Dailydave mailing list archives
(no subject)
From: "Clemens, Dan" <Dan.Clemens () healthsouth com>
Date: Thu, 7 Jul 2005 12:52:12 -0500
Just a few small comments:

<snip>
Jesper is Program Manager for Security Policy at Microsoft. In this position, he is responsible for the tools customers use to implement security policies, such as the Security Configuration Wizard, Security Configuration Editor, and related tools. He has delivered speeches on network security all over the world and is a frequent speaker at conferences and workshops, particularly in places that lend themselves to great diving. He has a Ph.D. in Management Information Systems and is a Certified Information Systems Security Professional (CISSP) and a certified Information Systems Security Architecture Professional (ISSAP).
<snip>

"One of the great mysteries in security management is the modus operandi of an attacker. What is it that attackers do, and how do they do it?"

This isn't the goal of security management or risk management. The goal is to mitigate risk and to look for remediations for known vulnerabilities and unknown vulnerabilities. Looking at Jesper's bio, I am more than willing to bet his perspective is risk management (another word for politics) in contrast to actual prevention.

"Although attacking networks can be fun and informative - not to mention illegal if you do not have all the proper permissions - the fact remains that the vast majority of us do not need to know how to do so."

This is completely why there is a problem. If everyone knew how things were done, what items were exploitable and how, they would design things a bit better and manage things better.

"Frankly, becoming a good penetration tester (pen tester) takes more than a week-long class. It takes commitment, dedication, intuition, and technical savvy, not to mention a blatant disregard for the rules and the right way to do things. Those are not skills that most security administrators have, or need in many cases."

Gosh. Ok, this is crap.
Every "Security Administrator" needs to be a good pen tester along with a good reader, a good system administrator, and a good thinker. If we replace "good pentester" with "critical thinker", the above sentence sounds a lot different: "Critical thinking.... Those are not skills most security administrators have, or need in many cases..."

"In most cases, it is cheaper and more effective to hire someone to perform penetration tests. Professional penetration testers are going to be much more capable of finding problems, as well as articulating what led to those problems."

Rephrased with critical thinking: "In most cases, it is cheaper and more effective to hire someone to perform critical thinking tests. Professional critical thinkers are going to be much more capable of finding problems, as well as articulating what led to those problems."

Is it cheaper to hire good security engineers that don't do anything or think critically? This seems to show me the author is definitely in the business of risk management and politics and not in the business of security.

Chapter 8 sticks out: "Taking over the Domain". What if the end network doesn't run Microsoft? Is there a Domain?

Ok... anyhow, this article is more about risk management and not risk mitigation, and the assumptions made by the author seem to be large. I only got about halfway through the article, but it seemed to me the author may be looking through some Microsoft-centric lenses. It's amazing how a one degree change in perspective can change how administrators think critically about system administration.

-Daniel