At 12:10 PM 8/22/00 -0500, [EMAIL PROTECTED] wrote:

>#It does matter how the information is stored, there is a lot of liability
>#regarding what information can be deemed confidential, restricted
>#etc.  Particularly if a government agency is turning the information over to
>#an online security service.
>
>#This thread is not to promote Network ICE products or its service, but
>#this thread is a general inquiry on the value of online security service
>#type companies that was mentioned in Wired a month or two ago.
>
>
>1.  I agree.  It DOES matter how the information is stored.  I was trying
>to state that it does not matter how securely you store confidential
>information if you give untrustworthy people access to that information.  I
>just didn't state myself as clearly as I would have liked.

No comment, since this could start a flame war on good versus bad infosec 
folk.. :)



>2.  I do not see any value in these companies.  I think that the companies
>you are talking about are just trying to create a buzz and become the next
>thing that all the managers, CEOs, and CIOs want done because it shows they
>care about security.

CIOs and CEOs read about security portals and how they can allow them to 
understand the needs and somehow briefly provide them a visualization of how 
corporate security professionals use the Internet to expand their knowledge 
and an organization's business. The buzz word is "best-of-breed information 
security products".  So they are trying to say the information that is 
currently available is not enough.  How is the information any different, 
do they have more inner knowledge than the rest of us?? One such firm 
advertises that by ensuring the availability, integrity and privacy of 
mission-critical business information through managing risk, they can ease 
the information security burden of an IT security group or an organization 
in order to concentrate on the core business.  Hmm, this point is quite 
interesting.. I don't know how one would actually accomplish this, but time 
will tell.

How does an organization like this become a trusted advisor of an 
organization by identifying known technical vulnerabilities and delivering 
with some process??  Is there some new technology in retrieving 
information from various web sites, vendors, etc, and collecting them into 
a database that has changed in the last 4 months???


>3.  I do see value in companies that manage all of the security.  They
>administer the firewalls, network intrusion, write up recommendations for
>patch levels on production servers and all of that.  That would allow a
>company to not go through the difficulty of having a security group.  Since
>it is expensive to have a security group this could save costs and possibly
>provide a better caliber of person than could be hired independently.


The value is that an organization still has to have people with caliber in 
order to cross-check the information an online security service is 
providing them.  It is very possible that one receives a report identifying 
certain systems as vulnerable when a simple check could simply point out 
that the system does not exist..



>Regards,
>Jeffery Gieser

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
