Conclusion in Red Team Overview

From: Alan Dechert <dechert_at_gmail_dot_com>
Date: Fri Jul 27 2007 - 19:39:59 CDT

In the conclusion of the "Overview of Red Team Reports"
( ) Matt
Bishop wrote,

     ...judging the vulnerability of a system requires
     understanding both the nature and the implementation
     of the policies and procedures under which it is
     used. A system that has 10 vulnerabilities that can
     be remediated by proper, realistic procedures can
     meet a set of requirements better than a system with
     only one vulnerability that cannot be remediated by
     realistic procedures. As the red teams ignored
     compensating controls and mitigations, the raw counts
     of successful, unsuccessful, and untried attacks do
     not indicate which would still be successful in the
     face of compensating controls -- and how realistic
     those compensating controls would be.
In the comment I submitted
( ) to
the SoS on March 29, I said,

> We are concerned that your proposed review focuses
> too narrowly on the equipment. Administrative factors
> have a lot to do with whether or not current systems
> can be used in a satisfactory manner. ...

Sorry, I was trying to save space.

Alan D.

Received on Tue Jul 31 23:17:06 2007

This archive was generated by hypermail 2.1.8 : Tue Jul 31 2007 - 23:17:08 CDT