July 25, 2004 at 6:42 pm
I'm at the Black Hat conference in Las Vegas. If anyone else is here, perhaps we could meet up. In any case, there's wireless access, so I'm going to try and post some news each day in the forum. The first two days I'm here (Mon and Tue) are training, so most likely I'll be posting on Wed and Thurs.
If you aren't familiar with Black Hat:
K. Brian Kelley
@kbriankelley
July 26, 2004 at 9:45 pm
First day of training was fairly interesting. I'm taking the Enterprise Security course. Basically it's looking at a model for putting into place a sound security mechanism within an organization. A few key points:
- Security personnel advise business personnel. Ultimately, business personnel must make the determination on risk because only they tend to have a full view of the business.
- Security must be comprehensive within the organization. Expecting a few security folks to do it all isn't going to help when someone shares a password with another co-worker or someone walks in the backdoor and gets immediate access.
- Understand your assets, the realistic threats, and develop the possible attack mechanisms. Get with the business side to determine the potential business impact. Security folks can tell the organization the technical impact, but again, business impact lies in the hands of the business personnel. By looking at all the information together, sound policies and procedures which make sense for the organization can be developed.
- Along those lines, do write policies and procedures that make sense for the organization. Pulling something off the shelf and saying that's the security policy or trying to retrofit one in order to meet an audit means the policies and procedures won't be followed because they don't "fit." What good is a policy if everyone is non-compliant?
- Security which prevents the business from functioning is useless. There is always a trade-off. Hence the reason risk must be assessed. If ultimate security is desired, unplug the system and bury it in concrete somewhere with guards, fences, dogs, etc. It'll be useless for the business but it'll be a whole lot more secure than on the wire.
If you've worked in security for any length of time, all of this should be familiar. However, these are listed as key concepts (they aren't all of them but ones which seemed to keep coming back up). Probably the hardest one is for security to understand we are ultimately best suited in an advisory role. But then again, so is all technology. Technology meets the needs of business in order to increase profitability. Information security is no different.
K. Brian Kelley
@kbriankelley