Security Basics mailing list archives

RE: death of the security community


From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 23 Mar 2006 09:06:41 +1100


Hi
Well, not so much that they do not want to be secure, but rather that we
as humans in general do not comprehend and respond to risk in a logical
manner. People (generalised) are afraid to fly, but they get in a car
after a few drinks.

The threats people perceive are tainted by their experiences. People do
not look at life quantitatively. They do not assess the true level of
threat and impact.

So it is not that people do not want to be insecure, they rather fail to
understand that they are insecure. The levels of FUD have created a
situation where security professionals are seen to be crying wolf.

Regards
Craig

-----Original Message-----
From: Hat Trick [mailto:hattrickinc () gmail com]
Sent: 23 March 2006 12:59
To: Craig Wright
Cc: Bob Radvanovsky; John Vill; security-basics () securityfocus com
Subject: Re: death of the security community

You know what I think it is, I think it's because no one really wants to
be secure anymore, because they won't be able to play their 'yahoo
games' correctly. I've gone into small companies and told them how they
need to be secure, and mentioned to cut out all this garbage downloading
that I know is full of spyware and just waiting to fill the rest of the
hd with crap, and they just brush it off because 'it won't happen to
them, it never has'
...just my opinion

On 3/21/06, Craig Wright <cwright () bdosyd com au> wrote:

And the links now that I have looked are:
http://www.ranum.com/security/computer_security/audio/index.html

Regards
Craig


-----Original Message-----
From: Craig Wright
Sent: 22 March 2006 8:00
To: 'Bob Radvanovsky'; John Vill; security-basics () securityfocus com
Subject: RE: death of the security community

Hi,
Answer time...
"Is there such a thing as a 'script kiddie security analyst'?"
Yes, the term script kiddie was formulated over a decade ago by Marcus
Ranum to describe the "Big 6" (at the time - Big 4 now) "security
consultants" who were doing scripted tests. A junior staff member
would do the work from a form created by the manager and hence
leverage.

As Bob put it - Google away - there is more than enough proof. I
believe it was also in the Blackhat 2000 keynote from Marcus. I am
sure that Marcus will have this on his site. This would be the "Script
Kiddies Suck" talk.

Re. "security assessment". The issue is with the wording. All
professional audit firms are covered in law at least in the "West"
(and I will not speak for more than the G8 and Australia) when the
wording of Audit is used.

It is true that the contract will worm around this. It will be an
"assessment", a "review" or an "agreed procedures process" etc. If you
want to have a real test, then it has to be worded using the correct
legal terms. Even then many times the work will be inadequate, but at
least there are consequences if the word audit is used. There is
liability for the audit firm if you can demonstrate a lack of due care
(i.e. scripted tests).

The test is: are they willing to give an audit certificate? What is
contained in the audit certificate? Are they just stating BS or are
they stating they have tested the systems and controls?

