IDS mailing list archives

RE: [IDS] IDS Common Criteria


From: Randy Taylor <gnu () charm net>
Date: Wed, 15 Jan 2003 13:09:31 -0500


I appreciate the comment, Rob, but he didn't say it that way, nor
could I infer it from his post.

He opened with the blanket comment, "Security is not a process".
Paraphrasing H.L. Mencken, the statement looks clear, simple, and
correct, but in fact it's just dead flat wrong.

While I can pretty much concur with the rest of his comments as to
what CC is and so on, his initial statement negates the rest of his
post. I wasn't picking nits. He opens with a position that denies the
existence of process and then describes a security paradigm...that is
a process by its own definition.

Hello? *knock knock* Anyone home?

I agree with you that CC and a process-oriented security approach
are different "things" in and of themselves. CC is about security, arguments
to its validity or usefulness notwithstanding, and it is a process in its
own right. A process approach to security is a model that happens
to include the CC as one subprocess out of many in the work world
I live in these days. Your CC mileage can and will vary from project to
project.

I'd like to hope most of us never have to deal with CC. The NSTISSP No. 11
policy letter makes me think more and more of us will have to deal with it,
though, as U.S. lawmakers form a coherent national network infrastructure
security policy.

That said, those that know me and have worked with me are very aware
of the healthy disregard I have for the mindless spewage that appears in
the guise of "Process" from the dimension known as "The Land of The
Pointy-Haired Clueless Managers". But that's a different type of "thing"
entirely. )->

...or something...

Randy

-----
people are too complex an organization of
molecules to be able to predict reliably.
 -- From "Zodiac" by Neal Stephenson

At 10:42 AM 1/15/2003 -0500, Rob Shein wrote:
I think what he meant was, "Security is not the sort of process like the
Common Criteria, where you just have to go down a checklist to be good
to go."  The process you describe and a process like the Common Criteria
are entirely separate types of things.

> -----Original Message-----
> From: Randy Taylor [mailto:gnu () charm net]
> Sent: Monday, January 13, 2003 10:27 AM
> To: focus-ids () securityfocus com; ids () mailman vet com au
> Subject: RE: [IDS] IDS Common Criteria
>
>
> At 07:14 PM 1/10/2003 -0500, Graham, Robert (ISS Atlanta) wrote:
> >Common Criteria is for those who believe that "security is a
> >process".
> >
> >Security is not a process. There is no silver bullet that
> >will protect you. The Common Criteria process is not a silver
> >bullet.
>
> Security is very much a process. It has a scope that
> encompasses many concepts that are not addressed from the
> understandably narrowed focus found in vendor space. Here's
> just a few of the many issues I'm dealing with these days:
>
> - User education, awareness, and training
> - Security policy - network and physical
> - Application data flows
> - Firewall rules
> - HIDS deployment
> - NIDS deployment
> - Anti-virus deployment and management
> - Incident response
> - Router and switch hardening policies
> - Life-cycle management of all the above and then some
>
> Without a process view of a system like this, none of it
> works together the way it was intended in the initial design.
>
> Bruce Schneier speaks to the "security is a process"
> position better than I, but I did want to take a moment to
> point out some areas that many folks overlook when they talk
> about security. The broad-scope view makes it all look easy.
> It's the details that get you killed, figuratively speaking.
>
> I agree there is no single "security silver bullet". If there
> was one it certainly would not be Common Criteria. It
> wouldn't be just "IDS", "Firewall", or "Anti-Virus",
> either. Without a process-oriented approach to security, the
> "gun" is in the hands of the enemy rather than in ours.
>
> Best regards,
>
> Randy
> -----
> "If you are going to sin, sin against God, not the bureaucracy.
>   God will forgive you but the bureaucracy won't."
>   --- Hyman Rickover ---
>
>


