List:       security-basics
Subject:    Re: Re: Risk Analysis and Common Criteria
From:       "yannick san" <yannicksan () free ! fr>
Date:       2003-04-24 14:00:45

Sorry, I didn't really finish what I should have said, and thank you Mr
Anders for responding.
You're right, mailing security interviews in plain text could be considered
a security failure in the process of doing it. In the best security
practices, the mails should be encrypted, but this requires thinking about
what kind of cryptography we should use, because we will have to exchange
(at least) keys. Public keys or a secret one used by every engineer
concerned... it depends whether we use symmetric or asymmetric cryptography...
I was not talking about sending mails over the net, but for sure that could
have been interpreted like that. Here we should really think about how to
exchange the interviews and results. When I answered Ness, I was
thinking about doing those exchanges in the "trusted" zone... Anyway, you're
right, cryptography should be applied in both cases... but considering the
problem of using cryptography, I think that should be asked during a
company briefing. Just because we're not only installing something to
avoid information being sent in plain text, but real mechanisms are going
to be installed. The mechanisms chosen will be referred to in the security policy
of the company. As far as I'm concerned, I think this problem is a full subject of
study.
About BS or CC... yes, one will not replace the other.

Yannick
Information Security Engineer


----- Original Message -----
From: "Anders Reed Mohn" <anders_rm@utepils.com>
To: "yannick san" <yannicksan@free.fr>; "security_ness"
<security_ness@tiscali.it>
Cc: "Security Basics List (SecurityFocus)"
<security-basics@securityfocus.com>
Sent: Thursday, April 24, 2003 12:13 PM
Subject: Re: Re: Risk Analysis and Common Criteria


>
> > you have to interview everybody in charge of what you will study
> > later... [..] You can do that by mails.
>
> E-mails?  Careful ..  you don't want them confessing their security holes
> in plaintext all over the Net.
>
> > BS7799 seems to be the future standard used.
>
> BS7799 applies more generally to information security, doesn't it?
> (Haven't studied it, just heard about it) The CC are computer specific.
> So one should not replace the other.
>
> Cheers,
> Anders :)
>
>
