Penetration Testing mailing list archives
Re: Government Compliance
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 16 Jun 2005 14:31:18 -0400 (EDT)
On Thu, 16 Jun 2005, Jay D. Dyson wrote:
> On Wed, 15 Jun 2005, Dave wrote:
>
> > Ok, I have big problems with this. There are separate and distinct requirements for maintaining password complexity, performing vuln scans, AND performing penetration testing. Any industry guideline or resource would never allow this "definition".
>
> It's said that the Giraffe was a Horse designed by committee. With that in mind, what you're seeing are security decisions made by committee as well. Sadly, a lot of agencies (government, corporate and alleged institutions of higher learning) have the same approach. Managerial politics and sales drones are more influential in policy decisions than the input of clued security people. That's why we have 99% of the messes we see today.
>
> As a consequence, rather than having said organizations do some serious legwork and construct a solution appropriate to IT requirements, the managerial types tend to simply buy the sizzle of a salesman and go with Brand X's COTS solution (sic). Similarly, Open Source solutions and methodologies (most of which are far superior to COTS in most every respect) are eschewed because "they cannot be trusted" and "they have no tech support." (Their reasons, not mine.)
>
> The solution? If you can find one, I'll put in a good word for you at the Norwegian Nobel Committee. My successes in this area have been limited to picking up the pieces after things go to hell and slowly cultivating opportunities in which I can influence, alter, or annihilate said policies. It ain't for the faint of heart.
In many cases it is even more complex. Remember, security is a process of applying shims and fixes to a set of protocols that were not designed with security in mind; in other words, it is a refurbishing or remodeling of something already in place, rather than building something new from the ground up. And when mgt of many orgs is informed that they really do need to build from the ground up to properly address their now functionally inadequate design flaws, that they lack the infrastructure to accomplish many of their needs and goals, they start to p00p their pants. And they'll sit in those p00ped pants a long, long time avoiding this, as much as techs would with having to renumber 1500+ systems to accommodate NAT in their new env...
Security, while being a buzzword and ringing all sorts of alarm bells and clang-ons all over the place, makes folks reluctant to really push the resources and funds into what it takes to do it correctly. Everyone has the attitude that it should be something that slips in under the hood, quietly, and has no null or newly complex effects upon how things have "always" been done. No one wants to face the real cost of doing things right, in actual funds, let alone resources and changing old habits. Thus the continual GAO bad report cards of various federal agencies, let alone those at the state and county gov levels.
Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins <Still Life With Woodpecker>