
Re: [Full-Disclosure] RE: [Full-Disclosure]Open the doors to hell hire a hicker Full-Disclosure Posts



Hey there Jan,

First let me say that I understand what you're trying to say here, but I don't
agree with the way you expressed it. You mention that the point of "hiring
people who don't know much" is to ensure that people are following "policy and
procedure and comply with audit".

You also mentioned that security methodologies can be maintained by "ordinary
computer folk".

I know that sometimes, due to email, meanings can get misconstrued. Jan, maybe
you were thinking one thing but it came out another way?

Here is my point; tell me if you agree. First off, as we know, security
should be a lifecycle process and can be likened to an organic function in that
it is always changing. You need to adjust your security measures to address
ever-changing threats. Consider a simple firewall rule base: sure, you can set
it up and forget about it, but chances are when the next exploit comes out that
targets some authorized port, your current security stance becomes obsolete. An
"ordinary computer person" is not going to have the skills to know how to
research the latest threats or how they need to adjust these security rules to
provide the protection you need.

The same can be said of an Info Sec policy: this document needs to be revisited
on a periodic basis to make sure that the rules it lays out are in accord with
necessary security practices. If the person doesn't know much in the way of
security then this creates a liability for the company in which he is employed,
as the policy will not address needed areas. Imagine an engineer who doesn't
understand HIPAA requirements and allows people on his network to send out
patient info in the clear. Sure, this works from a networking and tech point
of view, but from a security perspective it's a total failure.

Security is another animal when you compare it with basic computer techs and
engineers. Not that they are less talented; they just focus on a different
discipline. The same way you wouldn't send in a lawyer to do a triple bypass
surgery, you can't expect a computer tech or server admin to be able to address
security needs if they haven't been trained to do so.

Just some thoughts.


Jesse



On Mon, 18 Oct 2004 10:28:39 -0400, Clairmont, Jan M wrote:
> Oh yeah and we can trust you bozos not to put in backdoors, sploits and other
> great modes of entry yeah right. 8->, Hire the burgler to secure your home,
> yeah right? Doh!

Just because J.Random Hacker starts out as an immature 17 year old
script kiddie breaking into random systems doesn't mean (assume he
avoids prison) he can't grow up to become a mature "security
professional" who knows how to follow a policy procedure, comply with
audit, and work a 9-to-5 job.

Scratch a thirty-something lead InfoSec consultant from any major
consulting firm (including the big four), and chances are you'll find
a "31337 Hax0r" from the 90's.

And this is excluding the obvious L0pht->@Stake->Symantec progression.
People mature over time, grow into a more "professional" attitude
without losing the inventiveness and insight that makes them
effective.


> Sheessh what a stupid idea?
> 
> The whole point of hiring people who don't know much is that they follow
> a policy procedure and comply with audit, I have yet to see a H&ck3r follow 
> any
> procedure. So how do you control anything such as policy etc, the wild west 
> again?
> You hire professional security people to maintain control, not chaos, and 
> find methodologies
> procedures and products that are the most effective, test, re-test, 
> remediate, deploy and defend.
> And that can be maintained and operated by ordinary computer folk, who want 
> to do an honest days
> work and collect their rightful pay, but maybe you never thought of that!

Sure, bean counters have their place too.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

                
---------------------------------
Do you Yahoo!?
vote.yahoo.com - Register online to vote today!