-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 16 Jun 2005, Jay D. Dyson wrote:
--[PinePGP]--------------------------------------------------[begin]--
On Wed, 15 Jun 2005, Dave wrote:
Ok, I have big problems with this. There are seperate and distinct
requirements for maintaining password complexity, performing vuln scans,
AND performing penetration testing. Any industry guideline or resource
would never allow this "definition".
It's said that the Giraffe was a Horse designed by committee.
With that in mind, what you're seeing are security decisions made by
committee as well.
Sadly, a lot of agencies (government, corporate and alleged
institutions of higher learning) have the same approach. Managerial
politics and sales drones are more influential in policy decisions than
the input of clued security people. That's why we have 99% of the messes
we see today.
As a consequence, rather than having said organizations do some
serious legwork and construct a solution appropriate to IT requirements,
the managerial types tend to simply buy the sizzle of a salesman and go
with Brand X's COTS solution (sic). Similarly, Open Source solutions and
methodologies (most of which are far superior to COTS in most every
respect) are eschewed because "they cannot be trusted" and "they have no
tech support." (Their reasons, not mine.)
The solution? If you can find one, I'll put in a good word for
you at the Norwegian Nobel Committee. My successes in this area have been
limited to picking up the pieces after things go to hell and slowly
cultivating opportunities in which I can influence, alter, or annihilate
said policies. It ain't for the faint of heart.
In many cases it is even more complex. Remember security is a process of
applying shims and fixes to a set of protocols that were not designed with
security in mind, in other words it is a refurbishing or remodeling of
something already in place, rather then building from the ground up
something new. And when mgt of many orgs is informed that they really do
need to build from the ground up to address properly their now
functionally inadaquet design flaws, that they lack the infrastructure to
accomplish many of their needs and goals they start to p00p their pants.
And they'll sit in those p00ped pants a long long time avoiding this, as
much as techs would with having to renumber 1500+ systems to accommodate
NAT in their new env...
Security, while being a buzzword and ringing all sorts of alarm bells and
clang-ons all over the place, makes folks reluctant to really push the
resources and funds into takes to do it correctly. Everyone has the
attitude that it should be something that slips in under the hood, quietly
and has no null or newly complex effects upon how things have "always"
been done. no one wants to face the real cost of doing things right, in
actual funds, let alone resources and changing old habits. Thus to
continual GAO bad report cards of various federal agencies, let alone
those at the state and county gov levels.
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCscV5st+vzJSwZikRAkOrAJ0e/n1t84+7xYEJ45vjso3ylRc+MwCePi93
oN3Nmg5GyYmfpe4tz5qMDwo=
=iqop
-----END PGP SIGNATURE-----
