Firewall Wizards mailing list archives

RE: Scare Me !!

From: "Waszak, Thomas" <Thomas.Waszak () connect xerox com>
Date: Mon, 14 Jun 1999 10:22:35 -0400

I can recommend Tom Peltier's "Information Security, Policies and
Procedures, a Practitioner's Reference" published by Auerbach.  Also look at
"Information Security Policies Made Easy" by Charles Wood, published by
Baseline Software.  I recommend the former. (It's also cheaper)
 
Cheers,
 
Thomas

-----Original Message-----
From: Copp, Carlton [mailto:Carlton.Copp () cendant com]
Sent: Monday, June 14, 1999 9:38 AM
To: 'Waszak, Thomas'; Ken Hardy; firewall-wizards () nfr net
Subject: RE: Scare Me !!



Tom, 

        4)      Your problems are not going to be solved with FUD
documentation and 
horror stories unless you get management buy-in to start some kind of info 
sec program.  Policy is your number one issue.  From there based upon your 
risk assessment prioritize what and how you proceed. 

Can you recommend some good sources of information for list members
interested in learning about the components of a security policy?
Information on this topic seems to be lacking on the Internet.  

Carlton 

        -----Original Message----- 
From:   Waszak, Thomas [SMTP:Thomas.Waszak () connect xerox com] 
Sent:   Friday, June 11, 1999 2:45 PM 
To:     Ken Hardy; firewall-wizards () nfr net 
Subject:        RE: Scare Me !! 

        Ken, 

        I feel for you.  Here's what I would do:  (Bear in mind I don't know
how far 
up the totem pole you are, what your responsibilities are, what kind of 
company, or how big or small your company is).  (if it's a large company and

you are low on the totem pole, check out Monster.com, it's unlikely you will

be able to influence anyone while you are still young) 

        1)      Figure out if this is your problem/responsibility as stated
by your 
job description.  If it is not and you are being the companies "Crusader for

Security", identify whose problem it is and start with them.  If it is not 
your responsibility and not clear whose responsibility it is, take 
ownership.  ***Danger Will Robinson Danger*** security is a potential 
political hotbed, proceed with caution.  Do not piss anyone off or they 
won't hear your message. 


        2) Conduct a internal risk assessment and work to convince
management that 
security is a serious issue (as high up the totem pole as possible).  To do 
this, put everything into a context that management can understand and care 
about.  Don't say "our servers will get shut down if we don't do something" 
or "hackers can do this by exploiting the XYZ vulnerability".  They won't 
understand or care.  Instead say "if X happens it will affect our business 
operations by Y"  Use terms like "revenue loss" , "lack of confidence", 
"inability to beat competition to the market" etc.  Make sure you do the 
homework when you make these statements though.  Be as non-technical as 
possible and be prepared to answer "So What" questions tailored to your 
audience. 

        3)  Consider bringing in an outside consultant.  ****Danger Will 
Robinson**** The issues you are trying to combat are not Network Security 
issues as much as they are Information Security issues.  In other words 
don't bring in someone who knows about firewalls to help you deal with user 
awareness and policy issues.  

        4)      Your problems are not going to be solved with FUD
documentation and 
horror stories unless you get management buy-in to start some kind of info 
sec program.  Policy is your number one issue.  From there based upon your 
risk assessment prioritize what and how you proceed. 

        Good Luck, your going to need it.  Remember that there are plenty of
other 
jobs out there. 
                -----Original Message----- 
                From:   Ken Hardy [ mailto:ken () bridge com
<mailto:ken () bridge com> ] 
                Sent:   Thursday, June 10, 1999 1:01 PM 
                To:     firewall-wizards () nfr net 
                Subject:        Scare Me !! 

                        I need to induce a healthy respect for Internet
dangers into 
                some folks around here.  I know the dangers, or enough of 
them, 
                but it's wearing to try to educate one after another exec, 
                network tech, etc. 

                        In addition to the regular sort of security
literature, a 
list 
                of real-life (or very possible) security incidents that 
could 
                help foster a healthy respect for the potential dangers 
might 
                be real useful.  An internet shop of horrors website, 
perhaps. 
                I'd appreciate anything useful in this regard. 

                        I'm trying to reach the sort of people who think
that a) we 
                have a firewall so we're safe; b) a packet filter is a 
firewall 
                (even if all ports >1024 are open!); c) desktop modems are 
                nothing to worry about; d) we *need* to support the 
                impossible-to-defend protocols of the latest whiz-bang 
internet 
                app through the firewall; e) policy?  we don't need no 
stinkin' 
                policy; f) etc., etc., etc. 

                         -- KH

Current thread:

RE: Scare Me !!, (continued)
- RE: Scare Me !! sean . kelly (Jun 14)
- Scare Me !! Ken Hardy (Jun 14)
  - Re: Scare Me !! Ken Hardy (Jun 14)
  - Re: Scare Me !! Lance Spitzner (Jun 14)
  - Re: Scare Me !! Alec Muffett (Jun 14)
    - Re: Scare Me !! Technical Incursion Countermeasures (Jun 15)
  - Re: Scare Me !! Technical Incursion Countermeasures (Jun 15)
- RE: Scare Me !! Copp, Carlton (Jun 15)
- RE: Scare Me !! Feeney, Tim (Jun 15)
  - RE: Scare Me !! Joe Pung (Jun 20)
- RE: Scare Me !! Waszak, Thomas (Jun 15)
  - Re: Scare Me !! Joseph S D Yao (Jun 16)
- Re: Scare Me !! Robert Graham (Jun 20)