[Ach] 30C3 talk "The Internet (Doesn't) need another security guide"

Andreas Mirbach a.mirbach at me.com
Tue Jan 14 11:06:50 CET 2014


1. Eva mentioned that bettercrypto.org could use a section on how to convince your boss that the company needs hardened Crypto settings and that the sysadmins should invest time into that. Do you agree with that point of view?
Should we add such a section?

From my experience as a system administrator I can say "Yes, we need such a document".
But mostly it's not about convincing your boss that the company needs hardened crypto settings, it's about enabling cryptography at all.
If the boss commits to security, it's the administrator's job to provide a proper security installation.
The boss does not need or want any detailed information. He already expects that the company's encryption is secure.
So maybe it's not the right place for such a section.

2. Threat modelling: Eva mentioned that most guides first focus on a threat model. We don't really do that so much in ours. 
Are we missing something here?

I don't think that we need a threat model because it shrinks the focus onto this model. Everything else is left out.
I think we should provide an overall preventive security configuration and not how to defend against specific threats. (Maybe there can be a smaller document with different threats that can be referenced.)

3. Understanding your target audience: it seems we have been doing something right, because we first focused on our clearly defined target audience. However, I think we need to improve even more in this field: we should hand this guide to multiple sysadmins and let them test the guide and collect as much feedback as possible. 
I totally agree...

Kind regards

Andreas Mirbach
Zum Römersprudel 101
54294 Trier
+49 160 94980084

On 14 Jan 2014, at 01:07 AM, "L. Aaron Kaplan" <kaplan at cert.at> wrote:

Hi list,

I finally came around to watching evacide's talk "The Internet (Doesn't) need another security guide" [1]
where she mentions our small project in minute ~ 18 or 19 [2] (Yay! Thanks). Spoiler alert: Eva actually says that we need more (targeted, good, correct and well defined) guides for sure.

It's a good talk and I encourage you to watch it as well.

There are a couple of things that stuck:

1. Eva mentioned that bettercrypto.org could use a section on how to convince your boss that the company needs hardened Crypto settings and that the sysadmins should invest time into that. Do you agree with that point of view?
Should we add such a section?

2. Threat modelling: Eva mentioned that most guides first focus on a threat model. We don't really do that so much in ours. 
Are we missing something here?

3. Understanding your target audience: it seems we have been doing something right, because we first focused on our clearly defined target audience. However, I think we need to improve even more in this field: we should hand this guide to multiple sysadmins and let them test the guide and collect as much feedback as possible. 


So much for my thoughts after watching this talk.
Hope my thoughts helped or at least inspired you :)

a.


[1] https://www.youtube.com/watch?v=VHgs3YcxzXw
[2] https://www.youtube.com/watch?v=VHgs3YcxzXw&t=18m0s


--- 
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Commercial register number 172568b, LG Salzburg



