“Houston, we have a problem!” And then, and I am talking from an operations portion
of a CERT team, we do not necessarily have to deal with media. Perhaps, but more
importantly from a CIS perspective, I want to be able to figure out what kind of force of
actions I need to take. What can I do to actually trace the source and how do I deal with
other nations and services to do that, because a NATO standpoint would be that our
networks are at risk. So what is the course of action? What are our options? And
finally, what do we do to minimise the risk in the future? But I think we cannot just take
a civilian CERT model. We have got to militarise it to use it in the NATO network and I
am speaking about the NATO secret plan and possibly higher level networks.
Buyukoner : Of course NATO does have a security policy for its own networks or
systems and even today with nineteen different nations; but my opinion is that NATO has
to establish a security policy for the systems it uses, otherwise who is going to establish
that policy?
Kolobov : A systems administrator is not smart enough and will make a mistake in a
production system and a huge hole in our protection will appear. I think that one of the
most important stages in the preparation of a protection system should be the education
of staff, to be sure that people are capable of making the configuration that certifies
software and hardware needs. Perhaps you have issued regulations or instructions to be
sure that you are careful about the quality of your staff and its understanding of the rules.
Uneri : I would say that using certified tools is a required thing, but it is not enough.
The personnel using these tools should also be certified and audited. Certified, cleared
personnel can of course do something wrong by mistake or by intentional purpose. What
they do should be monitored and looked at periodically; that is what we do in my
country.
Gabovych : It is more interesting to think of who will measure the level of operational
staff; its level of knowledge and accuracy. Technology and software can be provided,
but who will certify the engineers? They have already been proven, have already been
checked by the company security, but who will choose the level of their workability
within your system?
Uneri : From the perspective of my country, when we look at a person, we look at his
experience and also for a certificate. Some certificates are not required now in Turkey,
but we are planning to use the American certificate.
Karabacak : Technical training is an important complement, and technical training
may be the result of this management process and could be part of a security policy.
Valente : I think that one of the most important modules of the whole system, and you
refer to it in your conclusion, are the operating systems. And once again we get back to
another question about hierarchical monolithical structures or responding to threats with
distributed decentralised systems. I really do not believe in certification systems. You
said that having a certification is at least having something. I do not agree. If you give
me a certified closed system, for me that certification is not worth one bit. I believe in
open systems, systems that we can use to look at the source code and know what is going