Firewall Wizards mailing list archives

Re: RE: In defense of non standard ports


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 2 Feb 2006 16:17:15 -0500 (EST)


On Wed, 1 Feb 2006, Paul D. Robertson wrote:

> On Fri, 27 Jan 2006, R. DuFresne wrote:
>
>> I had to stop here, for the term "security professionals" is a hard one to
>> define, does this imply certified persons?  Also, working for a state gov,
>
> No, it means people getting paid to do security work.  That implies that
> management is willing to pay *something* for ongoing security.

Which then begs for another definition, that being how does one define "security work"? Doing a default nessus run and sending the default nessus report up through mgt channels to me is negligent, lacks any value add that any lower or mid level admin might have been capable of in the first place, and yet, that is the value-add-less security we pay for here <smile>.

>> I can state plainly, security professionals/certified persons means little
>> where I earn a paycheck, as they tend to have certs indeed, and yet lack a
>> skill tween the whole group of 10 or so, in fact we could hire monkeys to
>> accomplish the same "scan reports" that are the height of their abilities.
>
> While I'm constantly dismayed by the lack of true understanding in the
> field, that doesn't abate the fact that someone's paying for something
> security-ish.

Again, merely paying does not in any form really imply a value, does it? One can well pay for a service or commodity and still end up getting screwed.

>> Now to the end of the statement, do they have pull with mgt?  Well, they
>> are pulling in a far different direction the more they tend to ruffle
>> whole departments by crying wolf <sorry, no that trojan port your nessus
>> scan spotted means less this month than it did last month you spewed it
>> up the mgt hill on our RACF mainframe, or sorry no your nessus skills are
>> not truly honed if you think pcanywhere is running on that solaris box>.
>
> But it's a long climb from "Hey, you're a computer person, here's a
> security hat" to "Hey, let's hire some security people."  That's a big
> jump forward- NOW we need to direct that energy more productively.  That's
> why I think we need to go back and start rattling firewall ruleset cages
> instead of looking at shiny IDS reports, we've now got to get some
> common, solid, understood security baseline industry-wide, otherwise we
> all get painted with the "ineffective" brush.

And just because a person has passed a CISSP exam and will acquiesce to wearing a tie all day at work, unless they have some background technical skills in the OS/HW at hand, that does not make those paid monkeys real security persons in any sense of the word. So, mgt giving sway to their alerts and flag waving can in many cases end up being worse than the case before a "special" security team was adopted. Now I have to admit, this is far from the norm, but it does happen, and I live it.

>> We have more personnel that do not work with ISO with a clue towards
>> security in their respective realm/OS/platform or on a whole than any of
>> the certified monkeys that ISO has hired to "secure" this state, and the
>> more pull with mgt they have means the worse things get with each new
>> project rolled out...
>
> It's a problem many would be happy to have- the assault has begun, you
> have a gun, it's just pointed at your own foot.  You can adjust your aim-
> some folks out there are still trying to get to step one.  We do need to
> get people away from thinking IDS reports are filled with security-fu.

IDS reports whether from in front of the fw or border router or behind are no more security-fu than an unskilled monkey running nessus on an OS that they are clueless about in the first place and running those false positive prone reports up through mgt and the gov's offices as I've witnessed, unless one puts a real definition to the terms at hand, properly defining security person, security skills, and defining value-add from skills, training, and experience. One can add a security dept/role/persons to the payroll and actually end up taking two or more HUGE steps backwards.

> How many here have taken Avishai's study and compared it to their own
> rulesets?  Their business partners?  Forwarded a synopsis or copy up the
> chain?

I've learned in gov settings one does not do things like this, not unless they are a highly paid contractor brought in to assess a setup that has issues with potential fixes. And in our case gartner has certainly provided such assessments that led to our current set of monkey wrenches in the mix.

I know this digresses a lot from the original argument, unless one actually is providing definitions to things like IDS, HIDS, NIDS as well. Proper definitions from the onset. But, perhaps again I digress...


Thanks,

Ron DuFresne
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>