Firewall Wizards mailing list archives

Re: concerning ~el8 / project mayhem


From: Dave Piscitello <dave () corecom com>
Date: Thu, 22 Aug 2002 10:48:43 -0400

Certainly.

I've helped a handful of very small businesses run by friends and church associates. (Help is distinguished from consulting by the fee charged, e.g., beer vs. money)

These are mostly Microsoft Windows shops. They are business people who have DSL/EtherLoop access and I've installed SOHO firewalls for them.

Common properties:
- A/V is not on all computers, and virus definitions aren't up to date on those that have A/V
- every WinOS setting is set at defaults
- no system is passworded
- no one has any idea whatsoever what a security/hot fix is, or why they'd install a service pack


IMO this is not a good computing environment, and I encourage them to run Microsoft's Baseline Security Analyzer and several simple and free vulnerability assessment tools on their computers. Small business IT is like training children to have good hygiene early.

What's much more worrisome to me for such businesses is that they often purchase some vertical application software (real estate, credit card database, mortgage processing, medical) that runs on Linux, BSD, or SCO.

What's common on these machines:
- default *NIX configuration, dozens of services running, guest accounts, etc.
- the vendor insists that services like telnet/rcp, etc. be accessible through the firewall so that they can service the machine. In some instances, the application refers out to other servers.
- no one in the company can distinguish SCO from a scone...

Here's where I'd love to have Paul's "harden the server in 2 minutes" vulnerability assessment and mediation skills.

Confession. I would not classify myself as an outstanding *NIX admin. I make use of assessment tools on these and "sandbox" machines in my office to hopefully raise my competency to a level that is at least the value of a beer to my friends. Fortunately, I am often able to browbeat vendors into using SSH over telnet, and I implement as stringent a firewall policy as possible. So far, everyone's been able to stay off the radar.

We too often think of competency in terms of our own skill sets, enterprise budgets (lame though they may be, they are worlds better than what companies with annual earnings of six figures can afford), and (praise the vendor) evaluation equipment.

At 10:09 PM 8/21/2002 -0400, Anton J Aylward CISSP wrote:
On Wed, 2002-08-21 at 17:57, Dave Piscitello wrote:
> Scanners raise the competency levels of individuals who aren't quite as
> capable as Paul and others he and we might all identify as his equals.

Interesting assertion.  Could you explain it, please?

/anton


David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com
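As an added example (not code from Dave's post or anything in this thread), here is a small Python audit script for two of the *NIX defaults listed above: cleartext remote services still enabled in inetd (telnet, the r-services that rcp rides on, ftp) and guest or passwordless accounts in the password file. The inetd.conf and passwd contents are constructed samples, and the lists of cleartext service names and guest-style account names are the example's own assumptions, not anything from the post.

```python
# Added example: a quick audit for the *NIX defaults Dave lists (cleartext
# remote services enabled and guest/passwordless accounts). Not code from the
# post; the name lists and sample files below are assumptions/constructed.

# inetd service names that carry credentials in the clear (assumed list):
# telnet, the r-services (shell = rshd/rcp, login = rlogind, exec = rexecd),
# ftp, tftp and finger.
CLEARTEXT_SERVICES = {"telnet", "shell", "login", "exec", "ftp", "tftp", "finger"}

# Account names that are usually a vendor or install leftover (assumed list).
GUEST_NAMES = {"guest", "demo", "test", "anonymous"}

# Constructed sample of /etc/inetd.conf; one entry is already commented out.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
ssh     stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i
"""

# Constructed sample of /etc/passwd. An empty second field means no password
# at all (on a shadow-password system it would read "x" instead).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
guest::500:500:Guest Account:/home/guest:/bin/sh
vendor:x:501:501:Vendor Support:/home/vendor:/bin/sh
demo::502:502::/home/demo:/bin/sh
nobody:x:65534:65534:nobody:/:/sbin/nologin
"""


def enabled_cleartext_services(inetd_conf):
    """Names of enabled inetd entries that speak cleartext protocols."""
    found = []
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: the service is disabled
        fields = line.split()
        if len(fields) >= 6 and fields[0] in CLEARTEXT_SERVICES:
            found.append(fields[0])
    return found


def risky_accounts(passwd):
    """(user, reason) pairs for accounts an attacker would try first."""
    issues = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed or blank line
        user, pw, uid, _gid, _gecos, _home, shell = fields[:7]
        interactive = not shell.endswith(("nologin", "false"))
        if interactive and pw == "":
            issues.append((user, "empty password"))
        if interactive and user.lower() in GUEST_NAMES:
            issues.append((user, "guest-style account"))
        if uid == "0" and user != "root":
            issues.append((user, "extra uid 0 account"))
    return issues


def audit(inetd_conf, passwd):
    """Combine both checks into one report dict."""
    return {
        "cleartext_services": enabled_cleartext_services(inetd_conf),
        "risky_accounts": risky_accounts(passwd),
    }


if __name__ == "__main__":
    # On a real host, read /etc/inetd.conf and /etc/passwd instead.
    report = audit(SAMPLE_INETD_CONF, SAMPLE_PASSWD)
    for svc in report["cleartext_services"]:
        print(f"cleartext service enabled: {svc}")
    for user, reason in report["risky_accounts"]:
        print(f"account {user}: {reason}")
```

On the sample input the script flags ftp, telnet, login and finger (the commented-out rshd entry and sshd are left alone), and the guest and demo accounts for both an empty password and a guest-style name. On a shadow-password host the passwd check needs /etc/shadow for the empty-password test, and a box using xinetd or a service manager instead of inetd needs its own service listing; the point is the same as MBSA on the Windows side: a repeatable check that a non-admin can run before the vendor's telnet hole is opened through the firewall.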



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

