Thursday, October 25, 2007

Community SANS Boston 2007 day 4

I'm blogging live from Community SANS Boston 2007.

Today we finished up the Crypto domain, and completed Operations Security. Loads of great comments from class. We discussed fairness (and legality) regarding internet history searches. Many of us had been in the position where a manager will say "John Doe is wasting time on the internet: show me a history of his internet usage."

I believe that you don't use technology to solve a personnel problem. If an employee is 'wasting time' on the internet, they could be wasting time in other ways, such as on the phone, long breaks, playing games, etc. It's not a technology problem; it's a management problem.

If you were to discipline 'John' for non-business internet usage, you should ask yourself: how many other employees use the internet just as much (or more) for non-business purposes? Are you holding them to the same level of scrutiny as you are holding John? If not, you may have legal issues.

Nick brought in a few books today, including the aforementioned The Code Book by Simon Singh. Also the classics The Cuckoo's Egg by Clifford Stoll, and The Art of Deception by Kevin Mitnick.

The Code Book opens with the story of Mary Queen of Scots: she was executed for attempting to overthrow the British throne and implement Catholic rule in Britain. Often left out of the history books is the fact that cryptanalysis led to her death: Queen Elizabeth was hesitant to execute her cousin, until the proof of treason was revealed when Mary's encrypted letters were decrypted.