Full Disclosure mailing list archives

Re: Where to start
From: Andrew J Caines <A.J.Caines () halplant com>
Date: Tue, 9 Mar 2004 11:51:59 -0500


In case it wasn't obvious, you are in essence asking how to become
experienced. The answer is, as always, experience.

> Does a good security-officer have to know everything about every hole?

Of course not. A good security professional (or amateur) will however know
about the many types of vulnerabilities, exploits, attacks, defences and
most importantly where to find the detailed information on specific
threats and which ones are relevant.

> I myself don't think so, but where do people start?

If you're not working within the systems or network security field, then
becoming involved with the community through its information sources (such
as this list), combined with as much practical experience as your
resources allow is probably the best way to get started.

These days it's enough to operate a system with a connection to the
Internet to enjoy a substantial amount of experience of real-world
threats and (one hopes) how to defend against them.

> If I see lists and forums about network-security it seems that everybody
> knows a lot and has a huge reference base. Is this true?

If someone is smarter or more knowledgeable than you, then it is normally
impossible to tell _how much_ smarter or more knowledgeable they are. As
you learn, you'll evolve a picture of the distribution of expertise.

> I want to learn more about security stuff, but I can't find the real
> basics to build upon anywhere.

In my opinion, it's important to understand what "security" is before
getting too caught up in the systems, tools and activities. For this I
can't think of anything better than reading Bruce Schneier's "Secrets and
Lies" (and his new book, "Beyond Fear"), along with his "Crypto-Gram"
newsletter[1]. [I don't get any kickbacks, but wouldn't say no if offered!]

If there is one fault most prevalent in people working in the field, it's
that they lack contextual understanding and focus too closely on the
specifics of tools and methods; a typical case of not seeing the wood for
the trees. This is an understandable condition, given the nature of the
field, as I mention below.

> When there are posts on lists they presume that everybody has a certain
> knowledge level and are aware of best practices. But is this true?

Of course, it is necessarily so. Everyone addresses their intended
audience, however the actual audience will only approximately match the
intended one.

I'm sure almost none of us completely understand all the issues discussed
on this list and a similar number will agree on which practices are "best".

> Just because there are discussions, it seems that there is not one overall
> and central way of keeping track of evolving issues.

The field is changing and expanding so rapidly and has such ill-defined
borders, it's impossible to establish and achieve broad consensus on any
kind of central repository or authority. Even if such a thing could exist,
it would not be desirable anyway. There have been and will continue to be
some worthwhile efforts at centralising information, such as CERT[2],
SANS[3], CVE[4], CIAC[5], etc. but their value changes over time.

Experience in the field includes getting to know the value, as well as the
location, of the many information sources.

> How do people keep track easily with up to date best practices and not get
> distracted by "old" advisories?

By keeping a vigilant watch on what's going on outside your walls, as well
as what goes on inside and passes through them. When you can, learn from
others' mistakes before you have to learn from yours. See what other
people do, but with a highly critical eye.

Knowing what really counts as "Best Practice" is a bit like knowing
perfect truth in that it's more a goal than an achievement. What's more,
it's a moving goal.

One of the trickiest things these days is distinguishing between valuable
and accurate information and snake oil, especially since both can come
from the same source. Consider the source as well as the information.

In the spirit of vague generalisations and pontification, I'll close by
reminding everyone that in the end it's not about the systems, the
networks or even the data you protect, but the people who use it. Of
course they also happen to be your biggest problem.

        "Security is not a dirty word, Blackadder. Crevice is a
         dirty word, but security isn't!" - General Sir Anthony
         Cecil Hogmanay Melchett, "Blackadder Goes Forth"

[1] http://www.schneier.com/
[2] http://www.cert.org/
[3] http://www.sans.org/
[4] http://cve.mitre.org/
[5] http://www.ciac.org/

| -Andrew J. Caines-   Unix Systems Engineer   A.J.Caines () halplant com  |
| "They that can give up essential liberty to obtain a little temporary |
|  safety deserve neither liberty nor safety" - Benjamin Franklin, 1759 |

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
