RE: [IDS] IDS Common Criteria
From: Randy Taylor <gnu(at)charm.net>
Date: Mon Jan 13 2003 - 10:27:11 EST
>Common Criteria is for those who believe that "security is a process".
>
>Security is not a process. There is no silver bullet that will protect
>you. The Common Criteria process is not a silver bullet.

Security is very much a process. It has a scope that encompasses many concepts that are not addressed from the understandably narrowed focus found in vendor space. Here's just a few of the many issues I'm dealing with these days:
Without a process view of a system like this, none of it works together the way it was intended in the initial design.

Bruce Schneier speaks to the "security is a process" position better than I, but I did want to take a moment to point out some areas that many folks overlook when they talk about security. The broad-scope view makes it all look easy. It's the details that get you killed, figuratively speaking.

I agree there is no single "security silver bullet". If there was one it certainly would not be Common Criteria. It wouldn't be just "IDS", "Firewall", or "Anti-Virus", either. Without a process-oriented approach to security, the "gun" is in the hands of the enemy rather than in ours.

Best regards,

Randy

"If you are going to sin, sin against God, not the bureaucracy. God will forgive you but the bureaucracy won't."
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:05 EDT