Full Disclosure mailing list archives

Re: [Full-Disclosure] RE: [Full-Disclosure]Open the doors to hell hire a hicker Full-disclosure Posts


From: Jesse Valentin <jessevalentin () yahoo com>
Date: Wed, 20 Oct 2004 07:50:37 -0700 (PDT)


Hey there Jan,

First let me say that I understand what you’re trying to say here, but I don’t agree with the way you expressed it. You mention that the point of “hiring people who don’t know much” is to ensure that people are following “policy and procedure and comply with audit”.

You also mentioned that security methodologies can be maintained by “ordinary computer folk”.

I know that sometimes, due to email, meanings can get misconstrued. Jan, maybe you were thinking one thing but it came out another way?

Here is my point, and tell me if you agree… first off, and as we know, security should be a lifecycle process and can be likened to an organic function in that it is always changing. You need to adjust your security measures to address ever-changing threats. Consider a simple firewall rule base… sure, you can set it up and forget about it, but chances are when the next exploit comes out that targets some authorized port, your current security stance becomes obsolete. An “ordinary computer person” is not going to have the skills to know how to research the latest threats or how they need to adjust these security rules to provide the protection you need.

The same can be said of an Info Sec policy… this document needs to be revisited on a periodic basis to make sure that the rules it lays out are in accord with necessary security practices. If the person doesn’t know much in the way of security, then this creates a liability for the company in which he is employed, as the policy will not address needed areas. Imagine an engineer who doesn’t understand HIPAA requirements and allows people on his network to send out patient info in the clear. Sure... this works from a networking and tech point of view, but from a security perspective it’s a total failure.

Security is another animal when you compare it with basic computer techs and engineers. Not that they are less talented… they just focus on a different discipline. The same way you wouldn’t send in a lawyer to do a triple bypass surgery, you can’t expect a computer tech or server admin to be able to address security needs if they haven’t been trained to do so.

Just some thoughts.

Jesse



On Mon, 18 Oct 2004 10:28:39 -0400, Clairmont, Jan M wrote:
Oh yeah, and we can trust you bozos not to put in backdoors, sploits and other
great modes of entry, yeah right. 8->, Hire the burglar to secure your home,
yeah right? Doh!

Just because J.Random Hacker starts out as an immature 17 year old
script kiddie breaking into random systems doesn't mean (assume he
avoids prison) he can't grow up to become a mature "security
professional" who knows how to follow a policy procedure, comply with
audit, and work a 9-to-5 job.

Scratch a thirty-something lead InfoSec consultant from any major
consulting firm (including the big four), and chances are you'll find
a "31337 Hax0r" from the 90's.

And this is excluding the obvious L0pht->@Stake->Symantec progression.
People mature over time, grow into a more "professional" attitude
without losing the inventiveness and insight that makes them
effective.


Sheessh what a stupid idea?

The whole point of hiring people who don't know much is that they follow
a policy procedure and comply with audit. I have yet to see a H&ck3r follow any
procedure. So how do you control anything such as policy etc., the wild west again?
You hire professional security people to maintain control, not chaos, and find methodologies,
procedures and products that are the most effective, test, re-test, remediate, deploy and defend.
And that can be maintained and operated by ordinary computer folk, who want to do an honest day's
work and collect their rightful pay, but maybe you never thought of that!

Sure, bean counters have their place too.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html