Re: [fw-wiz] iso 17799

From: J. Oquendo (sil_at_kungfunix.net)
Date: 07/22/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 21 Jul 2004 18:03:50 -0500 (EST)
    
    

    > So what is wrong with a repository of information for those people to
    > mine as needed? Too small a group? Not worth the effort? Hey if your
    > issue is with big companies, lots of little ones exist on the net and
    > they get hacked too.

    Firstly, I do not possess any certs; I never had time to take them. Maybe I
    should get some; likely I won't, as my time consists of work, work, work. Info
    repositories have their pros and cons. Pros: they can serve as a base and
    offer "some" information. Cons: a) How does the information provided
    apply to your network, when your network is likely to differ across the
    board? b) Information overload. Most information repositories are bloated,
    as many companies have become (or at least tried to become) the "de facto"
    source of compsec: CERT, HERT, Bugtraq, f00b4r.org, and anyone else
    willing to dump a site on the net.

    From my perspective, if I were a CTO, CSO, or other nifty little acronymed
    officer in a company in charge of hiring, I would shoot for the geek as
    opposed to:

    John Fooblah
    MCSE, CCNP, CISSP, ABCD, EFGH
    212-555-1212

    It comes from my experience in the field that reading and memorizing a
    book and passing an exam does not qualify everyone as being "in the know"
    for any tailored cert (CCNA, CCNP, CCIE for networking, for example). Some
    time ago I recall having a conversation with a friend in the compsec field
    who worked at a Fortune 500, really big company. According to my friend, his
    company paid to have their employees take the cert exams and had those
    taking the test memorize as much as they could to recreate the exams in
    order for the next workers to pass them with ease. Big business in
    certifications. Think about a company where the entire sysadmin/compsec
    admin staff was certified to a T. That would be the company a CTO, CEO, CFO,
    _INSERT_OTHER_TITLE_HERE would hire. "Wow, they're all certified, they must
    know."

    > Yes, the ideas work, like I said in the post, I've tried many of them.
    > I'm not sure why you brought the $100,000 doo-dad into the picture in
    > the first place. I assumed it was because you feel education won't help
    > as people want to buy the magic bullet and move on.

    Many ideas and plans will work, and many won't, many will work with
    modifications to them. They're baseline ideas. How many ideas have you had
    to tweak on your own, and how many will have to be re-tweaked when you see
    something come up on Bugtraq next week?

    > Yes, no kidding, we'd all like the magic bullet, now what's really in
    > the bag?;) Seriously some people fall for marketing hype, some don't,
    > some people just want to get through the day and some plan well in
    > advance, people vary.

    One of the factors I can recall when my title was "Security Product
    Engineer" (go figure that title out) was, most of the products we used,
    resold, etc., gave the client a sense of security. Not security in the
    sense that this was the all in one answer, but the sense of security
    knowing if the **** hit the fan, they had a number for support and didn't
    have to rely on waiting for a reply an admin had to shoot off to
    somewhere@somelist.foo or jump on irc #foobarhelp.

    > There are some of us interested in doing a good job and we don't believe
    > in magic bullets. We also think it is stupid to have ten people solve
    > the same problem ten times. How about we try, the first guy solves it,
    > the remaining 9 tweak his solution for their environment and we expend
    > 5-8 times effort instead of 10 times effort?

    Too many hands in the pot... however that saying goes. Again, I would rely
    on the geek for a quick solution, as the geek is the one who has to operate
    the system at the end of the line. Geek meaning someone well versed all
    around, not just someone who wants to plunk down a couple of grand for a
    network analyzer when tcpdump, snoop and others are available freely. How
    well versed are your geeks? ;)

    > And people wonder if it isn't possible to come up with a 'standard'. I
    > don't believe a true rigid standard will work, my network is different
    > from Paul's and different from yours, my solution will be at least
    > slightly different. HOWEVER, I do believe if I saw how you did it and
    > how Paul did it, it MIGHT save me thinking time.

    There can be no standard from my view, only an outline. As you clearly
    state, things differ across the line, and the services you run, and how you
    run them, will not be the same. What do you do with legacy that you cannot
    recreate? You make do, work with what you have, and if you're
    inexperienced, then you get someone who knows, or you look for a
    guideline. As someone in the field, how many standards have you seen created,
    modified, changed? What standard could anyone possibly propose on a
    realistic level?

    > <sigh> I guess I'm a do gooder ;). No seriously, it is vested self
    > interest. We do OK, but the more of the others I can keep from being
    > hacked the less I get pounded on. It IS possible that a virus/worm/#$%^@
    > may attack my net before the vendor releases the patch or before I apply
    > it.

    Again, this is where your geek comes in. Do you have monitoring set up
    correctly, efficiently? Whenever I'm on a machine I have this odd habit of
    tail -f'ing and awk'ing logs to hell in order to pay attention to what is
    going on in real time. Of course this pertains to a specific machine, and
    I still do it if that specific machine is running auditing software. Sure,
    you can keep a vigilant eye on what's going on on your network. Set up
    your own programs along with what's available. Waiting for the patch fairy
    isn't going to do much. Are you or your geeks experienced enough to know
    what's what?

    I would go on, but work calls. Besides, this entire thread seems to have
    veered off course like the SS Minnow.

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    J. Oquendo
    GPG Key ID 0x51F9D78D
    Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

    sil @ politrix . org http://www.politrix.org
    sil @ infiltrated . net http://www.infiltrated.net

    "How can we account for our present situation unless we
    believe that men high in this government are concerting
    to deliver us to disaster?" Joseph McCarthy "America's
    Retreat from Victory"
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

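The "tail -f'ing and awk'ing logs" habit described in the post above, written out as an added example (editor's code, not part of the original message): a small POSIX shell/awk watcher that reads sshd lines as they arrive and raises an alert the moment one source address crosses a threshold of failed logins. The log lines, hostname, addresses and the `watch_auth` / `count_alerts` names are all constructed for the illustration; in real use the producer is `tail -F /var/log/auth.log` rather than the sample file.

```shell
#!/bin/sh
# Added example: real-time log watching with tail -f | awk.
# Everything below is hypothetical: sample syslog-style sshd lines are
# constructed here so the script runs offline.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 21 18:01:01 gw sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jul 21 18:01:02 gw sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Jul 21 18:01:04 gw sshd[2314]: Failed password for root from 203.0.113.5 port 41030 ssh2
Jul 21 18:01:05 gw sshd[2316]: Accepted publickey for sil from 192.0.2.10 port 50122 ssh2
Jul 21 18:01:06 gw sshd[2318]: Failed password for root from 198.51.100.7 port 33001 ssh2
Jul 21 18:01:07 gw sshd[2319]: Failed password for root from 203.0.113.5 port 41031 ssh2
Jul 21 18:01:08 gw sshd[2320]: Failed password for root from 203.0.113.5 port 41032 ssh2
EOF

# watch_auth THRESHOLD: read sshd lines from stdin and print one ALERT line
# the first time a source IP reaches THRESHOLD failed logins, plus an INFO
# line for each accepted login. Single-pass awk, flushed per line, so it
# keeps up with "tail -F auth.log | watch_auth 5" instead of buffering.
watch_auth() {
    threshold="${1:-3}"
    awk -v thr="$threshold" '
        # pull the address that follows the word "from" on this line
        function src_ip(    i) {
            for (i = 1; i <= NF; i++)
                if ($i == "from") return $(i + 1)
            return "?"
        }
        /sshd\[[0-9]+\]: Failed password/ {
            ip = src_ip()
            fails[ip]++
            if (fails[ip] == thr) {
                print "ALERT " $1 " " $2 " " $3 " " ip " reached " thr " failed logins"
                fflush()
            }
        }
        /sshd\[[0-9]+\]: Accepted / {
            print "INFO accepted login from " src_ip()
            fflush()
        }
    '
}

# count_alerts THRESHOLD: number of ALERT lines the watcher raises over the
# sample log (used to sanity-check the threshold logic).
count_alerts() {
    watch_auth "$1" < "$SAMPLE_LOG" | awk '/^ALERT/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample with a threshold of 3.
watch_auth 3 < "$SAMPLE_LOG"
```

Note the `fflush()` after each print: awk block-buffers stdout when it is not a terminal, so without it a `tail -F ... | awk ... | mail` pipeline would sit on alerts until the buffer filled. Counting per source rather than per line is what turns noisy single failures into something worth looking at.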
