Firewall Wizards mailing list archives

Re: iso 17799


From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Tue, 20 Jul 2004 17:41:15 -0400

At 02:48 PM 7/20/2004 -0400, Paul D. Robertson wrote:
> On Tue, 20 Jul 2004, Dana Nowell wrote:
> 
> > OK, I'll put my head in the noose again ...
> 
> Cool!
> 
> > > I can likely negate 90% of the same risk with 10% of most "Best
> > > practices-" so it's really expensive to implement the other 90% of those
> > > practices- without a good risk/reward scheme or legislation, people are
> > > unlikely to go full-force on such systems.  I can also implement them
> > > poorly or well- none of that seems to make them any easier.
> 
> > Great, how do the rest of us learn to negate 90% of the risk?  Got a paper
> 
> You pay me lots and lots of money and beer! ;)

Hope that comment works better for you than it has for me ;)  Although I
HAVE collected some beer over time.  I'd estimate I'm at about .01 beers
per man hour :(.

> > somewhere?  Written up an FAQ?  Guideline?  "Best Practice"? :-)  Know of a
> > good repository of that type of thing?  Or is every newbie supposed to post
> > the question to the list to extract your knowledge, say every other month?
> > ('cause you KNOW they don't search the archives)
> 
> I think that some of it is FAQ material, some of it is experience and some
> of it is situational.  Maybe one day, I'll write my magnum opus about
> practical security, but nobody will read it anyway, because it's easier to
> just ask which firewall you should buy!

Cynic.  Oh wait ...

> > > Every time I've read a security standard document, I've disagreed with
> > > parts of it, and thought other parts were not clear enough.  Mostly
> > > though, I've been bored out of my skull dealing with the language barrier
> > > between a standard and implementing it.
> 
> > Yup and several sections don't really apply and ...  But DID IT HELP you
> > get the job done/solidify an opinion?  (OK, maybe you aren't a good
> > example, would it help a newbie?)
> 
> Well, it depends on what "the job" is- if it's implement this document,
> then sure!  If it's reduce risk, then maybe.  If it's understand what
> you're implementing and why, then probably not.

The usual context (to me) is 'reduce the risk'.  I don't really care about
the document and I too suffer from ancient Greek philosophic syndrome.

> > IMO, the 'push for standards' is because the field is exploding AND
> > maturing and many, many, newbies are being thrown into the fire every day.
> > The brighter (mentally, not visually) of the crispy critters are looking
> > for some sort of centralized help instead of 10,000 'one shot' questions on
> > a list.  Don't get me wrong, the list is useful.  I've been on the/a
> > firewalls list since GreatPlains hosted one.  But now that I'm stuck
> 
> Um, you mean GreatCircle? ;)

Doh!  I've been reading one too many accounting specs ...  Yes, GreatCircle.

> > between the current crop of crispy critters and the Pointy Haired Boss,
> > something to point one or the other at would help :-).  So I have my list
> > of reference materials for the critters, I cull the tech news regularly for
> > the PHB, do my work, and try to find time to expand my sources, oh yeah,
> > and fit in a life.  In my spare time, I dream of the magic repository that
> > will actually off-load some of the work.  I'm not sure it will, or can,
> > ever exist but it sure would be nice.
> 
> When it becomes that easy, the systems will implement it themselves.

Well, I wasn't THAT optimistic.  Self-training staff and self-educating
bosses, damn, you think BIG. :).

> > The frustration is that people on this list 'generally' solve the same
> > problems, use lots of the same references, sites, and resources.  This list
> > is dedicated to answering specific questions about firewall
> > implementations, a good thing.  However no centralized list or repository
> > exists to share the 'other' information required in the real world
> > (training materials, reference materials, example risk
> > assessments/documents, staff/food chain management issues, software, etc.).
> > The list is good, it does its job well, too well, people want the other
> > problems solved as well and currently they can't have it.
> 
> I'd be happy to set up a repository.  Either officially in conjunction
> with the list, or unofficially on my own site.

Yeah, the question then becomes, what goes there, what formats are used (if
consistency is even important).  Is it a collection dumping ground or is
there some type of need analysis/review of content, ...   You know, the
whole 'what are the rules' thing gets messy.

I pushed something like that a while back on the list.  I had no takers.  It
may be because the idea stinks or it may be because I was unclear due to
several double shifts or it may be because I used the term best practices
and suffered buzzword filtering.

> > In one man's opinion, that's one of the main reasons why we see the push
> > for 'standards'.  It's not really standards people want, so much as
> > direction/help with the 'other' parts of their job.  The learning,
> > training, tools, samples, and other pieces that the list isn't fully supplying
> > would probably sate some of the hunger and be more real-world useful than a
> > bucket full of rigid standards.
> > 
> > (Returns to lurk mode, hopefully withdrawing neck from noose)
> 
> Personally, I think we'd be better off with training on how to think about
> security at that level, and what sorts of things to watch out for.  But
> I'm stubborn enough to think that we can teach them to fish, even if they
> do just want to do the drive-through.

I'm all for teaching them to fish but we need to accumulate some boats :-).
In small companies we do not get much of a training budget so it is pretty
much senior guys/mgrs train junior guys (OTJT as usual).  Of course, we
have our own work to do, so any training aids/shortcuts (boats) are greatly
coveted.  As it is, I pick a book off my shelf, or aim them at a web site,
and then schedule an hour or two in the afternoon to meet.  Fortunately,
we're REAL small (and pretty static in config and staff) so it is not that
significant a chunk of my time/budget (small staff * 1 hour a couple times
a month is still a small number).

I THINK a 'rent a fleet' repository would be a good thing, if the boats
aren't too leaky and the price is free.  Then we (the senior guys/gals in
small companies and others in the industry) could say, read ABC, QRS, and
XYZ from the repository (or better yet, scan the repository for info) and
we'll discuss it for a half hour this afternoon (go ahead, save me a half
hour, I dare you ;-).  Best case, I THINK the net as a whole benefits
(assumption, small guy security improves if only because the senior staff
get a couple extra hours to think about stuff). With a large contributor
base (this list?) I do not think any one person/company gets overly
punished (contribute as time/resources permit).  Worst case, we waste some
time trying something that fails (gee, I've never done that before).

So Paul (and others), I've got a windmill, anyone have a spare horse/lance?




-- 
Dana Nowell     Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

