Firewall Wizards mailing list archives
RE: The Future of Security
From: Eric Budke <budke () budke com>
Date: Thu, 02 Dec 1999 12:47:24 -0500
At 09:14 PM 12/1/99, Randy Witlicki wrote:
> I'm interested here about where you say "complaints come from everywhere you look." From "inside" (e.g.: this mailing list, the Usenix Security conference, etc. - where the techies are found) - the perspective is that the "poor quality" comes from things like the InfoSec division of a brand name big accounting firm sending out an intern with a laptop loaded with ISS (or some other security scanner) to do an audit of a client. The network and system administrators at the client see this and are chuckling over their coffee or Mt. Dews about the yoo-yoo sent out to do the audit. This is the *stereotype* of poor quality from the techie viewpoint.
Well, as a semi-current techie who's currently at one of the accounting firms (not as an intern) I haven't run into a lot of clients who would appear to be active readers of this list or others like it. I'm not sure how many other people use their personal email accounts on lists like this, but if you look at many of the "from" addresses, there isn't much Fortune 500 penetration. I suppose for the list it is a good thing (quality is up). But regardless of what may seem like the outrageous rates we charge, there are a lot of sites that have trouble keeping some fairly static systems up, let alone closing off r-services.
Not that we enjoy sitting there running the scanner every now and then, but why, if the administrator community (as a whole) is so good, do the scanners generate so many findings when they are run on a network? A commercial scanner is a commercial scanner. They ARE available outside of the consulting firms. Many of them even give partial how-to's in fixing the problems...yet there are still a bunch of findings.
I'm sure that there are all sorts of excuses for the current state of many of the problems. But the blame is easy to place all over the place. Vendors and administrator/users have tons of problems with incompatibility. Very few solutions scale well, and it is rare that it is easy. Users blame vendors, vendors blame users.
If there were an overabundance of people doing good quality work, we'd have to find a different profession. Remember that what may seem easy to you is often black magic to most others. Try going back and explaining to a grandmother over the phone the concept of a reply button in an email program. I think she's looking for the key on the keyboard (bringing images of Homer searching for the any-key).
> Do you think management - whose eyes glaze over when the techies walk into the room - also think there is rampant poor quality in the Computer Security racket? What drives their perceptions?
I'm not sure many of them even think there is a problem with computer security. But for those that do, it isn't hard to point to the press. Between Forbes, Time, Newsweek, and your daily paper, there has been an ever-increasing number of articles (assuming they can read).
> Yours in asking for hundreds of dollars per hour without blinking,
> - Randy -
-- PGP Key can be found at http://www.budke.com/pgp/budke_budke_com.txt