
List:       firewalls-gc
Subject:    Re: Harsh Security audits? -reply
From:       "Greg Collins" <gcollins () dqisystems ! com>
Date:       1998-02-27 2:54:01

I would agree with almost everything below. The problem we are facing is
that prior to the official audit we had advised the client to install a
firewall. He refused ... "we are being protected by our ISP's firewall" was
the reasoning. I was able to demonstrate that I could Telnet into the
network and that no firewall existed. But still no chance of a firewall
going in. Then, after that, we were asked to perform the audit. Did they
think we would not recommend with great emphasis the need for a firewall?
Anyway, I have made a proposal to come back in and clean up the most glaring
security problems. Then return an updated report reflecting the new security
stance... before the next board meeting. I hope this will solve the problem.

Greg Collins
Data Quest Information Systems
voice -423-588-4757
fax - 423-945-3846
gcollins@dqisystems.com
"I have but one thing which cannot be taken from me, and that is my
integrity. It I must give up of my own will."
-----Original Message-----
From: Dave Whitlow <dwhitlow@wend.dircon.co.uk>
To: mht@clark.net <mht@clark.net>
Cc: Craig I. Hagan <hagan@cih.com>; Greg Collins <gcollins@dqisystems.com>;
firewalls@GreatCircle.COM <firewalls@GreatCircle.COM>
Date: Thursday, February 26, 1998 7:00 PM
Subject: Re: Harsh Security audits? -reply


>Please people,
>
>I see lots of talk about how to present *our* findings and how dumb these
>people are and how we should hit 'em with the bare truth.  I think we're
>failing them if that's the stance we take.
>
>Let's take a step back and look at what we have:
>
>1) Their network security stinks.  Are they alone?  Hell no, it's pretty
>common.  Tell them that.
>
>2) The sysadmins who run it probably know it stinks too.  Trouble is,
>there are too few of them, doing too much, in too little time.  Basically,
>they need help.
>
>3) Someone commissioned an external review.  In my view they score a few
>points there.  Security doesn't earn them money and all too often is only
>important after it has failed. I suspect most of us know about the horse
>and the stable door.  However, they've got budget *and* used it to pay an
>outsider to tell them how bad it is, rather than that server upgrade they
>really needed. Sounds like they're asking for help.
>
>
>And ... what's the best help you can give them then?
>
>A "bad" report makes everybody look bad.  If we make their people look bad
>the report is either going to be hidden (they don't want heads to roll) or
>will be used as political ammunition (they want heads to roll).  Does this
>really help them and earn your fee?
>
>In my experience most folk who are doing sysadmin jobs can do a reasonable
>job *if* they are given support.  Usually, they're ignored when it is
>going well, hassled because things are taking too long or used as a
>football when things break.  There is not enough focus on security -
>that's not what earns revenue for their business.
>
>
>So, the approach I'd suggest is:
>
>1) Don't hide the facts - that would be betraying your own integrity.  In
>any case, you'd lose credibility and who'd commission reports from you in
>future?  However, make the truth *useful* to the recipients.
>
>2) Make the guy who commissioned the report feel like a hero and help him
>understand the risks and give him a report which he can use to justify
>spending more money on security.
>
>3) Prioritise the problems and recommendations so they can see what will
>take them nearer to what you consider acceptable.  Like me, most security
>folk aren't paranoid - they *know* that they really are out to get you ;-)
>
>These people just need educating - that's your job.
>
>4) Show them tools that they can use to measure their security problems.
>I'm not saying this will make things more secure.  However, it'll make it
>easier for them to make the best use of their limited resources.
>
>A tool which provides metrics enables them to make it easy to draw pretty
>charts which can be used to show how the money spent on security is
>getting results.  I can feel the flames coming here but ... without
>measurements how can you manage?
>
>5) Show them how testing should be part of their deployment and admin
>cycles and how it can be used to gradually improve things.  Make
>yourselves available when they need ad hoc advice.  Call them to check how
>things are going.
>
>If you do this, they'll be grateful and happy to pay your fee.  They'll have
>a report which helps them do their job better and ....  perhaps they'll
>invite you back in 6 months :-)
>
>
>Cheers,
>
>Dave
>-------------------------------------------------------
>Dave Whitlow, Idsec Ltd, UK
>Mail: dwhitlow@idsec.co.uk
>Web:  http://www.idsec.co.uk
