Re: An Improved Framework for Incident Handling

From: Loganaden Velvindron <loganaden_at_gmail.com>
Date: Tue, 31 Mar 2015 10:45:44 +0400

On Mon, Mar 30, 2015 at 8:38 AM, S Moonesamy <sm+mu_at_elandsys.com> wrote:
> Hello,
>
> I wrote about the "Improved Framework for Incident Handling" paper (
> http://www.elandsys.com/~sm/cert-mu-improved-framework-incident-review.html
> ).
>

Hi SM.

I read your review.

First, it seems to me that the proposed framework is largely about
network monitoring. The trouble with the policy is that it doesn't
answer questions like:

"If there is a critical vulnerability with, say, OpenSSL that would
allow a remote attacker to execute code and capture the private key
(Heartbleed), how will the government, private companies, and other
institutions such as the airport coordinate themselves to fix the
infrastructure?"

SMEs need to be involved as well. If a company outsources part of its
operation to a small company, we can end up with a scenario
where the big company's infrastructure is patched but the small
company's isn't. When sensitive data has been passed to the SME, it also
impacts the security of the big company.

I think that there isn't enough consideration as to what the
consequences are of simply putting in a box and telling everybody: "Hey,
we fixed the child pornography issue."

That is what was done in Mauritius:
https://www.icta.mu/it/csa_faq.html

However, has there been an analysis as to how it impacts security?

If the box strips the SSL layer to analyse the contents, then it might
lead to SSL downgrade attacks. So no matter how much I beef up the SSL
security on my server in Europe or the US, the content-filtering box
will (silently) downgrade to a lower cipher and make the "secure" SSL
connection less secure. This is surprisingly common.

So by trying to solve a problem, they introduce another problem. I
think that there need to be more "checks and balances". Before
introducing solutions like this, they should seek input from the local
ICT and Internet community.

> Regards,
> S. Moonesamy
-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
Received on Tue Mar 31 2015 - 06:45:59 PST
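[Editor's note, not part of the thread above.] The SSL-stripping concern raised in the message can be checked from the client side: a filtering box that terminates TLS and re-encrypts has to present its own certificate and negotiates its own protocol version and cipher, so a client that pins the server's leaf-certificate fingerprint and inspects the negotiated parameters can tell the difference between a direct session and an intercepted or downgraded one. The following example is added here and is not code from the thread or from CERT-MU. The two handshake records, the pinned fingerprint, the host name and the "Filtering Appliance Root CA" issuer are constructed for illustration; probe_live() shows how a real record would be gathered with Python's standard ssl module and is not called when the block runs.

```python
# Added example (not from the original thread): flag TLS sessions that look
# intercepted or downgraded by a middlebox. A session is compared against a
# pinned leaf-certificate fingerprint, a minimum protocol version, a list of
# weak cipher markers, and a forward-secrecy check.
import hashlib
import socket
import ssl
from dataclasses import dataclass

# Substrings that mark ciphers a practitioner would not accept in 2015.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5")
# Ordering used to decide whether a negotiated version is a downgrade.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


@dataclass
class Handshake:
    host: str
    protocol: str      # as reported by SSLSocket.version(), e.g. "TLSv1.2"
    cipher: str        # as reported by SSLSocket.cipher()[0]
    cert_sha256: str   # hex SHA-256 of the DER leaf certificate the client saw
    issuer_cn: str     # issuer commonName of that leaf certificate


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def audit(hs: Handshake, pins: dict, min_version: str = "TLSv1.2") -> list:
    """Return a list of findings for one handshake; empty means nothing suspicious."""
    findings = []
    expected = pins.get(hs.host)
    if expected is None:
        findings.append("no pin on record for host")
    elif hs.cert_sha256.lower() != expected.lower():
        # A box that re-encrypts must present its own leaf; the pin catches it.
        findings.append("leaf certificate does not match pin "
                        f"(issuer seen: {hs.issuer_cn})")
    if VERSION_RANK.get(hs.protocol, 0) < VERSION_RANK[min_version]:
        findings.append(f"protocol downgraded to {hs.protocol}")
    upper = hs.cipher.upper()
    if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher negotiated: {hs.cipher}")
    # TLS 1.3 suites are always (EC)DHE; older suites need it in the name.
    if hs.protocol != "TLSv1.3" and "DHE" not in upper:
        findings.append("no forward secrecy")
    return findings


def probe_live(host: str, port: int = 443, timeout: float = 5.0) -> Handshake:
    """Collect a real Handshake over the network (not called in this example)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            cert = tls.getpeercert()
            issuer = dict(pair[0] for pair in cert["issuer"]).get("commonName", "?")
            return Handshake(host, tls.version(), tls.cipher()[0],
                             cert_fingerprint(der), issuer)


# Constructed sample data (hypothetical host, pin and issuer names).
PINS = {"example.org": "ab" * 32}
DIRECT = Handshake("example.org", "TLSv1.3", "TLS_AES_256_GCM_SHA384",
                   "ab" * 32, "Example CA")
INTERCEPTED = Handshake("example.org", "TLSv1", "AES128-SHA",
                        "cd" * 32, "Filtering Appliance Root CA")

if __name__ == "__main__":
    for hs in (DIRECT, INTERCEPTED):
        print(hs.host, hs.protocol, hs.cipher, audit(hs, PINS) or "clean")
```

The pin is the control that survives a middlebox, because the box cannot forge the pinned leaf even when its root is trusted by the client's OS store; the version and cipher checks then show whether the box also weakened the connection, which is the downgrade the message describes.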
