funsec mailing list archives

RE: Border Security System Left Open


From: "StyleWar" <stylewar () cox net>
Date: Sat, 15 Apr 2006 00:13:04 -0500

Comments embedded 

-----Original Message-----
From: funsec-bounces () linuxbox org 
[mailto:funsec-bounces () linuxbox org] On Behalf Of 
Valdis.Kletnieks () vt edu
Sent: Friday, April 14, 2006 12:01 PM
To: nick () virus-l demon co uk
Cc: funsec () linuxbox org
Subject: Re: [funsec] Border Security System Left Open 

> On Fri, 14 Apr 2006 13:32:41 +1200, Nick FitzGerald said:
> > Fergie wrote:
> >
> > [snip]
> >
> > You *do* realize that DHS got a whole whopping 'F' grade on
> > the latest GAO computer security scorecard, didn't you?

> ooooooooo don't get me started!

I would be careful about how much stock I put in that grade... It may seem
like a simple thing to say "well, they got an F - things must SUCK"... maybe
they do... But my experience says that the auditors who help produce those
grades are just as (if not more) likely to be guilty of incompetence as
those they're grading.

Admittedly, sometimes it's just the structure of the audit program, not the
auditor him/herself. But audit programs demand that policies and procedures
legislate everything from the dangers of persistent cookies to what specific
steps to take to patch a specific system type. Doesn't matter if your
vendor already has a procedure... if you don't have a copy on your own
letterhead, you'll track a finding for a year on it.

And despite what you're actually DOING, maybe you'll get an F from some
22-year-old CPA with a "firewalls for dummies" book in one hand, and an audit
program that says you need a procedure in the other.


> > Why are "sensitive" systems such as these on networks where
> > they _can_ be exposed to network-spreading malware or [D]DoS attacks?
>
> Because the people at DHS are too busy playing 'Security
> Theatre' and defending against 'movie plot' threats to
> actually secure anything.

lol - 9/11 WAS a movie plot threat, Valdis.

Either way, another thing the government has way too much of is reporting
on reports that were reported in the last report. Too much time measuring
problems, rather than fixing them.
 
> You can hardly blame them, though. Really good security is
> nearly invisible, and John Q. Public will mistake it for not
> doing anything. Doing idiotic things that piss John Q. off
> in the name of security makes John Q. think that Something Is
> Being Done.

Hrm... Decent security with the average system today is *easy* compared to
the difficulty of dispelling the myths that get propagated by auditors who
are just good enough to sound like they know what they're talking about, but
not good enough to suggest anything more valuable than the legislation of
common sense through policy and procedure.

/rant

-

StyleWar


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
