How do we do our job? (was Re: Network Security Certification)

Bennett Todd
Wed, 29 Apr 1998 08:44:25 -0700

1998-04-29-12:59:54 Darren:
> What it gets down to is that there is risk involved in "being on the
> 'net". Quite a considerable risk, if you were to ask me, given that
> we've heard recently about claims of people getting into classified
> computers.

Claims are cheap. That one hasn't ever been confirmed that I know of,
since the DOD dodges it by defining any computer attached directly or
indirectly to the internet as ``not classified''. This somehow is
supposed to absolve them from any obligation to properly secure their

> If your boss walked in tomorrow and asked you how you knew your
> firewall was protecting you, what would you use as evidence?

I'd point to our security policy. It sketches out the threats, the
liklihood of their materializing, and the severity of danger if they
are, and bases configuration rules and restrictions on these threats and
potential costs. The bulk of all ongoing security maintenance --- after
the trivial bits like responding to crises and tracking new developments
and auditing the implementation --- is constantly revising the security
policy to track evolving threats and business needs.

> If before you connected your site to the 'net you were required to
> have a detailed report of your firewall's strength, what would you do?

When I came to work for my current employer, they were already connected
to the net, with a very very draconian (and hence easy to implement)
policy; there were no publicly-visible servers aside from the SMTP
relay, and only a select handful of protocols were permitted outbound.
Since this predated applets this was super easy to implement securely,
and securely is how it was implemented.

Since then we've grown ghastly threasts like applets (stripped at the
firewall) and we've put a public site out. I was the security architect.
I worked with the designers, sketching out the security model and
controls, with justifications; when the final design was ready to sell
to senior management I was called in to address the security issues,
which I did with a brief sketch of the model and its motivation.

> Sure, there's a handful of people running around who can do this, but
> what assurance do you have that you're getting the right people?

The same assurance you have when getting any kind of people. If you have
the expertise in house to grill the candidate, then you do; if you don't
have that expertise then evaluate candidates based on how well you like
them and the extent and relevance of their claimed experience, then
check their references carefully. This is an old problem with an old and
well-trusted solution.

> Do you look for ISO qualifiactions for their reporting or CISSP exams
> passed [...]

I sure wouldn't, any more than I'd look for certificates when picking a
systems administrator, or a programmer, or anybody else. Certificates
demonstrate a desire to get certificates and a skill at getting
certificates; I've never had any use for that desire and ability.

> [...] or 10 years spent hacking on sendmail [...]

If I were hiring a sendmail hacker this would be a good qualification;
if I were hiring a security admin I'd be looking for knowlege of how to
shield or eliminate sendmails.

> [...] or 10 years spent breaking into .mil sites?

If I were hiring someone to break into .mil sites then this would be a
good criterion; if I were hiring a security admin I'd prefer someone who
spent 10 years keeping people out.