On Fri, 20 Feb 1998, Mark Teicher wrote:
> I tend to disagree with you on some of your points, since currently and
> looking at some of the traffic on some other firewall moderated list, it
> seems there are a lot more people with very little knowledge in the security
> auditing field and firewall field than there were before.
That's because the field is growing, and that will always be the case for
anything which is popular. That doesn't mean that those of us in the
line of fire should accept the solutions offered by those who would
profit from that over those which help to solve it. I've said it before,
and I'll say it again: Attacks are becoming increasingly complex, and
administrators are increasingly less qualified. Audits do not change
that problem to any significant degree.
> There is no standard or entrance to the security auditing field, anyone
> can join and any firm can join, use a few of the common tools available
> and boom you are a bona fide security auditor. More or less the transition
> of people from one field to another does require quite a bit of training. I
> feel that the CISSP and other conference offerings may help the industry.
I don't. I think the CISSP and conference offerings address the problem of
how audit firm X gets into the dollars spent in the security industry, not
the problem of security for information systems, which should be the focus.
If by "help the industry", you mean the auditing industry, then they
certainly will do that. If you mean the information industry which needs
the security, then I disagree.
Audits are *supposed* to _check_ security, not _provide_ it. Until you get
those in the field every day into a program or line of thought,
certification will continue to be self-serving rather than industry-serving.
> I am in the matter that a large nonprofit organization or some sort of
> regulatory commission needs to step in and help sort out the CHAOS, and try
> to lead the industry and organizations down the right path and not the
> wrong. In other words, give the CLUELESS a little bit MORE CLUE..
We've seen it not work for MSC<everything>, CN<anything>, and a host of other
programs which limit the realm to a single vendor. How can we expect to
see it work for complex multiprotocol, multivendor real-world scenarios?
I'm still solving problems in matters of minutes and hours that our
well-degreed, well-certified folks in the trenches have fought with for
weeks and months. That tells me that the processes are broken. I've yet
to see why another certification is going to fix that. The last one
could have been a security event, and if it were, I'm not sure that
having a certified auditor around would have made a great deal of difference.
Sometimes patching the problem isn't as good as fixing it, and certification
programs in the computer industry have a long history of being patches
rather than fixes.
Symptom: There aren't enough certified professionals doing this.
Patch: Certify more of them.
Seems rather Dilbertesque to me. Rather than paving the way for more of
the same, we should be asking if we're looking at the right tool for this
INFOSEC *has* to come from those charged with the daily operational
responsibility. It needs to be measurable at that level if you're to
measure it at all.
If you can't do that, and the guys in the trenches know more than the audit
team, the audit team is *absolutely worthless*. So, it would seem to me that
the problem is one of knowledge, more than one of measurement of knowledge.
I honestly don't think you can provide a complete network security audit
without having been in the trenches dealing with the issues for a few *years*.
Things move too quickly, old things hang around too long, and not doing it for
a while makes you obsolete in short order.
If I were an accountant, could I provide a scheme which would fool any
audit team out there? As a network and system administrator, I'm
confident that I could fool any audit team out there. Certifying the
auditors isn't going to change that anytime soon. Applying the financial
auditor mentality to computer security audits works only in some very
Remember that certifications build a trust boundary, and those of us who
have been doing this for a while are very wary of extending trust without
determining where the failure modes are, and how necessary that extension
is. Whilst saving the sheep from the wolves is always socially
compelling, there are those of us who would argue that dressing the
wolves up as sheep isn't the way to count less wolves.
Paul D. Robertson "My statements in this message are personal opinions
net which may have no basis whatsoever in fact."