What could have been done differently?
Andy Putnins
putnins at lett.com
Tue Jan 28 16:42:32 UTC 2003
On Tue, 28 Jan 2003 10:42:05 -0000 Alex Bligh wrote:
>
> Sean,
>
> --On 28 January 2003 03:10 -0500 Sean Donelan <sean at donelan.com> wrote:
>
> > Are there practical answers that actually work in the real world with
> > real users and real business needs?
>
> 1. Employ clueful staff
> 2. Make their operating environment (procedures etc.) best able
> to exploit their clue
>
> In the general case this is a people issue. Sure there are piles of
> whizzbang technical solutions that address individual problems (some of
> which your clueful staff might even think of themselves), but in the final
> analysis, having people with clue architect, develop and operate your
> systems is far more important than anything CapEx will buy you alone.
>
> Note it is not difficult to envisage how this attack could have been
> far far worse with a few code changes...
>
> Alex Bligh
How does one find a "clueful" person to hire? Can you recognize one by their
hat or badge of office? Is there a guild to which they all belong? If one
wants to get a "clue", how does one find a master to join as an apprentice?
I would argue that sooner or later network security must become an
engineering discipline whose practitioners can design a security system
that cost-effectively meets the unique needs of each client.
Engineering requires that well-accepted ("best") practices be documented
and adopted by all practicioners. Over time, there emerges a body of such
best practices which provide a foundation upon which new technologies and
practices are adopted as technical concensus emerges among the practicioners.
Part of the training of an engineer involves learning the existing body of
best practices. Engineering also is quantitative, which means that design
incorporates measurements and calculations so that the solution is good
enough to to the job required, but no more, albeit with commonly accepted
margins of safety.
Society requires that some kinds of engineers be licensed because they
are responsible for the safety of others, such as engineers who design
buildings, bridges, roads, nuclear power plants, sanitation, etc. However,
some are not (yet?) required to be licensed, like engineers who design cars,
trucks, buses, ships, airplanes, factory process control systems and the
computer networks that monitor and control them.
This is therefore a request for all of those who possess this "clue" to
write down their wisdom and share it with the rest of us, so we can
address what clearly is a need for discipline in the design of networks
and network security, since computer networks are an infrastructure upon
which people are becoming dependent, even to the point of their personal
safety.
- Andy
More information about the NANOG
mailing list