[rescue] Do you remember when? Security software.....

Curtis H. Wilbar Jr. rescue at hawkmountain.net
Mon Aug 11 11:33:07 CDT 2003

Oh my god... how many of your employer's systems are "owned" ?

Or acting as spam reflectors ?

IRC bots ?

DDOS hosts ?


Your boss should be fired.

At least implement a filtering policy in the router if a firewall
is not going to be used....

Wow.... is working there stressfull ?

-- Curt

>From: "Michael A. Turner" <mturner at whro.org>
>To: "'The Rescue List'" <rescue at sunhelp.org>
>Subject: RE: [rescue] Do you remember when? Security software.....
>Date: Mon, 11 Aug 2003 12:20:41 -0400
>> I agree here on both counts.  You cannot do an efficient 
>> audit of your own policies and security.  That in and of 
>> itself would be a controls violation (not sure if you guys 
>> are public or not, so it might not be illegal but it's still 
>> not considered good practice.)  You can of course do your own 
>> work so that your outside auditors don't find much to report.
>	Actually I feel real sorry for the contractor if they do pick them
>up. I just heard the official reason my boss is looking into this again.
>First a little back story. Our network is a wasteland. The network was never
>planned, it grew. Sometimes it grew against it's own volition. Cases where
>the CEO came in and said that he had been at a meeting and that now we are
>going to host X or connect Y to the network cause it is good public
>	So we have no firewall, no dmz, no bastions. All of our servers sit
>on the internet with routable IP addresses and no one bothers to patch them
>very often. Our administrator password has not changed in three years. When
>I at least tried to implement a patching scheme my boss actively stopped me.
>He has gotten burned by patches in the past, his philosophy is if it ain't
>broke don't fix it. Our routers are all in the same state.
>	So the official reason is that he is looking for someone to pay a
>consultancy fee to every month and then ignore there advice. This is so that
>when the catastrophic break in happens he can point at them to shift blame
>from himself. This is a simple CYA move on his part and he has no intentions
>of following any recommendations that he is given. He stated this to us all
>in a meeting. I am not even reading between the lines here. He stated " I
>want them around to take the fall if anything happens."
>	As to public or not, we are a non-profit owned by the school
>districts. So public, as in public television and radio, has a different
>meaning here :-) .
>> Secondly, as Walter stated, just using these apps doesn't 
>> make you good or bad.  They are tools, used well they work 
>> well, used poorly they work poorly.  The final report and 
>> explanations would be the deciding factor.  I use these tools 
>> all the time during security audits for outside companies but 
>> the report outputs are never more than 10% or so of the final 
>> report.  Most security issues are not technical ones anyway, 
>> most are controls issues, and no software i know of can check 
>> for that.
>> /KRM
>	I just remember the Y2K consultants that were wandering around at
>one point. The guy that the place I worked at then hired could not even log
>onto the network. He just hit cancel on the machines when the login prompt
>came up (95/98 OS). He then could not understand why he could not reach
>network resources. I had to show him how to login and then he could not
>remember the login he was given. All he did was walk around to every PC and
>stick a disk into it. The disk ran and did all the checking for him. He then
>complied a report from this info and cashed his check. The amazing part if
>it took several months for him to do all this. total and complete rip-off.
>Michael A. Turner
>Systems Engineer WHRO
>michael.turner at whro.org
>rescue list - http://www.sunhelp.org/mailman/listinfo/rescue

Curtis Wilbar
Hawk Mountain Networks
rescue at hawkmountain.net

My e-mail is protected against viruses and spam by MailGuardian
          Top notch protection at unbelievable prices

More information about the rescue mailing list