List: firewalls-gc
Subject: Re: Harsh Security audits? -reply
From: "Greg Collins" <gcollins () dqisystems ! com>
Date: 1998-02-27 2:54:01
I would agree with almost everything below. The problem we are facing is
that prior to the official audit we had advised the client to install a
firewall. He refused ... "we are being protected by our ISP's firewall" was
the reasoning. I was able to demonstrate that I could Telnet into the
network and that no firewall existed. But still no chance of a firewall
going in. Then, after that, we were asked to perform the audit. Did they
think we would not recommend with great emphasis the need for a firewall?
Anyway, I have made a proposal to come back in and clean up the most glaring
security problems. Then return an updated report reflecting the new security
stance... before the next board meeting. I hope this will solve the problem.
Greg Collins
Data Quest Information Systems
voice -423-588-4757
fax - 423-945-3846
gcollins@dqisystems.com
"I have but one thing which cannot be taken from me, and that is my
integrity. It I must give up of my own will."
-----Original Message-----
From: Dave Whitlow <dwhitlow@wend.dircon.co.uk>
To: mht@clark.net <mht@clark.net>
Cc: Craig I. Hagan <hagan@cih.com>; Greg Collins <gcollins@dqisystems.com>;
firewalls@GreatCircle.COM <firewalls@GreatCircle.COM>
Date: Thursday, February 26, 1998 7:00 PM
Subject: Re: Harsh Security audits? -reply
>Please people,
>
>I see lots of talk about how to present *our* findings and how dumb these
>people are and how we should hit 'em with the bare truth. I think we're
>failing them if that's the stance we take.
>
>Let's take a step back and look at what we have:
>
>1) Their network security stinks. Are they alone? Hell no, it's pretty
>common. Tell them that.
>
>2) The sysadmins who run it probably know it stinks too. Trouble is,
>there are too few of them, doing too much, in too little time. Basically,
>they need help.
>
>3) Someone commissioned an external review. In my view they score a few
>points there. Security doesn't earn them money and all too often is only
>important after it has failed. I suspect most of us know about the horse
>and the stable door. However, they've got budget *and* used it to pay an
>outsider to tell them how bad it is, rather than that server upgrade they
>really needed. Sounds like they're asking for help.
>
>
>And ... what's the best help you can give them then?
>
>A "bad" report makes everybody look bad. If we make their people look bad
>the report is either going to be hidden (they don't want heads to roll) or
>will be used as political ammunition (they want heads to roll). Does this
>really help them and earn your fee?
>
>In my experience most folk who are doing sysadmin jobs can do a reasonable
>job *if* they are given support. Usually, they're ignored when it is
>going well, hassled because things are taking too long or used as a
>football when things break. There is not enough focus on security -
>that's not what earns revenue for their business.
>
>
>So, the approach I'd suggest is:
>
>1) Don't hide the facts - that would be betraying your own integrity. In
>any case, you'd lose credibility and who'd commission reports from you in
>future? However, make the truth *useful* to the recipients.
>
>2) Make the guy who commissioned the report feel like a hero and help him
>understand the risks and give him a report which he can use to justify
>spending more money on security.
>
>3) Prioritise the problems and recommendations so they can see what will
>take them nearer to what you consider acceptable. Like me, most security
>folk aren't paranoid - they *know* that they really are out to get you ;-)
>
>These people just need educating - that's your job.
>
>4) Show them tools that they can use to measure their security problems.
>I'm not saying this will make things more secure. However, it'll make it
>easier for them to make the best use of their limited resources.
>
>A tool which provides metrics enables them to make it easy to draw pretty
>charts which can be used to show how the money spent on security is
>getting results. I can feel the flames coming here but ... without
>measurements how can you manage?
>
>5) Show them how testing should be part of their deployment and admin
>cycles and how it can be used to gradually improve things. Make
>yourselves available when they need ad hoc advice. Call them to check how
>things are going.
>
>If you do this, they'll be grateful and happy to pay your fee. They'll have
>a report which helps them do their job better and .... perhaps they'll
>invite you back in 6 months :-)
>
>
>Cheers,
>
>Dave
>-------------------------------------------------------
>Dave Whitlow, Idsec Ltd, UK
>Mail: dwhitlow@idsec.co.uk
>Web: http://www.idsec.co.uk