On Tue, 28 Jan 2003 10:42:05 -0000 Alex Bligh wrote:
Sean,
--On 28 January 2003 03:10 -0500 Sean Donelan <sean@donelan.com> wrote:
Are there practical answers that actually work in the real world with real users and real business needs?
1. Employ clueful staff
2. Make their operating environment (procedures etc.) best able to exploit their clue
In the general case this is a people issue. Sure there are piles of whizzbang technical solutions that address individual problems (some of which your clueful staff might even think of themselves), but in the final analysis, having people with clue architect, develop and operate your systems is far more important than anything CapEx will buy you alone.
Note it is not difficult to envisage how this attack could have been far far worse with a few code changes...
Alex Bligh
How does one find a "clueful" person to hire? Can you recognize one by their hat or badge of office? Is there a guild to which they all belong? If one wants to get a "clue", how does one find a master to join as an apprentice?

I would argue that sooner or later network security must become an engineering discipline whose practitioners can design a security system that cost-effectively meets the unique needs of each client. Engineering requires that well-accepted ("best") practices be documented and adopted by all practitioners. Over time, there emerges a body of such best practices which provide a foundation upon which new technologies and practices are adopted as technical consensus emerges among the practitioners. Part of the training of an engineer involves learning the existing body of best practices. Engineering also is quantitative, which means that design incorporates measurements and calculations so that the solution is good enough to do the job required, but no more, albeit with commonly accepted margins of safety.

Society requires that some kinds of engineers be licensed because they are responsible for the safety of others, such as engineers who design buildings, bridges, roads, nuclear power plants, sanitation, etc. However, some are not (yet?) required to be licensed, like engineers who design cars, trucks, buses, ships, airplanes, factory process control systems and the computer networks that monitor and control them.

This is therefore a request for all of those who possess this "clue" to write down their wisdom and share it with the rest of us, so we can address what clearly is a need for discipline in the design of networks and network security, since computer networks are an infrastructure upon which people are becoming dependent, even to the point of their personal safety.

- Andy