Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

Re: RE: In defense of non standard ports
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 2 Feb 2006 16:17:15 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 1 Feb 2006, Paul D. Robertson wrote:

On Fri, 27 Jan 2006, R. DuFresne wrote:

I had to stop here, for the term "security professionals" is a hard one to
define, does this imply certified persons?  Also, working for a state gov,

No, it means people getting paid to do security work.  That implies that
management is willing to pay *something* for ongoing security.


Which then begs for another definition, that being how does one define "security work"? Doing a default nessus run and sedning the default nessus report up through mgt chanins to me is negligent, lacks any value add that any lower or mid level admin might have been capable of in the first place, and yet, that is the vaule-add-less security we pay for here <smile>.



I can state plainly, security professionals/certified persons means little
where I ern a paycheck, as they tend to have certs indeed, and yet lack a
skill tween the whole group of 10 or so, in fact we could hire monkeys to
accomplish the same "scan reports" that are the height of their abilities.

While I'm constantly dismayed by the lack of true understanding in the
field, that doesn't abate the fact that someone's paying for something
security-ish.


Again, merely paying does not in any form really imply a value, does it? One can well paty for a service or commodity and still end up getting screwed.

Now to the end of the statement, do they have pull with mgt?  Well, they
are pulling in a far different diredtion the more they tend to ruffle
whole departments by crying wolf <sorry, no that trojan port your nessus
scan spotteed means less this month then it did last month you spewed it
up the mgt hill on our RACF mainframe, or sorry no your nessus skills are
not truely honed if you think pcanywhere is running on that solaris box>.

But it's a long climb from "Hey, you're a computer person, here's a
security hat" to "Hey, let's hire some security people."  That's a big
jump forward- NOW we need to direct that energy more productively.  That's
why I think we need to go back and start rattling firewall ruleset cages
instead of looking at shiney IDS reports, we've now got to get some
common, solid, understood security baseline industry-wide, otherwise we
all get painted with the "ineffective" brush.



And just because a person has passed a CISSP exam and will acquiese to wearing a tie all day at work, unless they have some background technical skills in the OS/HW at hand, that does not make those paid monkeys real security persons in any sense of the word. so, mgt giving sway to their alerts and flag waving can in many cases end up being worse then the case before a "special" security team was adopted. Now I have to admit, this is far from the norm, but it does happen, and I live it.


We have more personell that do not work with ISO with a clue towards
security in their prospective realm/OS/platform or on a whole then any of
the certified monkeys that ISO has hired to "secure" this state, and the
more pull with mgt thet have means the worse things get with each new
project rolled out...


It's a problem many would be happy to have- the assault has begun, you
have a gun, it's just pointed at your own foot.  You can adjust your aim-
some folks out there are still trying to get to step one.  We do need to
get people away from thinking IDS reports are filled with security-fu.


IDS reports whether from infront of the fw or border router or behind are no more a security-fu then a unskilled monkey running nessus on an OS that they are clueless about in the first place and running those fal;se positive prone reports up through mgt and the gov's offices as I've witnessed, unless one puts a real definition to the terms at hand, properly definging securiy person, security skills, and defining vaule-add from skills, training, and experience. One can add a security dept/role/persons to the payroll and actually end up taking two or more HUGE steps backwards.


How many here have taken Avishai's study and compared it to their own
rulesets?  Their business partners?  Forwarded a synopsis or copy up the
chain?

I've earned in gov settings one does not do things like this, not unless they are a highly paid contrator brought in to assess a setup that has issue with potential fixes. And in our case gartner has certainly provided such assesments that lead to our current set of monkey wrenches in the mix.

I know this digresses alot from the original argument, unless one actually is providing defininitions to things like IDS, HIDS, NIDS as well. Proper definitions from the onset. But, perhaps again I digress...


Thanks,

Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD4nbest+vzJSwZikRAhUYAKCY74wtbsu2/FAya3CGP/PVQpEGvACgvU+V
vQRvp2dvTlxN0CiPRh5BlIg=
=yRT1
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault