Security Basics mailing list archives

C&A process, C&A professionals


From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Thu, 25 Mar 2010 11:48:20 -0400

List,

Recently there was a discussion on the Pen-Test mailing list
(http://www.securityfocus.com/archive/101/509929/30/0/threaded)
regarding "Script kiddies vs. real talent."  Along those same lines I
wonder what this list thinks about recent comments by SANS Institute
founder Alan Paller about FISMA compliance and C&A professionals.

"[They] rewarded ineffective behavior and created a cadre of people
who call themselves security professionals but who proudly admit they
cannot implement security settings on systems and network devices or
find a programming flaw," he said.

"Fisma had created and rewarded a culture of compliance rather than
security," Paller said. Federal and state governments were "radically
short of money", but they were forced to spend it on reporting rather
than security, he said. "Writers who know how a few words about
security and federal regulations now make 50% to 80% more money than
the people who actually secure systems and networks and applications,"
he said. "It is as if we paid the compliance staff at a hospital more
than the surgeons."

He said the nation's attention should be on real-time monitoring of
its information systems and networks to prevent or mitigate attacks as
they happened. "Oversight must be focused on the effectiveness of the
agencies' real time defences," he said.

My thoughts:

First, there is a clear financial incentive here for SANS to encourage
more real-time network security monitoring by the Federal government,
as the kinds of hands-on technical skills required to perform the job
are the same skills taught by SANS.  However, that doesn't take
anything away from the weight of the assertions made.

Do you believe that Certification and Accreditation professionals are
little more than technical writers that have memorized some industry
jargon or does the C&A process serve a useful function in securing an
organization's Information Systems?

http://www.computerweekly.com/Articles/2010/03/25/240719/Sans-founder-slams-39terribly-damaging39-US-cyber-security.htm
