lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: capegeo at opengroup.org (George Capehart)
Subject: Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly)

On Sunday 28 September 2003 03:39 pm, Curt Purdy wrote:
> When we get this far off-topic, how about putting up a new subject
> line with a was:

<Lurker crawls out from under rock>

I've followed this thread and, especially the recent exchange among 
Michael Zalewski, Frank Knobbe and Florian Weimer.  My initial response 
was to respond to specifics, like, for instance, the first paragraph 
below.  Was going to raise my hand and say:  But what about the DFS?  
As the thread grew, I realized that it is really about my pet peeve:  
The absence of a *real* information security *program* that addresses 
defense-in-depth, security architectures, etc. 
_at_the_enterprise_level_.  I have been in only *one* organization that 
actually had an enterprise security architecture and which built 
systems around it.  But that was only one of many with which I am 
familiar.

Paul Schmel's lament was that "we as a 'security community' have [not] 
even begun to tackle this problem."  I would submit that, as a 
community, we *have*. All one has to do is to look at the ISO/IEC 
standards, the ANSI standards, the NIST Special Publications, the 
Common Criteria, DITSCAP, COBIT, etc., etc., etc. the WS* standards 
coming out of the W3C and OASIS, the IATFF, etc. to see that we 
understand the problem and have documented almost ad nauseum how to 
deal with it.  The military and intelligence community have been 
practicing "good security" for years.  Even the government is beginning 
to catch on.  IMHO, the problem is *not* with the security community, 
but with the "governance community."

<rant>
The problem is that there is no accountability at the top for allowing 
systems to be run in an insecure manner.  It seems that neither Boards 
of Directors nor C-level corporate officers understand that, these 
days, a significant chunk of the risk that they need to manage arises 
out of their use of IT systems.  Either that, or there is no impetus to 
*really* manage risk at any level.  This is not rocket science.  It is 
risk management.  Risk is not being managed top-down in any structured 
manner.  It is being managed bottom up by a few individuals who care.  
Boards of directors do not ask the tough questions.  For many, 
Information Security is not on the list of things to care about at all.  
C-level officers don't care about it.  If they did, organizations would 
have robust Information Security programs, there would be clear lines 
of accountability and responsibility for the management of risk 
incurred by the operation of IT systems and the "'soft and chewy' 
problem" would be addressed.  
</rant>

My $0.02.

George Capehart

<snip>

>
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Paul
> Schmehl Sent: Sunday, September 28, 2003 12:20 PM
> To: Full Disclosure
> Subject: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of
> Monopoly
>
>
> --On Sunday, September 28, 2003 8:14 AM -0400 Karl DeBisschop
>
> <kdebisschop@...rt.infoplease.com> wrote:
> > Crunchy shell, soft-chewy insides?
>
> I don't think "we" as a "security community" have even begun to
> tackle this problem.  We talk about it, but who is *really* doing it?
>  For example, if you want to network machines you *have* to use
> SMB/NetBIOS for Windows, NFS for Unix, CIFS, or something similar. 
> Who is really looking at how to be secure while still allowing
> internal machines to talk to each other? Certainly none of the above
> protocols qualify as secure.
>
> When a machine is problematic, for whatever reason, the usual
> reaction is "block it at the firewall".  But that doesn't protect
> that machine from *other* internal machines.  It only protects it
> from the outside.  Oh, you might have a firewall that cordons off
> accounting from the rest of the enterprise, but *inside* accounting,
> you still have the "soft, chewy" problem.
>
> I haven't really seen anything that addresses this problem, and I'm
> not aware of anyone who is working on solving it.  For the most part
> security thinking is still in the middle ages - build a castle with
> moats and outer defensive rings, and staggered entrances to make it
> hard for the enemy to get it.  Once he gets in, what does current
> security thinking offer?  Not much.
>
> What we need is a paradigm shift in thinking.
>
> Paul Schmehl (pauls@...allas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642		http://pgp.mit.edu
Key fingerprint:  BE7A 9A4A 6A8F 363A BAC5  4866 631B B2F6 63F0 F642

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea.  -- RFC 1925

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ