Neil's News

OU-M886 (Security)

5 March 2005

Anyone who has crossed swords with me on a computer knows that I have a thing about security. Having worn both white and black hats (as well as a few grey ones) I've seen the issues from both sides. So it was with considerable excitement that I took the course on Information Security Management. What was special about this course is that it made a point of avoiding discussions about specific threats. Specific threats (like the latest ActiveX buffer overflow) come and go. General principles (like the proverbial Trojan Horse) last for millennia.

There are all sorts of juicy high-level issues:

  • Security through obscurity, what is its value and under what circumstances does one use it?
  • Social engineering, what defences work against this? [I'm still searching...]
  • Penetration testing, how accurately does it model real world attacks?
  • Honeypots, how does one use bait to distract or catch attackers?
  • Disclosure, when you find a hole, how do you inform only the white hats?
  • Detection, how do you know if you've been cracked?
  • Cleanup, after a penetration how does one get back to a trusted system?

This course didn't mention any of the above points. Not even in passing. All they were interested in was walking through an implementation of "BS 7799". This document is a closed security standard. My digital copy of it is watermarked with my name and protected with a DRM system. Because of the EULA, if I were to explain what's in it I'd be liable for expulsion and/or prosecution. The most I can say is that it follows this pattern:

  1. Document your systems.
  2. ???
  3. Secure!

The course even admits that step 2 is not addressed since it would vary for each organisation. In all fairness to "BS 7799", I don't see that one could write a useful security standard that would apply to all organisations. Other than "Look really hard at your systems then do something about whatever you find". What is exceptionally neat about this document is the ingenious matrix of responsibility handoffs which are established within an organisation as it implements the scheme. The result is that when one is successfully hacked, nobody in the organisation is to blame. While this is not an advertised feature, I believe this is the reason "BS 7799" is popular within government departments and larger businesses.

Once again I'm faced with the choice of preparing challenging, truthful, yet unorthodox assignments versus swallowing my ethics and dry-labbing something big and worthless. One gets high marks, one gets failing marks. Which gets which quickly becomes obvious, but each term I hope in vain for a different result.

Update: I can't take this any more. I've handed in a completely honest final assignment which rips the BS 7799 process to shreds. In an attempt to cover myself, the footnotes and appendices far outweigh the body. Probably the stupidest thing I've done -- since the last time I was completely honest. Let's see what happens...


If you've emailed me in the past month, and I haven't replied, I do apologise. The combination of full-time work and near course-overload status has me at a disadvantage. As a result I missed FOSDEM, again. Things will get somewhat easier in May.

-------------------------------------
Legal yada yada: My views do not necessarily represent those of my employer or my goldfish.