How does one find a "clueful" person to hire? Can you recognize one by their
hat or badge of office? Is there a guild to which they all belong? If one
wants to get a "clue", how does one find a master to join as an apprentice?
I would argue that sooner or later network security must become an
engineering discipline whose practitioners can design a security system
that cost-effectively meets the unique needs of each client.
Engineering requires that well-accepted ("best") practices be documented
and adopted by all practitioners. Over time, there emerges a body of such
best practices which provide a foundation upon which new technologies and
practices are adopted as technical consensus emerges among the practitioners.
Part of the training of an engineer involves learning the existing body of
best practices. Engineering also is quantitative, which means that design
incorporates measurements and calculations so that the solution is good
enough to do the job required, but no more, albeit with commonly accepted
margins of safety.
Society requires that some kinds of engineers be licensed because they
are responsible for the safety of others, such as engineers who design
buildings, bridges, roads, nuclear power plants, sanitation, etc. However,
some are not (yet?) required to be licensed, like engineers who design cars,
trucks, buses, ships, airplanes, factory process control systems and the
computer networks that monitor and control them.
This is therefore a request for all of those who possess this "clue" to
write down their wisdom and share it with the rest of us, so we can
address what clearly is a need for discipline in the design of networks
and network security, since computer networks are an infrastructure upon
which people are becoming dependent, even to the point of their personal
safety.
- Andy
> How does one find a "clueful" person to hire? Can you recognize one by
> their hat or badge of office? Is there a guild to which they all belong?
> If one wants to get a "clue", how does one find a master to join as an
> apprentice?
In the long term one might presume market forces would provide better
answers than speculation & ...
> Society requires that some kinds of engineers be licensed
... economic theory suggests that licensing etc. is only a good idea when
the externalities of failure cases exceed the benefits of licensing by more
than the costs of its imposition (including barriers to entry etc.).
I do not think we have come to the point where this has been
demonstrated yet. Note licensing does not have a 100% success
record in protecting against failure (viz. Andersen).
> This is therefore a request for all of those who possess this "clue" to
> write down their wisdom and share it with the rest of us, so we can
This industry has been pretty good at that, despite recent economic
circumstances militating against it. No argument there.
Alex Bligh
I can't tell you what clue is, but I know when I don't see it. In some
cases our clients have had Code Red, Nimda, and Sapphire hit the same
friggin machines.
To borrow from the exploding car analogy, if you're the highway dept. and
you notice that only *some* people's cars seem to explode, maybe you build
the equivalent of an HOV lane with concrete dividers, and funnel them all
into it, so at least they don't blow up the more conscientious
drivers/mechanics in the next lane over.
Providers who were negatively affected might want to look at their lists,
compare with past incident lists and schedule a maintenance window to
aggregate the repeat offenders' ports where feasible, to isolate the impact of
the next worm.
We've tried to share clue with clients via security announcements,
encouraging everyone to get on their vendors' security lists, follow
BUGTRAQ, and provide relevant signup URLs.
Mike
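The "compare with past incident lists and aggregate the repeat offenders' ports" step in Mike's post, worked through as an added example (this is not code from the thread or from any of its posters). It assumes a constructed incident list in the form "date ip worm", one line per infected host per outbreak, and a constructed mapping from customer netblocks to the switch ports they land on; the addresses are RFC 5737 documentation space and the port names are hypothetical.

```python
"""Pick out hosts hit by more than one worm and the ports to move into a
quarantine segment during the next maintenance window.

Added example for the thread, not the posters' own code. Incident data and
port mapping are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed incident lists: one record per infected host per outbreak.
INCIDENT_LOGS = """\
# date        ip             worm
2001-07-19  192.0.2.10     CodeRed
2001-07-19  192.0.2.25     CodeRed
2001-09-18  192.0.2.10     Nimda
2001-09-18  192.0.2.40     Nimda
2003-01-25  192.0.2.10     Sapphire
2003-01-25  192.0.2.25     Sapphire
2003-01-25  198.51.100.7   Sapphire
"""

# Constructed (hypothetical) mapping: customer netblock -> access port.
CUSTOMER_PORTS = {
    ip_network("192.0.2.0/28"): "gi0/1",
    ip_network("192.0.2.16/28"): "gi0/2",
    ip_network("192.0.2.32/28"): "gi0/3",
    ip_network("198.51.100.0/24"): "gi0/4",
}


def parse_incidents(text):
    """Return {ip_address: set of worm names} from the incident records.

    Blank lines and '#' comments are skipped; a malformed line raises
    ValueError rather than being silently dropped.
    """
    hits = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        _date, ip, worm = line.split()
        hits[ip_address(ip)].add(worm)
    return hits


def repeat_offenders(hits, min_worms=2):
    """Hosts infected by at least min_worms distinct worms, worst first.

    Counting distinct worms rather than raw records avoids flagging a host
    that merely shows up several times during one outbreak.
    """
    return sorted(
        (ip for ip, worms in hits.items() if len(worms) >= min_worms),
        key=lambda ip: (-len(hits[ip]), ip),
    )


def ports_to_isolate(offenders, customer_ports=CUSTOMER_PORTS):
    """Access ports that carry at least one repeat offender, in stable order.

    These are the ports a provider would aggregate into the isolated
    segment; everyone else on the same port moves with them, which is the
    trade-off the "HOV lane" analogy accepts.
    """
    ports = []
    for ip in offenders:
        for net, port in customer_ports.items():
            if ip in net and port not in ports:
                ports.append(port)
    return ports


if __name__ == "__main__":
    hits = parse_incidents(INCIDENT_LOGS)
    offenders = repeat_offenders(hits)
    for ip in offenders:
        print(f"{ip}: {', '.join(sorted(hits[ip]))}")
    print("ports to isolate:", ports_to_isolate(offenders))
```

Raising `min_worms` tightens the definition of a repeat offender; with the constructed data only 192.0.2.10 survives a threshold of three.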