funsec mailing list archives
RE: Border Security System Left Open
From: "StyleWar" <stylewar () cox net>
Date: Sat, 15 Apr 2006 00:13:04 -0500
Comments embedded
-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Valdis.Kletnieks () vt edu
Sent: Friday, April 14, 2006 12:01 PM
To: nick () virus-l demon co uk
Cc: funsec () linuxbox org
Subject: Re: [funsec] Border Security System Left Open

On Fri, 14 Apr 2006 13:32:41 +1200, Nick FitzGerald said:
Fergie wrote:
[snip]
You *do* realize that DHS got a whole whopping 'F' grade on the latest GAO computer security scorecard, didn't you?
ooooooooo don't get me started! I would be careful about how much stock I put in that grade.... It may seem like a simple thing to say "well they got an F - things must SUCK" ... maybe they do... But my experience says that the auditors who help produce those grades are just as (if not more) likely to be guilty of incompetence as those they're grading. Admittedly, sometimes it's just the structure of the audit program, not the auditor him/herself. But audit programs demand that policies and procedures legislate everything from the dangers of persistent cookies to what specific steps to take to patch a specific system type. Doesn't matter if your vendor already has a procedure... if you don't have a copy on your own letterhead, you'll track a finding for a year on it. And despite what you're actually DOING, maybe you'll get an F from some 22 year old CPA with a "firewalls for dummies" book in one hand, and an audit program that says you need a procedure in the other.
Why are "sensitive" systems such as these on networks where they _can_ be exposed to network-spreading malware or [D]DoS attacks?
Because the people at DHS are too busy playing 'Security Theatre' and defending against 'movie plot' threats to actually secure anything.
lol - 9/11 WAS a movie plot threat, Valdis. Either way, another thing that the government has way too much of is reporting on reports that were reported in the last report. Too much time measuring problems, rather than fixing them.
You can hardly blame them, though. Really good security is nearly invisible, and John Q. Public will mistake it for not doing anything. Doing idiotic things that piss John Q. off in the name of security makes John Q. think that Something Is Being Done.
Hrm... Decent security with the average system today is *easy* compared to the difficulty of dispelling the myths that get propagated by auditors who are just good enough to sound like they know what they're talking about, but not good enough to suggest anything more valuable than the legislation of common sense through policy and procedure.
/rant
- StyleWar
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.