Firewall Wizards mailing list archives

Re: iso 17799


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Wed, 21 Jul 2004 04:42:10 +0530

On 20/07/04 14:00 -0400, Dana Nowell wrote:
<snip>
> > I can likely negate 90% of the same risk with 10% of most "Best
> > practices-" so it's really expensive to implement the other 90% of those
> > practices- without a good risk/reward scheme or legislation, people are
> > unlikely to go full-force on such systems.  I can also implement them
> > poorly or well- none of that seems to make them any easier.


> Great, how do the rest of us learn to negate 90% of the risk?  Got a paper
> somewhere?  Written up an FAQ?  Guideline?  "Best Practice"? :-)  Know of a
> good repository of that type of thing?  Or is every newbie supposed to post
> the question to the list to extract your knowledge, say every other month?
> ('cause you KNOW they don't search the archives)

I was thinking about this topic a few hours before this mail came in.
I think that the discussion on airgap firewalls and TCP resets in BGP
does cover quite a bit of ground on that topic.

IIRC, the NIST does have guidelines and checklists for such things.

A short list of points of security concepts (which need to be understood):

1> Security is all about limiting access.
2> 100% control is impossible. There are always risks.
3> The cost of implementing a security solution MUST always be less than
the possible loss.
4> Security is defined by a policy, which has to be set by management.
5> Security should not be the responsibility of a single system. It must
be pervasive through the organisation.
6> This means that security covers things like physical security,
network security for servers, desktops, network equipment and the
network itself.
7> Firewalls are supposed to separate and restrict traffic.
8> Firewalls should be in default deny mode because their job is to
restrict.
9> All users should be given the least privileges and access they need
to do their job. Any process other than the kernel is to be treated as a
user. This may involve not having the user connect to the network at
all.
10> Monitoring your systems is an integral part of security. This is
where an IDS and log analysis come into play.
11> Acting on the reports of the monitoring systems is defined by the
policy.
12> Always remember to ask for business justification if asked to make
any changes.
13> Document everything.
14> Have a backup policy handy. Disasters do happen.

Anything generic that I have missed out?

<snip>
> IMO, the 'push for standards' is because the field is exploding AND
> maturing and many, many, newbies are being thrown in to the fire everyday.
> The brighter (mentally, not visually) of the crispy critters are looking
> for some sort of centralized help instead of 10,000 'one shot' questions on
> a list.  Don't get me wrong, the list is useful.  I've been on the/a

Is that the brighter ones, or the less bright ones who can't figure
things out for themselves because they don't know how?
I know I learnt a lot lurking on this list and reading things.

The security-basics list at securityfocus was useful earlier.

There are *lots* of books on security in the market today.
"Building Internet Firewalls" is a pretty good one to start off with.

> firewalls list since GreatPlains hosted one.  But now that I'm stuck
> between the current crop of crispy critters and the Pointy Haired Boss,
> something to point one or the other at would help :-).  So I have my list
> of reference materials for the critters, I cull the tech news regularly for
> the PHB, do my work, and try to find time to expand my sources, oh yeah,
> and fit in a life.  In my spare time, I dream of the magic repository that
> will actually off-load some of the work.  I'm not sure it will, or can,
> ever exist but it sure would be nice.
Don't we all?

> The frustration is that people on this list 'generally' solve the same
> problems, use lots of the same references, sites, and resources.  This list
> is dedicated to answering specific questions about firewall
> implementations, a good thing.  However no centralized list or repository
> exists to share the 'other' information required in the real world
> (training materials, reference materials, example risk
> assessments/documents, staff/food chain management issues, software, etc.).
> The list is good, it does its job well, too well, people want the other
> problems solved as well and currently they can't have it.

There is a list on risks out there. I have heard it is fairly good, but
I really can't keep up with current mail either. 
Software is available, lots of choices. The knowledge to make an informed
choice is slightly harder to get.
 
> In one man's opinion, that's one of the main reasons why we see the push
> for 'standards'.  It's not really standards people want, so much as
> direction/help with the 'other' parts of their job.  The learning,
> training, tools, samples, and other pieces that list isn't fully supplying
> would probably sate some of the hunger and be more real world useful than a
> bucket full of rigid standards.

Agreed. Even more than the learning and training materials, the reference
materials for the "social" part of security are what is missing. How to
say no to a manager when (s)he is screaming at you to do something that
you aren't confident about. Sample documentation on justifying security
expenses. 

This sounds rather like the contents of a management course :).

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
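Points 8 and 10 of the list above (default deny, then monitor and analyse the log) are easiest to see with a small policy evaluator. The following is an added example for this archive page, not code posted by anyone in the thread: a toy first-match packet filter that applies a default policy to whatever no rule covers, logs every drop, and summarises the deny log by source. The rules, addresses (RFC 5737 documentation ranges) and sample traffic are all constructed for the illustration; running the same permit-list under default accept and default drop shows why the default matters when someone forgets to write a rule for a new service.

```python
"""Toy packet filter: first-match rules, a default policy, and a deny log."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    dst: str = "0.0.0.0/0"       # destination CIDR the rule applies to
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    """First-match rule evaluation; unmatched traffic gets the default policy."""

    def __init__(self, rules: List[Rule], default: str):
        self.rules = rules
        self.default = default
        self.log: List[dict] = []   # stands in for the firewall's drop log

    def filter(self, pkt: Packet) -> str:
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                action, reason = rule.action, f"rule {idx}"
                break
        else:
            action, reason = self.default, "default policy"
        if action == "drop":
            self.log.append({"src": pkt.src, "dst": pkt.dst, "proto": pkt.proto,
                             "dport": pkt.dport, "reason": reason})
        return action


# Constructed permit-list: only the services the policy explicitly allows.
# 192.0.2.0/24, 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
ALLOWED_SERVICES = [
    Rule("accept", dst="192.0.2.25/32", proto="tcp", dport=25),   # mail relay
    Rule("accept", dst="192.0.2.80/32", proto="tcp", dport=443),  # web server
]

# Constructed traffic sample, including services nobody wrote a rule for.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.10", "192.0.2.25", "tcp", 25),
    Packet("203.0.113.10", "192.0.2.80", "tcp", 443),
    Packet("203.0.113.10", "192.0.2.80", "tcp", 3389),  # RDP, not in policy
    Packet("198.51.100.7", "192.0.2.80", "tcp", 3389),
    Packet("198.51.100.7", "192.0.2.80", "tcp", 22),    # SSH, not in policy
    Packet("198.51.100.7", "192.0.2.25", "udp", 53),    # DNS to the mail host
]


def run_policy(default: str) -> Tuple[List[str], List[dict]]:
    """Push the sample traffic through the permit-list under one default policy."""
    fw = Firewall(ALLOWED_SERVICES, default)
    verdicts = [fw.filter(p) for p in SAMPLE_TRAFFIC]
    return verdicts, fw.log


def drops_by_source(log: List[dict]) -> List[Tuple[str, int]]:
    """Minimal log analysis: which sources keep hitting the deny policy."""
    return Counter(entry["src"] for entry in log).most_common()


if __name__ == "__main__":
    for default in ("drop", "accept"):
        verdicts, log = run_policy(default)
        print(f"default {default}: {verdicts}")
        for src, n in drops_by_source(log):
            print(f"  {n} dropped from {src}")
```

With `default="drop"` the two permitted flows pass and the other four are dropped by the default policy, and the log immediately shows which source is probing unlisted ports; with `default="accept"` the identical rule list lets RDP and SSH straight through and the log stays empty, so there is nothing for the monitoring side of point 10 to act on.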

