Re: Pentest Letter of Achievement/Certificate

From: Mark Teicher (mht3@earthlink.net)
Date: Wed Jul 13 2005 - 21:33:54 EDT


The dubious part of certification of a network is that it is a "snapshot" in
time: at that particular instant in time a network or
application can be certified, as in an annual car inspection, as
indicated in the latter part of the post. This goes for certain
organizations attempting to "tag" their offering as secure in a
staging area prior to arriving and being installed within an
enterprise network. Once IT/Security admins alter a security policy
or a security rule that could possibly compromise the "security
tagging" or "security certification", all bets are off. So if we were
to return to the car inspection example, a car could pass inspection and
receive its car inspection pass sticker, but the inspection pass
sticker could be compromised as soon as the car pulls away from the
inspecting garage, if a rock jumps up from the road and breaks the
headlight. Now the car inspection "pass" is compromised.

At 02:27 PM 7/13/2005, Michael Sierchio wrote:
>Tom Van de Wiele wrote:
>>I find the concept of giving someone a certificate for resisting a
>>penetration test very dangerous. Nothing can guarantee that after the
>>test (especially a blind penetration test) all vulnerabilities have
>>been found and identified.
>
>It's all a matter of what the certificate attests to and how it
>is interpreted.
>
>I see nothing wrong with a statement affirming compliance with
>consensus best practice, or acceptable resistance to the known,
>relevant vulnerabilities on a certain date, etc.
>
>This is by no means a guarantee of "safety" or "security," but
>it might be a useful tool in establishing a disciplined approach
>to risk.
>
>Dubious analogy: my mechanic signs an inspection certificate that
>says that the tire pressure, chain tension, steering, brakes, etc.
>are in good condition on my motorcycle -- he's not promising that
>I won't crash.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:33 EDT