negate 90% of the same risk with 10% of most "Best practices-" so it's really expensive to implement the other 90% of those practices- without a good risk/reward scheme or legislation, people are unlikely to go full-force on such systems. I can also implement them poorly or well- none of that seems to make them any easier.
> >
> > Great, how do the rest of us learn to negate 90% of the risk? Got a paper
>
> You pay me lots and lots of money and beer! ;)

Hope that comment works better for you than it has for me ;) Although I HAVE collected some beer over time. I'd estimate I'm at about .01 beers per man hour :(.
> > somewhere? Written up an FAQ? Guideline? "Best Practice"? :-) Know of a good repository of that type of thing? Or is every newbie supposed to post the question to the list to extract your knowledge, say every other month? ('cause you KNOW they don't search the archives)
>
> I think that some of it is FAQ material, some of it is experience and some of it is situational. Maybe one day, I'll write my magnum opus about practical security, but nobody will read it anyway, because it's easier to just ask which firewall you should buy!

Cynic. Oh wait ...
> > > Every time I've read a security standard document, I've disagreed with parts of it, and thought other parts were not clear enough. Mostly though, I've been bored out of my skull dealing with the language barrier between a standard and implementing it.
> >
> > Yup, and several sections don't really apply and ... But DID IT HELP you get the job done/solidify an opinion? (OK, maybe you aren't a good example, would it help a newbie?)
>
> Well, it depends on what "the job" is- if it's implement this document, then sure! If it's reduce risk, then maybe. If it's understand what you're implementing and why, then probably not.

The usual context (to me) is 'reduce the risk'. I don't really care about the document and I too suffer from ancient Greek philosophic syndrome.
> > IMO, the 'push for standards' is because the field is exploding AND maturing and many, many newbies are being thrown into the fire every day. The brighter (mentally, not visually) of the crispy critters are looking for some sort of centralized help instead of 10,000 'one shot' questions on a list. Don't get me wrong, the list is useful. I've been on the/a firewalls list since GreatPlains hosted one. But now that I'm stuck
>
> Um, you mean GreatCircle? ;)

Doh! I've been reading one too many accounting specs ... Yes, GreatCircle.
> > between the current crop of crispy critters and the Pointy Haired Boss, something to point one or the other at would help :-). So I have my list of reference materials for the critters, I cull the tech news regularly for the PHB, do my work, and try to find time to expand my sources, oh yeah, and fit in a life. In my spare time, I dream of the magic repository that will actually off-load some of the work. I'm not sure it will, or can, ever exist but it sure would be nice.
>
> When it becomes that easy, the systems will implement it themselves.

Well, I wasn't THAT optimistic. Self-training staff and self-educating bosses, damn, you think BIG. :)
> > The frustration is that people on this list 'generally' solve the same problems, use lots of the same references, sites, and resources. This list is dedicated to answering specific questions about firewall implementations, a good thing. However, no centralized list or repository exists to share the 'other' information required in the real world (training materials, reference materials, example risk assessments/documents, staff/food chain management issues, software, etc.). The list is good, it does its job well, too well; people want the other problems solved as well and currently they can't have it.
>
> I'd be happy to set up a repository. Either officially in conjunction with the list, or unofficially on my own site.

Yeah, the question then becomes: what goes there, what formats are used (if consistency is even important)? Is it a collection dumping ground or is there some type of need analysis/review of content, ... You know, the whole 'what are the rules' thing gets messy. I pushed something like that a while back on the list. I had no takers. It may be because the idea stinks, or it may be because I was unclear due to several double shifts, or it may be because I used the term best practices and suffered buzzword filtering.
> > In one man's opinion, that's one of the main reasons why we see the push for 'standards'. It's not really standards people want, so much as direction/help with the 'other' parts of their job. The learning, training, tools, samples, and other pieces that the list isn't fully supplying would probably sate some of the hunger and be more real-world useful than a bucket full of rigid standards. (Returns to lurk mode, hopefully withdrawing neck from noose)
>
> Personally, I think we'd be better off with training on how to think about security at that level, and what sorts of things to watch out for. But I'm stubborn enough to think that we can teach them to fish, even if they do just want to do the drive-through.

I'm all for teaching them to fish but we need to accumulate some boats :-). In small companies we do not get much of a training budget, so it is pretty much senior guys/mgrs train junior guys (OTJT as usual). Of course, we have our own work to do, so any training aids/shortcuts (boats) are greatly coveted. As it is, I pick a book off my shelf, or aim them at a web site, and then schedule an hour or two in the afternoon to meet. Fortunately, we're REAL small (and pretty static in config and staff) so it is not that significant a chunk of my time/budget (small staff * 1 hour a couple times a month is still a small number).

I THINK a 'rent a fleet' repository would be a good thing, if the boats aren't too leaky and the price is free. Then we (the senior guys/gals in small companies and others in the industry) could say, read ABC, QRS, and XYZ from the repository (or better yet, scan the repository for info) and we'll discuss it for a half hour this afternoon (go ahead, save me a half hour, I dare you ;-). Best case, I THINK the net as a whole benefits (assumption: small guy security improves if only because the senior staff get a couple extra hours to think about stuff). With a large contributor base (this list?) I do not think any one person/company gets overly punished (contribute as time/resources permit). Worst case, we waste some time trying something that fails (gee, I've never done that before).

So Paul (and others), I've got a windmill, anyone have a spare horse/lance?

-- 
Dana Nowell
Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards