Firewall Wizards mailing list archives
Re: Re: Best Practices
From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Fri, 21 May 2004 16:39:08 -0400
At 03:13 PM 5/21/2004 -0400, R. DuFresne wrote:
> Dana, I feel your points have been clear and for the most part, concise. But, I also think this set of best prac. lists has been done, repeatedly, ad nauseam. The problem is not in putting together a list, or a set of them, it is in getting others to link to those lists, read and then understand and implement these practices. Here are some of the problems I've seen with such lists and getting them out into the general knowledge base:
Yes, the key issue is buy-in, not (he says hesitantly) the content. We can have the best content in the world but without buy-in, it fails. (Of course, if SOME content doesn't exist, buy-in is difficult to get.)
> 1> expense; how many corp computer systems, and let's just consider desktops here, are shipped with too many devices and services still open to the public? How many lack a simple, effective and cheap anti-virus product in the base offering install? Just for corporate level systems from a supplier, say Dell or Gateway or what-have-you, the expense of fixing the too-much-open and running-with-privilege is costly; they need to hire folks with the knowledge and skills to produce an image for these that is more secure. Some vendors like Dell have taken great leaps in this, yet still have not got it all locked down. The cost of adding another packaged product into the base offering, a decent yet cheap and intuitive <does one exist> anti-virus package, is again not cost effective. Companies with large orders might actually make headway here in the systems purchased, but the small company or home user still has an uphill battle with their own checkbooks to fight here. The rules of frugality have set the common mindset to: don't foot the bill till the foot breaks something and the costs of repair outweigh the costs of saving a few bucks prior to fallout.
> 2> disseminating the knowledge base lists to those targeted. The term firewall is still not common enough in the languages of tech-speech for many to understand, let alone know how to seek out info on the topic. Various best practices lists are out here on the net; Paul just helped guide folks through the first day of the techies with a clue helping the non-clued secure their new home systems. And I'm willing to bet that after the 5th and 10th anniversaries of this date in January<?> that security will still be an uncommon bit of knowledge to the masses, and many of those masses are going to be folks in the IT field.
Maybe I wasn't clear, I excluded the home user. Hopefully the best practices could be used by someone more in tune with the home market during the book writing/security stumping they do, but that's not the initial target (for me). My target is the guys that do that work and the guys in the trenches :-). Get our house in order, then do community service with others.
> 3> what lists that do exist are too technical in terminology for the average user to take in; they are too IT-jargonised. Service/daemon?! port/communications channel?! firewall/port blocking: these are not common terms, and so filter into the common person's language base extremely slowly. Just try and define what an anti-virus package is to Aunt Tilly. I'm trying to explain simple e-mail terms and netiquette. Problem is, these are not techie folks, and no matter how slow I talk while walking them through the windows on their own system in front of them, they get confused or forget what they learned five minutes before. And since I live 1500 miles from family, I can't walk or drive over to help point where to click and show a specific example from their own mailboxes. I've run into the same issues with lusers in the workplace, daily. Many in those cases do not see learning or knowing as part of their responsibility; the PC is merely one of the tools they use to do their job, and some of the ones closer to retiring wish they had an old Selectric typewriter back on the desk. Getting the info to the masses, in a format they can relate to in an easy manner, is the key area we are still failing in. Once someone has been in the field long enough to know the terminology, or with enough of a clue to seek out the jargon file to find the definition, is not the problem; it's getting through to the manager that knows little about the technical except how to convert a pie chart to a bar chart in Excel, and to Aunt Tilly and Uncle Ben, that are the keys. And then getting the vendors to comply when it is not economically tempting for them to do so, creating desktop links for Aunt Tilly and Uncle Ben to learn from.
I've come to think that at some point, we need a 'knowledge level cutoff' so to speak. My initial target would be admin and security people in small through large companies, not homes and not the 'average guy' in general, too big a curve. I think the average security/admin guy is the cutoff; it is unlikely that we can hold Aunt Tilly's attention through the required education cycle. The average security/admin should have at least heard the buzzwords and have at least a minor vested interest in the learning process. Educating Aunt Tilly is a nice long term goal, and in a perfect world I hope a best practices repository could go to that level. Unfortunately, it will probably be more like RFCs, clear enough for engineers or serious geeks but not for Joe Average Homeowner. At the moment I've set my sights lower, just the entire security and admin world, not the world as a whole :-). The admin/security guys and the educated geeks that write books for Aunt Tilly can use it to make their lives better/easier. But hey, join in, dream big, and maybe someone brighter than you or I will help us both figure it out.
> Thanks, Ron DuFresne <who just muddled up the clear and concise thread, sorry>
It was your turn, I already did it to Paul's thread. :-). Same problem, something that was said triggered something in my brain and I mashed reply and started smashing keys. Some days 'topic' is more of a subjective construct than other days, but that is what leads to interesting discussion sometimes.

--
Dana Nowell
Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards