On Tue, 07 Oct 2008, Sean Donelan wrote:
On Mon, 6 Oct 2008, Buhrmaster, Gary wrote:
The Federal Government (through its "Trusted Internet Connection" initiative) is trying to limit the number of entry points into the US Government networks. (As I recall from 4000 interconnects to around 50, where both numbers have a high percentage of politics in the error bar.)
Assuming you were on an advisory panel, what advice would you give the US Government how to protect and defend its networks and ability to maintain service?
Most government networks and services depend on private network operators at some level.
Here is my take on this, recycling something I answered in a similar context earlier today.

Too many companies and individuals rely far too heavily on a false and outdated concept of the definition of "minimum requirements" when it comes to security. They tend to think they need to implement the minimum requirements and all will be fine. This is evident in almost all security management material I read, where the goal is to offer a "minimum" set of requirements to meet guidelines and regulatory controls. What about exceeding the minimum requirements for a change? I associate "minimum requirements" with laziness, especially when it comes to security.

If companies structured their business a little better, it could be more beneficial for them to speak out and capitalize on security costs instead of worrying about the ROI on implementing security technologies and practices. This whole consensus about security not "making money" is flawed, and the more people stick with their confirmation and status quo biases, the more businesses will NOT dish out for security, causing headaches and financial misery along the way; it's self-induced.

Can't wholly blame managers; a lot has to be weighed on the organizations around the world whose wordings have been taken out of context, e.g.: "Under the proposal being considered, an independent audit would ensure that their networks are secure," he explained. "This audit process would work across business sectors, and would require companies to meet a minimum standard of security competency." (http://www.net-security.org/secworld.php?id=1731)

Many have taken the attitude to implement enough to meet MINIMUM standards, and this seems to be enough for them. Then some wonder why systems get compromised. Concepts are taken out of context. Just because an organization makes a recommendation on what should be a "minimum" shouldn't mean companies or governments should put in solely enough to meet compliance and guidelines.
Businesses and governments in this day and age should be going above and beyond to protect not only themselves, but their clients, infrastructure, investors, etc. Until then, we'll see the same, putting out *just* enough to flaunt a piece of paper: "Minimum requirements met" and nothing more. How is this security again? How is minimizing the connection points going to really stop someone from launching exploit A against a machine that hasn't been properly patched? Might stop someone from somewhere in China or so, but once an alternative entry point is found, that vulnerability is still ripe for the "hacking".

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP

"A good district attorney can indict a ham sandwich if he wants to ... The accusations harm as much as the convictions ... they're obviously harmful or it wouldn't be news.." - John Carter

wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB