[rescue] Do you remember when? Security software.....
Curtis H. Wilbar Jr.
rescue at hawkmountain.net
Mon Aug 11 11:33:07 CDT 2003
Oh my god... how many of your employer's systems are "owned" ?
Or acting as spam reflectors ?
IRC bots ?
DDOS hosts ?
Your boss should be fired.
At least implement a filtering policy in the router if a firewall
is not going to be used....
Wow.... is working there stressful ?
>From: "Michael A. Turner" <mturner at whro.org>
>To: "'The Rescue List'" <rescue at sunhelp.org>
>Subject: RE: [rescue] Do you remember when? Security software.....
>Date: Mon, 11 Aug 2003 12:20:41 -0400
>> I agree here on both counts. You cannot do an efficient
>> audit of your own policies and security. That in and of
>> itself would be a controls violation (not sure if you guys
>> are public or not, so it might not be illegal but it's still
>> not considered good practice.) You can of course do your own
>> work so that your outside auditors don't find much to report.
> Actually I feel real sorry for the contractor if they do pick them
>up. I just heard the official reason my boss is looking into this again.
>First a little back story. Our network is a wasteland. The network was never
>planned, it grew. Sometimes it grew against its own volition. Cases where
>the CEO came in and said that he had been at a meeting and that now we are
>going to host X or connect Y to the network cause it is good public
> So we have no firewall, no dmz, no bastions. All of our servers sit
>on the internet with routable IP addresses and no one bothers to patch them
>very often. Our administrator password has not changed in three years. When
>I at least tried to implement a patching scheme my boss actively stopped me.
>He has gotten burned by patches in the past, his philosophy is if it ain't
>broke don't fix it. Our routers are all in the same state.
> So the official reason is that he is looking for someone to pay a
>consultancy fee to every month and then ignore their advice. This is so that
>when the catastrophic break in happens he can point at them to shift blame
>from himself. This is a simple CYA move on his part and he has no intentions
>of following any recommendations that he is given. He stated this to us all
>in a meeting. I am not even reading between the lines here. He stated " I
>want them around to take the fall if anything happens."
> As to public or not, we are a non-profit owned by the school
>districts. So public, as in public television and radio, has a different
>meaning here :-) .
>> Secondly, as Walter stated, just using these apps doesn't
>> make you good or bad. They are tools, used well they work
>> well, used poorly they work poorly. The final report and
>> explanations would be the deciding factor. I use these tools
>> all the time during security audits for outside companies but
>> the report outputs are never more than 10% or so of the final
>> report. Most security issues are not technical ones anyway,
>> most are controls issues, and no software i know of can check
>> for that.
> I just remember the Y2K consultants that were wandering around at
>one point. The guy that the place I worked at then hired could not even log
>onto the network. He just hit cancel on the machines when the login prompt
>came up (95/98 OS). He then could not understand why he could not reach
>network resources. I had to show him how to login and then he could not
>remember the login he was given. All he did was walk around to every PC and
>stick a disk into it. The disk ran and did all the checking for him. He then
>compiled a report from this info and cashed his check. The amazing part is
>it took several months for him to do all this. Total and complete rip-off.
>Michael A. Turner
>Systems Engineer WHRO
>michael.turner at whro.org
Hawk Mountain Networks
rescue at hawkmountain.net