Re: Government Compliance

["R. DuFresne" <dufresne () sysinfo com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 16 Jun 2005, Jay D. Dyson wrote:

> --[PinePGP]--------------------------------------------------[begin]--
> On Wed, 15 Jun 2005, Dave wrote:
>
> > Ok, I have big problems with this. There are seperate and distinct
> > requirements for maintaining password complexity, performing vuln scans,
> > AND performing penetration testing. Any industry guideline or resource
> > would never allow this "definition".
>
>         It's said that the Giraffe was a Horse designed by committee.
> With that in mind, what you're seeing are security decisions made by
> committee as well.
>
>         Sadly, a lot of agencies (government, corporate and alleged
> institutions of higher learning) have the same approach.  Managerial
> politics and sales drones are more influential in policy decisions than
> the input of clued security people.  That's why we have 99% of the messes
> we see today.
>
>         As a consequence, rather than having said organizations do some
> serious legwork and construct a solution appropriate to IT requirements,
> the managerial types tend to simply buy the sizzle of a salesman and go
> with Brand X's COTS solution (sic).  Similarly, Open Source solutions and
> methodologies (most of which are far superior to COTS in most every
> respect) are eschewed because "they cannot be trusted" and "they have no
> tech support."  (Their reasons, not mine.)
>
>         The solution?  If you can find one, I'll put in a good word for
> you at the Norwegian Nobel Committee.  My successes in this area have been
> limited to picking up the pieces after things go to hell and slowly
> cultivating opportunities in which I can influence, alter, or annihilate
> said policies.  It ain't for the faint of heart.

In many cases it is even more complex.  Remember security is a process of 
applying shims and fixes to a set of protocols that were not designed with 
security in mind, in other words it is a refurbishing or remodeling of 
something already in place, rather then building from the ground up 
something new.  And when mgt of many orgs is informed that they really do 
need to build from the ground up to address properly their now 
functionally inadaquet design flaws, that they lack the infrastructure to 
accomplish many of their needs and goals they start to p00p their pants. 
And they'll sit in those p00ped pants a long long time avoiding this, as 
much as techs would with having to renumber 1500+ systems to accommodate 
NAT in their new env...

Security, while being a buzzword and ringing all sorts of alarm bells and 
clang-ons all over the place, makes folks reluctant to really push the 
resources and funds into takes to do it correctly.  Everyone has the 
attitude that it should be something that slips in under the hood, quietly 
and has no null or newly complex effects upon how things have "always" 
been done.  no one wants to face the real cost of doing things right, in 
actual funds, let alone resources and changing old habits.  Thus to 
continual GAO bad report cards of various federal agencies, let alone 
those at the state and county gov levels.

Thanks,

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCscV5st+vzJSwZikRAkOrAJ0e/n1t84+7xYEJ45vjso3ylRc+MwCePi93
oN3Nmg5GyYmfpe4tz5qMDwo=
=iqop
-----END PGP SIGNATURE-----