Firewall Wizards mailing list archives

Re: Re: Best Practices


From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Fri, 21 May 2004 16:39:08 -0400

At 03:13 PM 5/21/2004 -0400, R. DuFresne wrote:

Dana,

I feel your points have been clear and for the most part, concise.  But, I
also think this set of best prac. lists has been done, repeatedly,
ad nauseam.  The problem is not in putting together a list, or a set
of them, it is in getting others to link to those lists, read and then
understand and implement these practices.  Here are some of the problems
I've seen with such lists and getting them out into the general
knowledgebase:

Yes, the key issue is buy in, not (he says hesitantly) the content.  We can
have the best content in the world but without buy in, it fails.  (Of
course, if SOME content doesn't exist, buy in is difficult to get.)



1> expense;  how many corp computer systems and let's just consider
desktops here, are shipped with too many devices and services still open
to the public?  How many lack a simple effective and cheap anti-virus
product in the base offering install?  Just for corporate level systems
that a supplier, say Dell or Gateway or what-have-you, the expense of
fixing the too much open and running with privilege is costly, they need
to hire folks with the knowledge and skills to produce an image for these
that is more secure.  Some vendors like Dell have taken great leaps in
this, yet, still have not got it all locked down.  The cost of adding
another packaged product into the base offering of a decent yet cheap and
intuitive <does one exist> anti-virus package is again, not cost
effective.  Companies with large orders might actually make headway here
in the systems purchased, but the small company or home user still has an
uphill battle with their own checkbooks to fight here.  The rules of
frugality have set the common mindset to:  don't foot the bill till the
foot breaks something and the costs of repair outweigh the costs of
saving a few bucks prior to fallout.


2> disseminating the knowledgebase lists to those targeted.  The term
firewall, is still not common enough in the languages of tech-speech for
many to understand, let alone know how to seek out info on the topic.
Various best practices lists are out here on the net, Paul just helped
guide folks through the first day of the techies with a clue helping the
non-clued secure their new home systems.  And, I'm willing to bet that
after the 5th and 10th anniversaries of this date in January<?> that
security will still be an uncommon bit of knowledge to the masses, and
many of those masses are going to be folks in the IT field.


Maybe I wasn't clear, I excluded the home user.  Hopefully the best
practices could be used by someone more in tune with the home market during
the book writing/security stumping they do, but that's not the initial
target (for me).  My target is the guys that do that work and the guys in
the trenches :-).  Get our house in order, then do community service with
others.

3>  what lists that do exist are too technical in terminology for the
average user to take in, they are too IT jargonised.  Service/daemon?!
port/communications channel?!  firewall/port blocking, these are not
common terms, and so filter into the common person's languagebase
extremely slowly.  Just try and define what an anti-virus package is to
Aunt Tilly.  I'm trying to explain simple e-mail terms and netiquette.
Problem is, these are not techie folks, and no matter how slow I talk
while walking them through the windows on their own system in front of
them, they get confused or forget what they learned five minutes before.
And since I live 1500 miles from family, I can't walk or drive over to
help point where to click and show a specific example from their own
mailboxes.  I've run into the same issues with lusers in the workplace,
daily.  Many in those cases do not see learning or knowing as part of
their responsibility, the pc is merely one of the tools they use to do
their job, and some of the ones closer to retiring wish they had an old
Selectric typewriter back on the desk.

Getting the info to the masses, in a format they can relate to in an easy
manner, are the key areas we are still failing in.  Once someone has been
in the field long enough to know the terminology or with enough of a clue
to seek out the jargon file to find the definition is not the problem,
it's getting through to the manager that knows little about the technical
except how to convert a pie chart to a bar chart in Excel, and to Aunt
Tilly and Uncle Ben are the keys.  And then getting the vendors to comply
when it is not economically tempting for them to do so, creating desktop
links for Aunt Tilly and Uncle Ben to learn from.


I've come to think that at some point, we need a 'knowledge level cutoff'
so to speak.  My initial target would be admin and security people in small
through large companies, not homes and not the 'average guy' in general, too
big a curve.  I think the average security/admin guy is the cutoff, it is
unlikely that we can hold Aunt Tilly's attention through the required
education cycle.  The average security/admin should have at least heard the
buzzwords and have at least a minor vested interest in the learning process.

Educating Aunt Tilly is a nice long term goal, and in a perfect world I
hope a best practices repository could go to that level.  Unfortunately, it
will probably be more like RFCs, clear enough for engineers or serious
geeks but not for Joe Average Homeowner.  At the moment I've set my sights
lower, just the entire security and admin world, not the world as a whole
:-).  The admin/security guys and the educated geeks that write books for
Aunt Tilly can use it to make their lives better/easier.  But hey, join in,
dream big, and maybe someone brighter than you or I will help us both
figure it out.

Thanks,

Ron DuFresne
<who just muddled up the clear and concise thread, sorry>


It was your turn, I already did it to Paul's thread. :-).  Same problem,
something that was said triggered something in my brain and I mashed reply
and started smashing keys. Some days 'topic' is more of a subjective
construct than other days, but that is what leads to interesting discussion
sometimes.



-- 
Dana Nowell     Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards