Full Disclosure: Re: What the f*** is going on?

[jf <jf () ownco net>]

> "Doing security" really isn't that hard.  Behind all the fancy appliances 
> and gee-whiz technology, the underlying principle is, don't unnecessarily 
> expose your assets to attack.
eyeroll, thanks for the clarification.

 
> This boils down to a few simple things:
> 1) Don't allow users to create simple passwords.
> 2) Don't allow admins to forego routine patching
> 3) Don't allow poor configuration of applications
> 4) Don't allow services that aren't vetted and authorized
to think I wasted all this money on SANS...

(how come no one ever points out that rate-limiting failed logins is probably more important than password complexity?)
 
> Those four simple rules will go a long way toward reducing your attack 
> surface enough that the "routine" "hackers" will move on to easier targets. 
> Depending upon your infrastructure, some of this can be automated, but the 
> bottom line for good security is auditing.  Know what your assets are. 
> Know what the weaknesses are.  Do everything you can do to avoid 
> unnecessary exposure.
> You're not going to stop a determined adversary from getting in.  There is 
> always a weakness somewhere that can be leveraged to gain further access. 
> But if you forgo routine patching, allow lousy passwords, allow poor 
> configuration practices and run services that aren't vetted and authorized, 
> then, well, you're an HBGary clone..
Okay, I think I got it, doing security is not hard, duh! You should listen to me, but hey, youre still gonna get owned, 
but really... this security stuff is e-z.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/