Firewall Wizards mailing list archives
RE: Vulnerability Response (was: BGP TCP RST Attacks)
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 3 Jun 2004 09:35:34 -0400 (EDT)
On Thu, 3 Jun 2004, Phil Burg wrote:
> This part, IMNSHO, is a key part of your risk management policy / standard / whatever $YOUR_SITE calls it: you need to clearly define who evaluates security risks and how they do it, the intention being to arrive at a situation wherein any suitably qualified person (for some value of suitably qualified) can pick up your RM documentation and produce a very similar assessment of the risk as any other suitably qualified person would produce. And of course it needs to be auditable.
*Exactly.* Someone has to _own_ risk management. The people who don't own it should have input, but not the ability to nitpick. That means the organization must be comfortable with the person who owns it being able to assess not just the security risk, but the business risk and weigh the two. Generally, though it seemed like I rejected everything put to me, in fact, almost all of my rejections were "no, we won't just open up $foo and let you do it on $bar, but if you're willing to buy $baz and move things thusly..." Naturally, I started with "No!" because I'm always in default denial ;)
> Selling this to management at $YOUR_SITE is left as an exercise to the reader...
*No!*[1] This is where we *absolutely* need to share experiences- if it worked for me, it should work for someone else. Enough of those and we can make some forward progress industry-wide. There are half a zillion things dedicated to "How do I block P2P?" We need more "How do I gain and keep responsibility?"

When I left my last company, I thought they'd throw a huge party. I know I'd pissed off at least hundreds, if not thousands of my co-workers by not allowing them lots of cool, fun and potentially profitable services. I didn't make exceptions (even for me,) didn't give politically correct answers, and didn't bend one bit on my policy. I upset lots and lots of people, lots and lots of times. The sentiment I got when I said "Bet you're glad I'm leaving!" was completely the opposite of what I expected. They understood that I did my job, and my job was to protect the company. They knew that the company was going to take on more risk within a week or two- because like most large corporations, there was a lot of internal politics, and very few people will take the "more likely to be career limiting, but right" path.

In the end, the people who I interacted with most for new things had gotten to realize that it was easier by far to come and ask me how they should do something new than to fight for the right to do it at all after sneaking it in. The years of fighting before that weren't fun (mostly for them- I was the undefeated NO champion of the Universe!)- but they got to where network security (and infrastructure) became a part of the "we must cover this" phase of any project.

Paul

[1.] There I go again!

-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
paul () compuwar net          which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment
                             TruSecure Corporation