Security Incidents mailing list archives

Re: Nimda responsibility - Laying appropriately - implied warranty of sale


From: H C <keydet89 () yahoo com>
Date: Fri, 28 Sep 2001 07:29:40 -0700 (PDT)

> You really want to put them out of
> business?  STOP USING THEIR PRODUCTS.  How many
> other ways can it be said?

Amen.

It is not like there aren't alternatives out 
there.  There are other OSes (free & non), other 
browsers, other free media players, other free
office suites, etc.

I have StarOffice installed on a Win2K system.  It
works reasonably well, so far, and I've used it to
edit Word and PPT docs that I've transferred from
other machines.

> But as consultants,
> contractors, and vendors we are not pushing our
> customers to make the change.


> Time for a better solution.

For the time being, can't we recommend to our clients
such things as ACLs and monitoring?  How about
developing, implementing, and following security
policies and procedures?  Of the few sites that I've
seen that actually have such things, managers have
done very little for holding admins responsible for
actually following the procedures.  Ex: Backup
procedures clearly state that backups will be verified
and stored in an off-site location.  Management did
little to provide an off-site location, so admins were
taking copies home.  When an incident occurred, they
found out that the backups hadn't been verified...

The point is this...if senior management is serious
about security as a whole, they'd provide the
necessary resources...adequate numbers of personnel,
training, etc.  Many times, a lot doesn't get done b/c
the admin staff (a) is too busy w/ helpdesk ops, and
(b) wouldn't really know what to do anyway (how many
times have I asked data center folks for the IIS web
logs and gotten back three files, all ending in
.evt??).

> If you are serious about this effort, then
> education and proof are the keys to making it work.

Sure.

> Build two boxes, one MS and one Linux for example.

It's common knowledge that an adequately
trained/experienced MS admin can lock down a box as
much as an adequately trained/experienced Linux admin.
Setting up such boxes and launching the same attacks
against them shows what exactly?  The security
configuration of a single host has very little
to do with the overall information security posture of
the infrastructure.  Firewall and router ACLs,
NAT'ing, VLANs, network device configuration,
user/admin security awareness, locked server room
doors...these all play a part.  

The issue of susceptibility to malware (worms,
viruses, etc) isn't so much one of which products are
employed, but rather _how_ they are employed. 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com