Barbara Fraser from CERT was in San Diego today and gave a presentation on CERT and trends in security. since her laptop fried, it was more a discussion than a presentation. three big messages I got:

  1. downstream liability - you and your clients are liable for attacks launched off of your machines and networks. you can be sued if your security weakness allowed someone to launch an attack via your server or network upon a third party. there is an effort to pass 'good samaritan' legislation for security -- similar to the legislation for Y2K that says you should make every effort to prepare for and prevent Y2K problems, document it, share what you learn, and are then supposedly not suable for Y2K problems. but at the moment, YOU are liable.
  2. security service - we have talked on and off about offering a security audit service. the Internet Engineering Task Force is writing a document with suggested standards for this kind of service, and questions that customers of security audit services should ask. the draft document or RFC is available somewhere under the abyss of
  3. RFPs - the speaker pointed out that a lot of security crisis postmortems show that there was no specification of any sort for security when the network/computers were set up. she suggests that all RFPs you author include specific security provisions to ensure security and prevent finger-pointing in the event that your security is compromised. CERT/IETF is writing up advice on this -- I believe it is also an IETF working draft or RFC and is available online.

