Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: death of the security community

from [Craig Wright] Network Security [Permanent Link]
Subject: RE: death of the security community
Date: Thu, 23 Mar 2006 09:06:41 +1100 

Hi
Well, not so much that they do not want to be secure, but rather that we
as human's in general do not comprehend and respond to risk in a logical
manner. People (generalised) are afraid to fly, but they get in a car
after a few drinks.

The threats people perceive are tainted by their experiences. People do
not look at life quantitatively. They do not assess the true level of
threat and impact.

So it is not that people do not want to be insecure, they rather fail to
understand that they are insecure. The levels of FUD have created a
situation where security professionals are seen to being crying wolf.

Regards
Craig

-----Original Message-----
From: Hat Trick [mailto:hattrickinc@gmail.com]
Sent: 23 March 2006 12:59
To: Craig Wright
Cc: Bob Radvanovsky; John Vill; security-basics@securityfocus.com
Subject: Re: death of the security community

You know what I think it is, I think it's because no one really wants to
be secure anymore, because they won't be able to play their 'yahoo
games' correctly. I've gone into small company's and told them how they
need to be secure, and mentioned to cut out all this garbage downloading
that I know is full of spyware and just waiting to fill the rest of the
hd with crap, and they just brush it off because 'it won't happen to
them, it never has'
..just my opinion

On 3/21/06, Craig Wright <cwright@bdosyd.com.au> wrote:


And the links now that I have looked are:
http://www.ranum.com/security/computer_security/audio/index.html

Regards
Craig


-----Original Message-----
From: Craig Wright
Sent: 22 March 2006 8:00
To: 'Bob Radvanovsky'; John Vill; security-basics@securityfocus.com
Subject: RE: death of the security community

Hi,
Answer time...
"Is there such a thing as a 'script kiddie security analyst'?"
Yes, the term script kiddie was formulated over a decade ago by Marcus



Ranum to describe the "Big 6" (at the time - Big 4 now) "security
consultants" how where doing scripted tests. A junior staff member
would do the work from a form created by the manager and hence

leverage.


As bob put it - Google away - there is more than enough proof. I
believe it was also in the Blackhat 2000 keynote from Marcus. I am
sure that Marcus will have this on his site. This would be the "Script



Kiddies Suck" talk.

Re. "security assessment". The issue is with the wording. All
professional audit firms are covered in law at least in the "West"
(and I will not speak for more than the G8 and Australia) when the
wording of Audit is used.

It is true that the contract will worm around this. It will be an
"assessment", a "review" or a "agreed procedures process" etc. If you
want to have a real test, than it has to be wording using the correct
legal terms. Even than many times the work will be inadequate, but at
least there are consequences if the word audit is used. There is
liability for the audit firm if you can demonstrate a lack of due care



(i.e. scripted tests).

The test is are they willing to give an audit certificate? What is
contained in the audit certificate? Are they just stating BS or are
they stating they have tested the systems and controls?



Liability limited by a scheme approved under Professional Standards Legislation 
in respect of matters arising within those States and Territories of Australia 
where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If 
you are not the intended recipient, you must not use or disclose the 
information. If you have received this email in error, please inform us 
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the 
email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may 
not rely on this message as advice unless it has been electronically signed by 
a Partner of BDO or it is subsequently confirmed by letter or fax signed by a 
Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments 
due to viruses, interference, interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: application for an employment, Kurt Reimer
Next by Date:  SF new article announcement: Learning an advanced skillset, Kelly Martin
Previous by Thread:  Re: death of the security community, Hat Trick
Next by Thread:  RE: death of the security community, Craddock, Larry
Indexes:  [Date] [Thread] [Top] [All Lists]