Who is more knowledgeable when it comes to computer security?

[mohaughn]

It's been my experience that only when forced into high level assurance through compliance auditing, usually by the government, will companies care enough to spend the money on formal security methodologies. The same can be said for any one of the CMM models. If the company isn't required to insure that their processes are that defined and repeatable they simply won't do it. It is to hard to sell a formal security model based on the idea that it is better, even if the cost/risk analysis shows that it is the best option to follow. But like Catch said, sometimes even the threat of going to jail can't make the managers care. Most companies in the US are being destroyed by the stock market and wall street investors, because the stock price is the only concern. They could care less about the security of their private customer information, or the quality of the product they are providing, but that is an entirely different conversation.

I think a lot of this has to do with the knowledge of the managers, both senior and middle, and the knowledge of the IT staff. The IT staffs are mostly misinformed about what is good security, many times always beating the "use Unix" horse, and not understanding the merits of good policy regardless of the OS. These managers are supposed to be visionary and set the tone and direction of the company for years to follow, but because of the short-sightedness on the stock price, they can't get past this quarters dividends.

I believe this will change as more PhD's become the CSO's of the major corporations. I know that I've seen major changes at my company, and we are still no where near what the formal security models call for. But it is a major step in the right direction. I've seen way to many CSO's and CTO's that are just buddy buddy with the CEO or someone on the board of directors. Most of them have MBA's, but no formal IT security training, certainly not at the masters or PhD level. They just happened to go to school with the president or are some other way in the "good ol'boys club" and can talk the executive talk...

[FlockofSeagulls]

One day good TOSs will be widely available for cheap, and the need for talented admins will be thrown out the window. I feel good times are gonna roll for you guys in the higher up positions in the future.

[Maestr0]

"One day good TOSs will be widely available for cheap"

Yes. Its called Red Hat Enterprise Linux 5

"the need for talented admins will be thrown out the window"

Sure. These complex systems will admin themselves, and Google will rename itself Skynet and send a killer robot back in time to assasinate the leader of the human resistance.


-Maestr0

[catch]

Yes. Its called Red Hat Enterprise Linux 5

Hahahahahahahahahahaha

Sure. These complex systems will admin themselves

Actually, high assurance systems are simpler in design than low assurance ones... they just cost more to develop and comments like this push an unjustified stigma.

cheers,

catch

[FlockofSeagulls]

I about spewed my drink on my monitor when I read that.

This is blasphemy, these little dinky systems trying to stand up to the yardsticks of the industry, trying to step up to the same plateaus as the greats. That camp is trying to squeak one in under the radar, find every loophole they can with patches. You think your little precious lunix is gonna come out of the hall of trials a star? Step up to the dock master oh wise one. Please tell me now; what is the targeted class or level of trust? A1... steak sauce...the only place they'll see that is at the college waffle house. You think just naming the OS enterprise edition demonstrates corporate-level support? One technical point of contact, one public point of contact......this is gonna be like Regis who wants to be a millionaire.... "I'll take a lifeline on the first question ~ lunix". How are they gonna give a number on the amount of personal enhancing and/or maintaining the proposed product? I bet that's one dirty, crumbled college petition. Is this product in use......yes it's the super-dooper special kernel, currently in use in room 420, in the dorms at Mississippi state. Yeah, I see another super special kernel arise in the next five years? God I'd love to get a fifth copy of that proposal package to thumb through, is it open source too? Hope ya come with good documentation; you only get one phone call out. Hope you were thinking of (PA) psychological acceptability... Take a note from princeton " one of the most important aspect of the security system". Oh, and remain timely while you're at it. I can see now this will definitely be an evaluation for security enhancements for an existing product. "Hahhahahahahahahh" is what you're gonna bell when you read its "written product proposal". And that **** better address all of the requirements of a given class of the Clockwork Orange Book too. Let's play hardball.

[gore]

Could you make that post ANY harder to read? Good God you babbled on like the art teacher on LSD. And for God's sakes have you ever heard of making spaces in between paragraphs?

So these uber alles systems you're talking about that are 200 times better than anything Linux, could you name a few? Catch, do NOT help him, I know you know of TOS but that dude sounded a lot like a newbie trying to kiss your ass.

[FlockofSeagulls]

A CDROM of this website is also available.

http://www.radium.ncsc.mil/tpep/library/hard-dist.html

[gore]

*Sigh*

www.google.com

TOS

I'm feelin' lucky.... Maybe not in that order but it's not good enough.

[FlockofSeagulls]

A CDROM of this website is also available.

http://www.radium.ncsc.mil/tpep/library/hard-dist.html

[Maestr0]

"Actually,high assurance systems are simpler in design than low assurance ones... they just cost more to develop and comments like this push an unjustified stigma."

Oh? Which high-assurance systems are still commercially available and currently evaluated that I'm stigmatizing? Name one OS that is CC evaluated above SLES 9 (thats Suse Linux Enterprise 9) besides IBM's PR/SM.

-Maestr0




EDIT:
"what is the targeted class or level of trust? A1" TSEC is superseded by CC dipshit. Talk to me when you leave your gainful employ at Wafflehouse. In the mean time get me a coffe with cream