Re: [Full-Disclosure] RE: [Full-Disclosure] Open the doors to hell hire a hicker
From: Jesse Valentin <jessevalentin () yahoo com>
Date: Wed, 20 Oct 2004 07:50:37 -0700 (PDT)
Hey there Jan,
First let me say that I understand what you're trying to say here, but I don't agree with the way you expressed it. You mention that the point of hiring people who don't know much is to ensure that people are following policy and procedure and comply with audit.
You also mentioned that security methodologies can be maintained by ordinary computer folk.
I know that sometimes due to email... meanings can get misconstrued. Jan, maybe you were thinking one thing but it came out another way?
Here is my point, and tell me if you agree: first off, and as we know, security should be a lifecycle process and can be likened to an organic function in that it is always changing. You need to adjust your security measures to address ever-changing threats. Consider a simple firewall rule base: sure, you can set it up and forget about it, but chances are when the next exploit comes out that targets some authorized port, your current security stance becomes obsolete. An ordinary computer person is not going to have the skills to know how to research the latest threats or how they need to adjust these security rules to provide the protection you need.
The same can be said of an Info Sec policy: this document needs to be revisited on a periodic basis to make sure that the rules it lays out are in accord with necessary security practices. If the person doesn't know much in the way of security then this creates a liability for the company in which he is employed, as the policy will not address needed areas. Imagine an engineer who doesn't understand HIPAA requirements and allows people on his network to send out patient info in the clear. Sure... this works from a networking and tech point of view, but from a security perspective it's a total failure.
Security is another animal when you compare it with basic computer techs and engineers. Not that they are less talented; they just focus on a different discipline. The same way you wouldn't send in a lawyer to do a triple bypass surgery, you can't expect a computer tech or server admin to be able to address security needs if they haven't been trained to.
Just some thoughts.
On Mon, 18 Oct 2004 10:28:39 -0400, Clairmont, Jan M
Oh yeah, and we can trust you bozos not to put in backdoors, sploits and other great modes of entry, yeah right. 8->, Hire the burglar to secure your home, yeah right? Doh!
Just because J.Random Hacker starts out as an immature 17 year old
script kiddie breaking into random systems doesn't mean (assume he
avoids prison) he can't grow up to become a mature "security
professional" who knows how to follow a policy procedure, comply with
audit, and work a 9-to-5 job.
Scratch a thirty-something lead InfoSec consultant from any major
consulting firm (including the big four), and chances are you'll find
a "31337 Hax0r" from the 90's.
And this is excluding the obvious L0pht->@Stake->Symantec progression.
People mature over time, grow into a more "professional" attitude
without losing the inventiveness and insight that makes them
Sheessh what a stupid idea?
The whole point of hiring people who don't know much is that they follow
a policy procedure and comply with audit, I have yet to see a H&ck3r follow any
procedure. So how do you control anything such as policy etc, the wild west again?
You hire professional security people to maintain control, not chaos, and find methodologies
procedures and products that are the most effective, test, re-test, remediate, deploy and defend.
And that can be maintained and operated by ordinary computer folk, who want to do an honest day's work and collect their rightful pay, but maybe you never thought of that!
Sure, bean counters have their place too.