Re: [fw-wiz] concerning ~el8 / project mayhem

From: Dave Piscitello
Date: 08/22/02

From: Dave Piscitello <>
To: Anton J Aylward CISSP <>
Date: Thu Aug 22 11:52:32 2002


I've helped a handful of very small businesses run by friends and church
associates. (Help is distinguished from consulting by the fee charged,
e.g., beer vs. money)

These are mostly Microsoft Windows shops. They are business people who have
DSL/EtherLoop access and I've installed SOHO firewalls for them.

Common properties:
- A/V is not on all computers, and virus definitions aren't up to date on
those that have A/V
- every WinOS setting is set at defaults
- no system is passworded
- no one has any idea whatsoever what a security/hot fix is, or why they'd
install a service pack

IMO this is not a good computing environment, and I encourage them to run
Microsoft's Baseline Security Analyzer and several simple and free
vulnerability assessment tools on their computers. Small business IT is like
training children to have good hygiene early.

What's much more worrisome to me for such businesses is that they often
purchase some vertical application software (real estate, credit card
database, mortgage processing, medical) that runs on Linux, BSD, or SCO.

What's common on these machines:
- default *NIX configuration, dozens of services running, guest accounts, etc.
- the vendor insists that services like telnet/rcp, etc. be accessible
through the firewall so that they can service the machine. In some
instances, the application refers out to other servers.
- no one in the company can distinguish SCO from a scone...

Here's where I'd love to have Paul's "harden the server in 2 minutes"
vulnerability assessment and mediation skills.

Confession. I would not classify myself as an outstanding *NIX admin. I
make use of assessment tools on these and "sandbox" machines in my office
to hopefully raise my competency to a level that is at least the value of a
beer to my friends. Fortunately, I am often able to browbeat vendors into
using SSH over telnet, and I implement as stringent a firewall policy as
possible. So far, everyone's been able to stay off the radar.

We too often think of competency in terms of our own skill sets, enterprise
budgets (lame though they may be, they are worlds better than what
companies with annual earnings of six figures can afford), and (praise the
vendor) evaluation equipment.

At 10:09 PM 8/21/2002 -0400, Anton J Aylward CISSP wrote:
>On Wed, 2002-08-21 at 17:57, Dave Piscitello wrote:
> > Scanners raise the competency levels of individuals who aren't quite as
> > capable as Paul and others he and we might all identify as his equals.
>Interesting assertion. Could you explain it please.

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926