From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: Soft-Chewy insides

> -----Original Message-----
> From: George Capehart [mailto:capegeo@...ngroup.org]
> Sent: Monday, September 29, 2003 6:52 AM
> To: Curt Purdy; Schmehl, Paul L; 'Full Disclosure'
> Subject: Re: [Full-Disclosure] Soft-Chewy insides (was:
> CyberInsecurity: The cost of Monopoly)
>
> Paul Schmehl's lament was that "we as a 'security community'
> have [not] even begun to tackle this problem." I would submit that, as a
> community, we *have*. All one has to do is to look at the ISO/IEC
> standards, the ANSI standards, the NIST Special Publications, the
> Common Criteria, DITSCAP, COBIT, etc., etc., etc., the WS* standards
> coming out of the W3C and OASIS, the IATFF, etc. to see that we
> understand the problem and have documented almost ad nauseam how to
> deal with it. The military and intelligence community have been
> practicing "good security" for years. Even the government is
> beginning to catch on. IMHO, the problem is *not* with the security
> community, but with the "governance community."

I'm not going to disagree with this at all; however, I would point out that standards are one thing, implementation entirely another. It's nice to have standards that provide guidance in security structuring, but without the tools to implement those guidelines, they're guidelines and not much more. Only in the past couple of years have we seen any really useful tools in this area, and the prices are out of reach of many organizations. (Like other things in technology, it would be nice if those prices would come down over time.)

Here's just one example. How do I integrate groups in a heterogeneous environment? If I want to create a group that has certain access with certain rights, and I want that group to have access to both Unix and Windows resources, how do I do that? Right now it takes a lot of manual work (scripting, etc.). Where are the tools to make this easy?

Or worse. How do I monitor who are members of those groups? How do I know which people to remove based on resignations/terminations/etc.? How do I verify that the user has been removed from both Windows and Unix groups? (Because you can't create a global group that is authoritative for both platforms - well, you sort of can using LDAP.)

Furthermore, Unix and Windows don't even agree on what a group is. Or how the rights for that group should be configured. (Homogeneous environments are fairly easy in comparison but still not without their problems.) If, for example, I have a resource which I want to offer to some users at a read-only level, to others at a read/write level and to a few at a full-control level, how do I do that in Unix? Unix only understands u-g-a. In Windows I can "attach" as many groups to a resource as I want, each with its own level of access. And I have multiple types of access, not just read, write and execute. How do I integrate these two disparate implementations? If I want security to be granular, how do I do that when heterogeneous resources force me into a "least common denominator" scenario?

That's what I'm referring to when I say "we, as a security community" have only begun to try addressing these issues. Right now, organizations pretty much have to "roll their own" - not a very efficient way of solving a universal problem.

WRT your rant about C-level, I totally agree.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
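The "roll your own" reconciliation Paul describes (checking that a terminated account is gone from both the Unix and the Windows side, and spotting where the two copies of a group have drifted apart) is shown below as an added example; it is not code from the original post or from the list. The /etc/group text, the tab-separated Windows group export, the termination list and the hand-maintained cross-platform group mapping are all constructed sample data, and the export format is an assumption about how one would post-process an AD member listing, not the output of any particular tool.

```python
"""
Added example (not part of the original post): audit group membership across
a Unix /etc/group dump and a Windows/AD group export, flag terminated accounts
that are still members anywhere, and report drift between groups that are
supposed to be equivalent on both platforms.

Every input below is constructed sample data, not a real export.
"""
from collections import defaultdict

# Constructed /etc/group content: name:password:gid:member,member,...
UNIX_GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob
finance:x:5001:alice,carol,dave
devops:x:5002:bob,erin
"""

# Constructed Windows export, one "<group><TAB><sAMAccountName>" per line.
# The format is assumed for this example (what an LDAP search or a
# dsget-style listing might be post-processed into); it is not a tool's
# native output.
WINDOWS_GROUP_EXPORT = """\
Finance\talice
Finance\tcarol
Finance\tfrank
DevOps\tbob
DevOps\terin
DevOps\tdave
Domain Admins\talice
"""

# Constructed HR feed: accounts whose access should already be revoked.
TERMINATED = {"dave", "frank"}

# Hypothetical hand-maintained map of "equivalent" groups. Nothing
# authoritative links the two namespaces, which is exactly the gap the
# post complains about.
GROUP_MAP = {"finance": "Finance", "devops": "DevOps"}


def parse_unix_groups(text):
    """Return {group: set(members)} from /etc/group-formatted text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_windows_groups(text):
    """Return {group: set(members)}; Windows names are case-insensitive,
    so members are normalised to lower case before comparison."""
    groups = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        group, user = line.split("\t", 1)
        groups[group.strip()].add(user.strip().lower())
    return dict(groups)


def stale_members(unix_groups, win_groups, terminated):
    """Terminated accounts still present in any group, as (platform, group, user)."""
    findings = []
    for g, members in unix_groups.items():
        findings.extend(("unix", g, u) for u in sorted(members & terminated))
    for g, members in win_groups.items():
        findings.extend(("windows", g, u) for u in sorted(members & terminated))
    return findings


def membership_drift(unix_groups, win_groups, group_map):
    """For each mapped pair, users present on one platform but not the other."""
    drift = {}
    for ug, wg in group_map.items():
        u = unix_groups.get(ug, set())
        w = win_groups.get(wg, set())
        if u != w:
            drift[(ug, wg)] = {"unix_only": sorted(u - w),
                               "windows_only": sorted(w - u)}
    return drift


def audit(unix_text=UNIX_GROUP_FILE, win_text=WINDOWS_GROUP_EXPORT,
          terminated=TERMINATED, group_map=GROUP_MAP):
    """Run both checks and return the findings as a dict."""
    unix_groups = parse_unix_groups(unix_text)
    win_groups = parse_windows_groups(win_text)
    return {"stale": stale_members(unix_groups, win_groups, terminated),
            "drift": membership_drift(unix_groups, win_groups, group_map)}


if __name__ == "__main__":
    result = audit()
    for platform, group, user in result["stale"]:
        print(f"STALE  {platform:8} {group:15} {user}")
    for (ug, wg), d in result["drift"].items():
        print(f"DRIFT  {ug}<->{wg}: unix_only={d['unix_only']} "
              f"windows_only={d['windows_only']}")
```

On the sample data this reports dave still in the Unix finance group and in the Windows DevOps group, frank still in Windows Finance, and two drifting pairs; in a real deployment the two inputs would come from `getent group` (or the LDAP directory the post mentions) and an LDAP query against the domain, and the job would run on every HR feed update rather than by hand.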