How to get better security people

batz batsy at vapour.net
Wed Apr 3 16:02:49 UTC 2002


On Wed, 3 Apr 2002, Sean Donelan wrote:

:Instead of a neighborhood watch do we need a network watch?
:While we need a few people with "deep" security knowledge, we also
:need to spread a thin layer of security pixie dust throughout the
:entire organization.

The NIPC, CERT, OCIPEP (Canada) and other organizations try to 
fill this role. The Incidents mailing list also
tries to do this on a more ad hoc basis, along with the honeynet
projects, and to a great extent Nanog. If one's definition of security 
includes integrity and reliability, then Nanog has been performing
that role since its creation. 

The problem that exists with the neighbourhood watch model is that
it assumes some sort of community and, despite a few exceptions, 
there is no community of internet providers. 

There are communities of network engineers and other specialists, but 
the possibility of corporations getting together with a common goal, 
which may temporarily supersede their individual competitive advantage, 
is just not going to happen. They can have industry associations, lobby 
groups, interest groups, and other representative bodies, but community
is not one of these, and thus any network watch program which depends 
on community will be hampered. 

So, the challenge is to find a model of information sharing in which the 
balance between effectiveness and the protection of competitive information 
is slanted heavily to the latter. This on top of providing value
to the participants. 

There are some private security alert services like this. I can personally 
highly recommend the securityfocus ARIS tool and their commercial Threat 
Management System. NAI's virus alert system is excellent, as is 
a similar service from sophos.com. 

The non-classified government briefings I have seen don't really provide 
value from an up to the minute threat analysis perspective. They might
help an executive hold an intelligent conversation on current affairs, 
but they do little for people who are responsible for protecting the
infrastructure.   

Personally, I would like to see a mixture of the MAPS RBL and 
aris.securityfocus.com available, where emerging hostile netblocks
can be blackholed for short periods of time using attack information
gathered from and corroborated by a vast array of diverse sources.  


--
batz
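
Added example, not part of the original post and not code from MAPS or SecurityFocus: a sketch of the short-lived, corroborated blackhole list the last paragraph wishes for, where a netblock is listed only when several distinct sources report it within a recent window and the listing expires by itself. The thresholds, source names, report format and function names are assumptions; the sample feed is constructed from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# All thresholds are assumptions chosen for illustration.
MIN_SOURCES = 3      # distinct reporters needed before a netblock is listed
REPORT_WINDOW = 900  # seconds; older reports do not count as corroboration
BLOCK_TTL = 3600     # seconds a listing lives after the last fresh report

def corroborated_blocks(reports, now):
    """reports: (timestamp, source_id, attacker_ip) tuples -> {network: expiry}."""
    seen = defaultdict(dict)  # network -> {source_id: newest fresh timestamp}
    for ts, source, ip in reports:
        if ts > now or now - ts > REPORT_WINDOW:
            continue  # ignore future-dated and stale reports
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 48
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        seen[net][source] = max(ts, seen[net].get(source, ts))
    # Repeated reports from one source collapse to one vote per netblock.
    return {net: max(votes.values()) + BLOCK_TTL
            for net, votes in seen.items() if len(votes) >= MIN_SOURCES}

def active_blocks(blocks, now):
    """Netblocks whose short-lived listing has not yet expired."""
    return sorted(str(net) for net, expiry in blocks.items() if expiry > now)

# Constructed sample feed using documentation address ranges.
NOW = 10_000
SAMPLE_REPORTS = [
    (9_400, "isp-a", "192.0.2.10"),
    (9_600, "honeynet-b", "192.0.2.77"),
    (9_900, "ids-c", "192.0.2.10"),
    (9_500, "isp-a", "198.51.100.5"),
    (9_700, "isp-a", "198.51.100.5"),
    (9_950, "isp-a", "198.51.100.6"),
    (8_000, "isp-a", "203.0.113.9"),
    (9_800, "honeynet-b", "203.0.113.9"),
    (9_850, "ids-c", "203.0.113.20"),
]

if __name__ == "__main__":
    blocks = corroborated_blocks(SAMPLE_REPORTS, NOW)
    for net in active_blocks(blocks, NOW):
        print(net, "blackholed until", blocks[ipaddress.ip_network(net)])
```

Only the netblock reported by three distinct fresh sources is listed; the one reported repeatedly by a single source and the one whose third report is stale are not.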



