RE: Vulnerability Response (was: BGP TCP RST Attacks)

["Paul D. Robertson" <paul () compuwar net>]

On Thu, 3 Jun 2004, Phil Burg wrote:

> This part, IMNSHO, is a key part of your risk management policy /
> standard / whatever $YOUR_SITE calls it:  you need to clearly
> define who evaluates security risks and how they do it, the intention
> being to arrive at a situation wherein any suitably qualified person
> (for some value of suitably qualified) can pick up your RM documentation
> and produce a very similar assessment of the risk as any other suitably
> qualified person would produce.  And of course it needs to be auditable.

*Exactly.*  Someone has to _own_ risk management.  The people who don't
own it should have input, but not the ability to nitpick.  That means the
organization must be comfortable with the person who owns it being able to
assess not just the security risk, but the business risk and weigh the
two.

Generally, though it seemed like I rejected everything put to me, in fact,
almost all of my rejections were "no, we won't just open up $foo and let
you do it on $bar, but if you're willing to buy $baz and move things
thusly..."  Naturally, I started with "No!" because I'm always in default
denial ;)

> Selling this to management at $YOUR_SITE is left as an exercise to the
> reader...

*No!*[1]  This is where we *absolutely* need to share experiences- if it
worked for me, it should work for someone else.  Enough of those and we
can make some forward progress industry-wide.

There are half a zillion things dedicated to "How do I block P2P?"  We
need more "How do I gain and keep responsibility?"

When I left my last company, I thought they'd throw a huge party.  I know
I'd pissed off at least hundreds, if not thousands of my co-workers by not
allowing them lots of cool, fun and potentially profitable services.  I
didn't make exceptions (even for me,) didn't give politically correct
answers, and didn't bend one bit on my policy.  I upset lots and lots of
people, lots and lots of times.  The sentiment I got when I said "Bet
you're glad I'm leaving!" was completely the opposite of what I expected.

The understood that I did my job, and my job was to protect the company.
They knew that the company was going to take on more risk within a week or
two- because like most large corporations, there was a lot of internal
politics, and very few people will take the "more likely to be career
limiting, but right" path.

In the end, the people who I interacted with most for new things had
gotten to realize that it was easier by far to come and ask me how they
should do something new than to fight for the right to do it at all after
sneaking it in.

The years of fighting before that weren't fun (mostly for them- I was the
undefeated NO champion of the Universe!)- but they got to where network
security (and infrastructure) became a part of the "we must cover this"
phase of any project.

Paul
[1.] There I go again!
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards