Full Disclosure mailing list archives
Re: NASA experience
From: "Curt Purdy" <purdy () tecman com>
Date: Fri, 17 Oct 2003 17:18:01 -0500
My experience working at NASA (Moffett Field, as an intern one summer) was that their IT department (in my building) was good at what they did but had a pretty restrictive security policy (which is a good thing, I guess). So I would rate them as excellent, although too restrictive.

-- Jason Freidman <jason.full-disclosure () compnski com>

A primary tenet of all good security policies is the principle of least privilege, which basically states that no one should have more access than the absolute minimum necessary to do their job. Of course, no one really does this that I have seen. But a good yardstick of your security policy and implementation is if everyone complains it is too strict. As long as you have the support of management, this is when I feel most comfortable.

It looks like NASA is doing it right, which I have always heard. Being ahead of the curve, 4 years ago they instituted a comprehensive vulnerability assessment and patching and remediation program that turned the hostile penetration rate from over 20% to less than 1% in a year.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html