mailing list archives
Re: RE: In defense of non standard ports
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 2 Feb 2006 16:17:15 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
On Wed, 1 Feb 2006, Paul D. Robertson wrote:
On Fri, 27 Jan 2006, R. DuFresne wrote:
I had to stop here, for the term "security professionals" is a hard one to
define, does this imply certified persons? Also, working for a state gov,
No, it means people getting paid to do security work. That implies that
management is willing to pay *something* for ongoing security.
Which then begs for another definition, that being how does one define
"security work"? Doing a default nessus run and sedning the default
nessus report up through mgt chanins to me is negligent, lacks any value
add that any lower or mid level admin might have been capable of in the
first place, and yet, that is the vaule-add-less security we pay for here
I can state plainly, security professionals/certified persons means little
where I ern a paycheck, as they tend to have certs indeed, and yet lack a
skill tween the whole group of 10 or so, in fact we could hire monkeys to
accomplish the same "scan reports" that are the height of their abilities.
While I'm constantly dismayed by the lack of true understanding in the
field, that doesn't abate the fact that someone's paying for something
Again, merely paying does not in any form really imply a value, does it?
One can well paty for a service or commodity and still end up getting
Now to the end of the statement, do they have pull with mgt? Well, they
are pulling in a far different diredtion the more they tend to ruffle
whole departments by crying wolf <sorry, no that trojan port your nessus
scan spotteed means less this month then it did last month you spewed it
up the mgt hill on our RACF mainframe, or sorry no your nessus skills are
not truely honed if you think pcanywhere is running on that solaris box>.
But it's a long climb from "Hey, you're a computer person, here's a
security hat" to "Hey, let's hire some security people." That's a big
jump forward- NOW we need to direct that energy more productively. That's
why I think we need to go back and start rattling firewall ruleset cages
instead of looking at shiney IDS reports, we've now got to get some
common, solid, understood security baseline industry-wide, otherwise we
all get painted with the "ineffective" brush.
And just because a person has passed a CISSP exam and will acquiese to
wearing a tie all day at work, unless they have some background technical
skills in the OS/HW at hand, that does not make those paid monkeys real
security persons in any sense of the word. so, mgt giving sway to their
alerts and flag waving can in many cases end up being worse then the case
before a "special" security team was adopted. Now I have to admit, this
is far from the norm, but it does happen, and I live it.
We have more personell that do not work with ISO with a clue towards
security in their prospective realm/OS/platform or on a whole then any of
the certified monkeys that ISO has hired to "secure" this state, and the
more pull with mgt thet have means the worse things get with each new
project rolled out...
It's a problem many would be happy to have- the assault has begun, you
have a gun, it's just pointed at your own foot. You can adjust your aim-
some folks out there are still trying to get to step one. We do need to
get people away from thinking IDS reports are filled with security-fu.
IDS reports whether from infront of the fw or border router or behind are
no more a security-fu then a unskilled monkey running nessus on an OS that
they are clueless about in the first place and running those fal;se
positive prone reports up through mgt and the gov's offices as I've
witnessed, unless one puts a real definition to the terms at hand,
properly definging securiy person, security skills, and defining vaule-add
from skills, training, and experience. One can add a security
dept/role/persons to the payroll and actually end up taking two or more
HUGE steps backwards.
How many here have taken Avishai's study and compared it to their own
rulesets? Their business partners? Forwarded a synopsis or copy up the
I've earned in gov settings one does not do things like this, not unless
they are a highly paid contrator brought in to assess a setup that has
issue with potential fixes. And in our case gartner has certainly
provided such assesments that lead to our current set of monkey wrenches
in the mix.
I know this digresses alot from the original argument, unless one actually
is providing defininitions to things like IDS, HIDS, NIDS as well. Proper
definitions from the onset. But, perhaps again I digress...
admin & senior security consultant: sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----
firewall-wizards mailing list
firewall-wizards () honor icsalabs com