Dailydave mailing list archives

(no subject)


From: "Clemens, Dan" <Dan.Clemens () healthsouth com>
Date: Thu, 7 Jul 2005 12:52:12 -0500


Just a few small comments:



<snip>

Jesper is Program Manager for Security Policy at Microsoft. In this
position, he is responsible for the tools customers use to implement
security policies, such as the Security Configuration Wizard, Security
Configuration Editor, and related tools. He has delivered speeches on
network security all over the world and is a frequent speaker at
conferences and workshops, particularly in places that lend themselves
to great diving. He has a Ph.D. in Management Information Systems and is
a Certified Information Systems Security Professional (CISSP) and a
certified Information Systems Security Architecture Professional
(ISSAP).

<snip>



"One of the great mysteries in security management is the modus operandi
of an attacker. What is it that attackers do, and how do they do it?"



This isn't the goal of security management or risk management.

The goal is to mitigate risk, and to look for remediations for known
vulnerabilities and unknown vulnerabilities.



Looking at Jesper's bio I am more than willing to bet his perspective is
risk management (another word for politics) in contrast to actual
prevention.



"Although attacking networks can be fun and informative-not to mention
illegal if you do not have all the proper permissions-the fact remains
that the vast majority of us do not need to know how to do so."



This is completely why there is a problem. If everyone knew how things
were done, what items were exploitable, and how, they would design
things a bit better and manage things better.



"Frankly, becoming a good penetration tester (pen tester) takes more
than a week-long class. It takes commitment, dedication, intuition, and
technical savvy, not to mention a blatant disregard for the rules and
the right way to do things. Those are not skills that most security
administrators have, or need in many cases."





Gosh. Ok this is crap.

Every "Security Administrator" needs to be a good pen tester along with
a good reader, good system administrator, and a good thinker.



If we replace "good pentester" with "critical thinker" the above
sentence sounds a lot different.



"Critical thinking....Those are not skills most security administrators
have, or need in many cases..."





"In most cases, it is cheaper and more effective to hire someone to
perform penetration tests. Professional penetration testers are going to
be much more capable of finding problems, as well as articulating what
led to those problems."



- Rephrased with critical thinking:

"In most cases, it is cheaper and more effective to hire someone to
perform critical thinking tests. Professional critical thinkers are
going to be much more capable of finding problems, as well as
articulating what led to those problems."



Is it cheaper to hire good security engineers that don't do anything or
think critically?



This seems to show me the author is definitely in the business of risk
management and politics and not in the business of security.





Chapter 8 sticks out: "Taking over the Domain".



- What if the end network doesn't run Microsoft, is there a Domain?



Ok... anyhow this article is more about risk management and not risk
mitigation and the assumptions made by the author seem to be large.



I only got about halfway through the article but it seemed to me the
author may be looking through some Microsoft-centric lenses.



It's amazing how a one degree change in perspective can change how
administrators think critically about system administration.



-Daniel




