



Cyber Security Awareness Month - Day 5: Standards Body Soup, So many Flavors in the bowl.

Published: 2012-10-05
Last Updated: 2012-10-05 20:55:30 UTC
by Richard Porter (Version: 6)
2 comment(s)

Introduction

First, I would like to say that without our readers and subscribers we would not exist, and that we genuinely do read every post. A reader posted a request to break down standards bodies and I decided to take that endeavor on. This has now turned into a larger project than just one diary entry. You will see more on this topic, but hopefully today is a good start. This first pass at understanding the different bodies does not include a complete list.

Many of you have likely heard the quote “The problem with standards is there are so many to choose from.” I really don’t know who first uttered that phrase (UPDATE: Andrew S. Tanenbaum [3]), but it holds true from my point of view. This article will take a 10,000 meter or 30,000 foot view (depending on whether you use metric [1] or imperial units [2]) of what I am calling standards body soup. Within this bowl of standards groups there are several types and several methods by which they govern. I can assume that most readers are familiar with a Request for Comments (RFC) and the group that governs this standards suite, the Internet Engineering Task Force (IETF). So we will start there and break the IETF down into areas for understanding. This will provide a framework for a further list of standards bodies.

Breakdown and Terminology

In order to build a table for understanding different standards bodies, we will use the following subject areas as columns:

Abbreviated Name: The short name or acronym used to reference the organization.
Full Name: The complete name. Sometimes we only know the Acronym.
Web Site: How to find them on the web.
Members and Contributors: Who can and or are members of the standards group.
Role: How do they influence or contribute to industry.
Notable Standards: Standards that might matter to us.

Standards Body Profile

Abbreviated Name: IETF

Full Name: Internet Engineering Task Force

Web Site: www.ietf.org

Members and Contributors: Too numerous to list. Membership is open to anyone, and the IETF is made up of many working groups. A breakdown of working groups can be found at http://www.ietf.org/wg/, but in summary they are open to anyone and usually conduct business over open mailing lists. If there is an RFC that you would like to influence, join the mailing list and begin your journey.

The IETF is governed by a group called the Internet Society (ISOC), and its board of trustees can be found at http://www.internetsociety.org/who-we-are/board-trustees. With most standards bodies, in our experience, the members come from various places: members will often hold a second industry position, and their parent company allows them to contribute.

Role:  Internet Standards Governance

 

Notable Security-Based Standards: Again, there are far too many notable standards to list from the IETF, but I will list a couple of my favorites.

RFC 2350 – Expectations for Computer Security Incident Response 

http://www.rfc-editor.org/rfc/rfc2350.txt

On occasion we are asked things like “My Company/Group/Team/Org is looking to stand up an Incident Response Team, where do I start?” and in the spirit of the world we live in today I am re-coining a popular phrase to “There’s a Standard for that!”

 

RFC 4949 – Internet Security Glossary, Version 2

http://www.rfc-editor.org/rfc/rfc4949.txt

In case you were wondering, yes there are standards for the standards. This is an informational RFC, which means it is not really a standard but a good reference. 

 

RFC 6618 (Experimental) – Mobile IPv6 Security Framework Using Transport Layer Security for Communication between the Mobile Node and Home Agent

http://datatracker.ietf.org/doc/rfc6618/

The title alone is scary but signs of a mobile world to come. This one is on my watch list.

Table

Please See Spreadsheet for editable details: https://isc.sans.edu/diaryimages/Standards_Framework_Draft.xlsx


References
[1] http://en.wikipedia.org/wiki/Metric_system
[2] http://en.wikipedia.org/wiki/Imperial_units
[3] http://en.wikiquote.org/wiki/Andrew_S._Tanenbaum

 
