Speaking from experience, security audits from the feds have been much deeper and uncomfortable than any big four (or however many there are today) accounting/risk firms. "Some" feds are true wizards and may be the same "black hat" irc buddy you are in awe of.
Script kiddies are called that for a reason. Anyone remotely experienced with IT Security better know Nessus and NMAP. Anyone selling "expertise" had better provide more than a report based solely on those two tools.
In terms of using a test environment, well that's a good thing. Running an unannounced cyber Pearl Harbor attack on the real grid is what some folks call reckless.
Regarding why are these systems on the net, well that may have something to do with commerce, deregulation, and the need to accomodate web based transactions without requiring a private T1 line that adds it's own concerns of risk, redundancy, and dependency.
Maybe that's the misinformation... perfect countermeasure to any blogsters "too close to the truth" posting. Even better, this is a nice "blogs are bad" meme to inject in as a side benefit.
...outsourcing, outside the country, so that the very information the spooks deem "sensitive" and "worthy" will first be massaged by third world employees who may very well be closer aligned with those fighting the U.S..
I concur that fear has been blasting our senses via the news, and by making the boogey man ephemeral and nebulous, any gauge of effectivenes (or lack thereof) is purely speculative.
By throwing in scenarios like the tapping of Christiane Amanpour, of CNN, one also opens up the ability of tapping Kerry advisor Christiane Amanpour. Democracy's key strength is diluting the demands of the mob through checks and balances, but given the compromises to Democracy to satisfy corporate and government interests that's a moot point as well.
Where's H.L. Mencken when you need him.
Given the recent Sony debacle regarding DRM software opening up garage doors that were used to hide malware/spyware/etc, how can you realisticly know which is which within the OS? How can you accomodate "good" spys without opening yourself up to "bad" ones? Isn't it best to default to no spy until proven otherwise?
Also, how about a boot disk a la Knoppix that one could use to identify and remove zombies/bots/etc easily without the need to reinstall?
But if you architect your environment such that network checks and host checks complement your policy, so you don't rely solely on one or the other sentry to do it's job, there's much less wiggle room for an exploit to work.
One example is not allowing IRC if you don't use it. Many worms and rootkits attempt to open up an IRC channel, so this layered approach would prevent the potential zombie from "reporting in" via the firewall, which is configured to block IRC ports. Likewise configuring hosts to only run what they need minimizes exposure from a network breach.
It's like securing a "real life" event by knowing who "should" be there, not trying to remember who "shouldn't" be there. That creates a smaller set to focus on.
I'm not saying it's simple, just easier.
So don't get immersed in cataloging all the things in the wild, that burns too many cycles and changes everyday. Just catalog that which needs to be done. Once you understand what needs to run, and how, and with who, etc. configure your systems and networks to accomodate those needs, and only those needs.
Apply all rules such that you permit what you need to, and default to drop.
It makes the world much smaller and less scary, and much easier to manage.
This is a condensed version of Markus Ranum's "Six Dumbest Ideas In Computer Security" (google it) that did wonders for my ability to more effectively resource those limited resources.
A good friend of mine, CCIE, network genius type, had his home network locked down tight. He did all the right things, kept his passwords to himself, not even sharing them with his wife.
Then he died.
Getting back into that thing was a chore.
Make sure you address disaster recovery, especially if you ARE the disaster.
Slashdot Mirror
So how much do they pay us if we watch the ads MORE than once?
Speaking from experience, security audits from the feds have been much deeper and uncomfortable than any big four (or however many there are today) accounting/risk firms. "Some" feds are true wizards and may be the same "black hat" irc buddy you are in awe of. Script kiddies are called that for a reason. Anyone remotely experienced with IT Security better know Nessus and NMAP. Anyone selling "expertise" had better provide more than a report based solely on those two tools. In terms of using a test environment, well that's a good thing. Running an unannounced cyber Pearl Harbor attack on the real grid is what some folks call reckless. Regarding why are these systems on the net, well that may have something to do with commerce, deregulation, and the need to accomodate web based transactions without requiring a private T1 line that adds it's own concerns of risk, redundancy, and dependency.
Maybe that's the misinformation... perfect countermeasure to any blogsters "too close to the truth" posting. Even better, this is a nice "blogs are bad" meme to inject in as a side benefit.
...outsourcing, outside the country, so that the very information the spooks deem "sensitive" and "worthy" will first be massaged by third world employees who may very well be closer aligned with those fighting the U.S.. I concur that fear has been blasting our senses via the news, and by making the boogey man ephemeral and nebulous, any gauge of effectivenes (or lack thereof) is purely speculative. By throwing in scenarios like the tapping of Christiane Amanpour, of CNN, one also opens up the ability of tapping Kerry advisor Christiane Amanpour. Democracy's key strength is diluting the demands of the mob through checks and balances, but given the compromises to Democracy to satisfy corporate and government interests that's a moot point as well. Where's H.L. Mencken when you need him.
Given the recent Sony debacle regarding DRM software opening up garage doors that were used to hide malware/spyware/etc, how can you realisticly know which is which within the OS? How can you accomodate "good" spys without opening yourself up to "bad" ones? Isn't it best to default to no spy until proven otherwise? Also, how about a boot disk a la Knoppix that one could use to identify and remove zombies/bots/etc easily without the need to reinstall?
But if you architect your environment such that network checks and host checks complement your policy, so you don't rely solely on one or the other sentry to do it's job, there's much less wiggle room for an exploit to work. One example is not allowing IRC if you don't use it. Many worms and rootkits attempt to open up an IRC channel, so this layered approach would prevent the potential zombie from "reporting in" via the firewall, which is configured to block IRC ports. Likewise configuring hosts to only run what they need minimizes exposure from a network breach. It's like securing a "real life" event by knowing who "should" be there, not trying to remember who "shouldn't" be there. That creates a smaller set to focus on. I'm not saying it's simple, just easier.
So don't get immersed in cataloging all the things in the wild, that burns too many cycles and changes everyday. Just catalog that which needs to be done. Once you understand what needs to run, and how, and with who, etc. configure your systems and networks to accomodate those needs, and only those needs. Apply all rules such that you permit what you need to, and default to drop. It makes the world much smaller and less scary, and much easier to manage. This is a condensed version of Markus Ranum's "Six Dumbest Ideas In Computer Security" (google it) that did wonders for my ability to more effectively resource those limited resources.
A good friend of mine, CCIE, network genius type, had his home network locked down tight. He did all the right things, kept his passwords to himself, not even sharing them with his wife. Then he died. Getting back into that thing was a chore. Make sure you address disaster recovery, especially if you ARE the disaster.