[rescue] Do you remember when? Security software.....

Michael A. Turner mturner at whro.org
Mon Aug 11 11:20:41 CDT 2003 

> I agree here on both counts.  You cannot do an efficient 
> audit of your own policies and security.  That in and of 
> itself would be a controls violation (not sure if you guys 
> are public or not, so it might not be illegal but it's still 
> not considered good practice.)  You can of course do your own 
> work so that your outside auditors don't find much to report.
> 

	Actually I feel real sorry for the contractor if they do pick them
up. I just heard the official reason my boss is looking into this again.
First a little back story. Our network is a wasteland. The network was never
planned, it grew. Sometimes it grew against it's own volition. Cases where
the CEO came in and said that he had been at a meeting and that now we are
going to host X or connect Y to the network cause it is good public
relations.

	So we have no firewall, no dmz, no bastions. All of our servers sit
on the internet with routable IP addresses and no one bothers to patch them
very often. Our administrator password has not changed in three years. When
I at least tried to implement a patching scheme my boss actively stopped me.
He has gotten burned by patches in the past, his philosophy is if it ain't
broke don't fix it. Our routers are all in the same state.

	So the official reason is that he is looking for someone to pay a
consultancy fee to every month and then ignore there advice. This is so that
when the catastrophic break in happens he can point at them to shift blame
from himself. This is a simple CYA move on his part and he has no intentions
of following any recommendations that he is given. He stated this to us all
in a meeting. I am not even reading between the lines here. He stated " I
want them around to take the fall if anything happens."

	As to public or not, we are a non-profit owned by the school
districts. So public, as in public television and radio, has a different
meaning here :-) .

> Secondly, as Walter stated, just using these apps doesn't 
> make you good or bad.  They are tools, used well they work 
> well, used poorly they work poorly.  The final report and 
> explanations would be the deciding factor.  I use these tools 
> all the time during security audits for outside companies but 
> the report outputs are never more than 10% or so of the final 
> report.  Most security issues are not technical ones anyway, 
> most are controls issues, and no software i know of can check 
> for that.
> 
> /KRM

	I just remember the Y2K consultants that were wandering around at
one point. The guy that the place I worked at then hired could not even log
onto the network. He just hit cancel on the machines when the login prompt
came up (95/98 OS). He then could not understand why he could not reach
network resources. I had to show him how to login and then he could not
remember the login he was given. All he did was walk around to every PC and
stick a disk into it. The disk ran and did all the checking for him. He then
complied a report from this info and cashed his check. The amazing part if
it took several months for him to do all this. total and complete rip-off.

Michael A. Turner
Systems Engineer WHRO
michael.turner at whro.org
http://www.whro.org

More information about the rescue mailing list