IDS mailing list archives
RE: [IDS] IDS Common Criteria
From: Randy Taylor <gnu () charm net>
Date: Wed, 15 Jan 2003 13:09:31 -0500
I appreciate the comment, Rob, but he didn't say it that way, nor could I infer it from his post. He opened with the blanket comment, "Security is not a process". Paraphrasing H.L. Mencken, the statement looks clear, simple, and correct, but in fact it's just dead flat wrong. While I can pretty much concur with the rest of his comments as to what CC is and so on, his initial statement negates the rest of his post.

I wasn't picking nits. He opens with a position that denies the existence of process and then describes a security paradigm...that is a process by its own definition. Hello? *knock knock* Anyone home?

I agree with you that CC and a process-oriented security approach are different "things" in and of themselves. CC is about security, arguments to its validity or usefulness notwithstanding, and it is a process in its own right. A process approach to security is a model that happens to include the CC as one subprocess out of many in the work world I live in these days. Your CC mileage can and will vary from project to project. I'd like to hope most of us never have to deal with CC. The NSTISSP No. 11 policy letter makes me think more and more of us will have to deal with it, though, as U.S. lawmakers form a coherent national network infrastructure security policy.

That said, those that know me and have worked with me are very aware of the healthy disregard I have for the mindless spewage that appears in the guise of "Process" from the dimension known as "The Land of The Pointy-Haired Clueless Managers". But that's a different type of "thing" entirely.

)-> ...or something...

Randy
-----
people are too complex an organization of molecules to be able to predict reliably.
-- From "Zodiac" by Neal Stephenson

At 10:42 AM 1/15/2003 -0500, Rob Shein wrote:
I think what he meant was, "Security is not the sort of process like the Common Criteria, where you just have to go down a checklist to be good to go." The process you describe and a process like the Common Criteria are entirely separate types of things.

> -----Original Message-----
> From: Randy Taylor [mailto:gnu () charm net]
> Sent: Monday, January 13, 2003 10:27 AM
> To: focus-ids () securityfocus com; ids () mailman vet com au
> Subject: RE: [IDS] IDS Common Criteria
>
>
> At 07:14 PM 1/10/2003 -0500, Graham, Robert (ISS Atlanta) wrote:
> >Common Criteria is for those who believe that "security is a process".
> >
> >Security is not a process. There is no silver bullet that will protect
> >you. The Common Criteria process is not a silver bullet.
>
> Security is very much a process. It has a scope that encompasses many
> concepts that are not addressed from the understandably narrowed focus
> found in vendor space. Here's just a few of the many issues I'm dealing
> with these days:
>
> - User education, awareness, and training
> - Security policy - network and physical
> - Application data flows
> - Firewall rules
> - HIDS deployment
> - NIDS deployment
> - Anti-virus deployment and management
> - Incident response
> - Router and switch hardening policies
> - Life-cycle management of all the above and then some
>
> Without a process view of a system like this, none of it works together
> the way it was intended in the initial design.
>
> Bruce Schneier speaks to the "security is a process" position better
> than I, but I did want to take a moment to point out some areas that
> many folks overlook when they talk about security. The broad-scope view
> makes it all look easy. It's the details that get you killed,
> figuratively speaking.
>
> I agree there is no single "security silver bullet". If there was one
> it certainly would not be Common Criteria. It wouldn't be just "IDS",
> "Firewall", or "Anti-Virus", either. Without a process-oriented approach
> to security, the "gun" is in the hands of the enemy rather than in ours.
>
> Best regards,
>
> Randy
> -----
> "If you are going to sin, sin against God, not the bureaucracy.
> God will forgive you but the bureaucracy won't."
> --- Hyman Rickover ---