North American Network Operators Group


RE: How to get better security people

  • From: Zimmerman, David
  • Date: Wed Apr 03 13:19:41 2002

In a former life as well as my current one, we had a primary Information
Security officer, and myself acting as corporate firewall engineer.  I found
that my own role was best performed as a network security "conductor" of the
"orchestra" of sysadmins who actually built and operated our Internet
systems.  You build a mailing list and forward interesting stuff from
CERT/CIAC/Bugtraq/etc; you try to keep everyone informed, and guide them
along the way with reasonably well-stated firewall guidelines ("I'll do
this, I won't do that" with some give-and-take, and a little heartache over
the purity of the architecture).  And you get involved with the business as
much as you can to spread the network security gospel.

At some level it becomes less of a pure technical security issue, and more a
social engineering challenge.  Ultimately, it's all about risk management,
and minimizing your risk by maximizing the knowledge flow and relationships
that you build within the company.  I recognized that generally I knew more
about network security and IP/TCP/UDP than the people running the systems,
and at some level you only get so much system security given the knowledge
of the folks involved.  So you back it up with as much of a secure network
environment as you can negotiate vs. the needs of the business, and make
sure that the top Security dog is on the same page as you are.

Ultimately you'll have an incident in spite of your best efforts -- no
matter how totalitarian you are in your security policies -- and the most
important thing is to educate everyone about the factors driving the
security architecture.  Maybe you make fundamental changes in response to
the incident, or maybe you just try to educate everyone a little better, but
hopefully in either case learn something along the way.

		dp

-----Original Message-----
From: Sean Donelan [mailto:[email protected]]
Sent: Tuesday, April 02, 2002 10:18 PM
To: Christopher E. Brown
Cc: NANOG
Subject: Re: How to get better security people



On Tue, 2 Apr 2002, Christopher E. Brown wrote:
> 	I think it comes down to being able to deal creatively with a
> lack of total control, and find ways to limit what you cannot
> eliminate.

Security specialists can't be everywhere, can't do everything, and
can't stop every bad thing.  The reality is the people who have
the biggest impact on security don't have security in their job
title. Instead of a neighborhood watch do we need a network watch?
While we need a few people with "deep" security knowledge, we also
need to spread a thin layer of security pixie dust throughout the
entire organization.

Is it really a lack of control?  While some security specialists
carry a big stick, on most projects security is just one of
many specialities required to work together. If you are a
security specialist, just getting invited to a project before
it's finished is a major accomplishment.