IDS mailing list archives
RE: [IDS] IDS Common Criteria
From: "Rob Shein" <shoten () starpower net>
Date: Wed, 15 Jan 2003 10:42:34 -0500
I think what he meant was, "Security is not the sort of process like the Common Criteria, where you just have to go down a checklist to be good to go." The process you describe and a process like the Common Criteria are entirely separate types of things.
-----Original Message-----
From: Randy Taylor [mailto:gnu () charm net]
Sent: Monday, January 13, 2003 10:27 AM
To: focus-ids () securityfocus com; ids () mailman vet com au
Subject: RE: [IDS] IDS Common Criteria

At 07:14 PM 1/10/2003 -0500, Graham, Robert (ISS Atlanta) wrote:
> Common Criteria is for those who believe that "security is a process".
> Security is not a process. There is no silver bullet that will protect
> you. The Common Criteria process is not a silver bullet.

Security is very much a process. It has a scope that encompasses many concepts that are not addressed from the understandably narrowed focus found in vendor space. Here's just a few of the many issues I'm dealing with these days:

- User education, awareness, and training
- Security policy - network and physical
- Application data flows
- Firewall rules
- HIDS deployment
- NIDS deployment
- Anti-virus deployment and management
- Incident response
- Router and switch hardening policies
- Life-cycle management of all the above and then some

Without a process view of a system like this, none of it works together the way it was intended in the initial design.

Bruce Schneier speaks to the "security is a process" position better than I, but I did want to take a moment to point out some areas that many folks overlook when they talk about security. The broad-scope view makes it all look easy. It's the details that get you killed, figuratively speaking.

I agree there is no single "security silver bullet". If there was one it certainly would not be Common Criteria. It wouldn't be just "IDS", "Firewall", or "Anti-Virus", either. Without a process-oriented approach to security, the "gun" is in the hands of the enemy rather than in ours.

Best regards,
Randy

-----
"If you are going to sin, sin against God, not the bureaucracy. God will forgive you but the bureaucracy won't."
--- Hyman Rickover ---