Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On Sat, 07 Jan 2012 17:03:09 CST, Laurelai said:
Perhaps these companies should try to hire the kids owning them instead
of crying to the feds.

Most of the kids are skript kiddies, and don't really understand the *defense*
end of the security business very well. Sure, some may be better than skript
kiddies, and may be *incredible* at finding a memory overlay or an SQL
injection, but do they know how to *secure* against *everything*?

Does that kid know anything about "continuity of operations"? How to negotiate
with network providers to guarantee diverse cable paths? How to set up proper
audit trails so they can figure out what happened after the fact? How to deal
with physical security issues (how do you know the guy at the door works for
Oracle, and who empties your trash)? How to deal with a subpoena or a "hold
evidence" order? How to secure systems against insider threats and
embezzlement (still a big problem, even if hackers get more news time)? How to
ensure proper backups get done (this can be very non-trivial if you have
multiple petabytes of storage and need to do point-in-time recoveries)? How to
do all the other things involved in actually making a data processing facility
*secure*?

For all the flak the CISSP gets, it's *still* worthwhile to wander over and
take a quick peek at *all* the subject areas it covers (18 if I remember
right), and then ask yourself "How much does the average kiddie know about all
this?"

And there's another little problem: If you had a store, and somebody robbed
you at gunpoint, would you feel good about offering them a job because they
obviously need the money? Or would you tend to avoid that person as an
employee, because they've already proven they don't want to follow the rules?
And even if you're willing to give a felon another shot, what do you say to the
other employees when they say "You hired WHO? That guy shot Fred in the knee,
I'm outta here"?

And why should your answer be any different just because the attack involved a
computer rather than a 9mm?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/