Re: death of the security community



You know what I think it is, I think it's because no one really wants
to be secure anymore, because they won't be able to play their 'yahoo
games' correctly. I've gone into small companies and told them how
they need to be secure, and mentioned to cut out all this garbage
downloading that I know is full of spyware and just waiting to fill
the rest of the hd with crap, and they just brush it off because 'it
won't happen to them, it never has'
..just my opinion

On 3/21/06, Craig Wright <cwright@xxxxxxxxxxxxx> wrote:

And the links now that I have looked are:
http://www.ranum.com/security/computer_security/audio/index.html

Regards
Craig


-----Original Message-----
From: Craig Wright
Sent: 22 March 2006 8:00
To: 'Bob Radvanovsky'; John Vill; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: death of the security community

Hi,
Answer time...
"Is there such a thing as a 'script kiddie security analyst'?"
Yes, the term script kiddie was formulated over a decade ago by Marcus
Ranum to describe the "Big 6" (at the time - Big 4 now) "security
consultants" who were doing scripted tests. A junior staff member would
do the work from a form created by the manager and hence leverage.

As Bob put it - Google away - there is more than enough proof. I believe
it was also in the Blackhat 2000 keynote from Marcus. I am sure that
Marcus will have this on his site. This would be the "Script Kiddies
Suck" talk.

Re. "security assessment". The issue is with the wording. All
professional audit firms are covered in law at least in the "West" (and
I will not speak for more than the G8 and Australia) when the wording of
Audit is used.

It is true that the contract will worm around this. It will be an
"assessment", a "review" or an "agreed procedures process" etc. If you
want to have a real test, then it has to be worded using the correct
legal terms. Even then many times the work will be inadequate, but at
least there are consequences if the word audit is used. There is
liability for the audit firm if you can demonstrate a lack of due care
(i.e. scripted tests).

The test is: are they willing to give an audit certificate? What is
contained in the audit certificate? Are they just stating BS or are they
stating they have tested the systems and controls?

So as to proof and agreement/disagreement, it first depends on what is
being done - and I will agree that there is a large "worm" factor here
where legal wording is designed to get past this point. I should start a
course on this - "Pulling apart security vendor contracts for fun and
profit" ;) Being form based contracts this is usually easy (I am biased
on this point as it is a part of what I do)

To change tack, it should also be noted that unless (and it is unlikely
to be the case) an assignment of IP (Intellectual Property) is
completed, then the IP is likely to reside with the consulting firm...

Regards
Craig

-----Original Message-----
From: Bob Radvanovsky [mailto:rsradvan@xxxxxxxxxxxxx]

Extracted...

So tell me (either you, or anyone else reading this on the discussion
forum)...is there such a thing as a 'script kiddie security analyst'?
By this, I am referring to the many (so-called) "security consultants"
from the large security/auditing consulting companies who simply run a
suite of programs that are pre-defined in their requirements and puke
out a large report that looks intimidating, charging tens of thousands
of dollars to state that they've done a "security assessment". I
*challenge* anyone who works in this realm of the industry who feels
otherwise -- BUT TO TAKE MY CHALLENGE REQUIRES PROOF. If you disagree
with me, your mission is to provide something that disproves my "theory"
(the reason that I state "theory" in quotes is that I've been through 5
security [ahem] "assessments" from rather large, reputable consulting
firms, only to do the EXACT SAME BLOODY THING that I did before they did
theirs, and more importantly, have them charge between $50,000 and
$300,000 for an "assessment" -- I have proof, too) that larger security
consulting companies merely run the same set of suites of programs that
everyone can do (and does) "in-house".

Just because you know how to start the NMAP program does NOT constitute
that you know *how* to "run" NMAP and what it actually does. Too many
times, people have stated to me that they've run NMAP, but are unable to
tell me how they did their test, and why it was necessary.

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------