Rebuttal:
<snip>
Commenting on the thoroughness of the ISS reporting tool...
This month's Internet Computing Magazine (formerly ZD Internet Magazine),
page 31, Product Watch (Security Crackdown), discusses the new reporting
features of ISS utilizing the power of Crystal Reports.
In regards to a single, large entity sitting behind security technology, it
would definitely be a very interesting area to organize and spend a large
amount of $$ on, similar to the Microsoft Certification program, to assure some
sort of standardization of security auditing.
>I would expect this is the norm. There is no single, large and very public
>entity (i.e. MS, Novell, etc.) sitting behind security technology who is
>spending large $$ on marketing to get their point across. Also, I do not think
>that any one security/firewall vendor has gobbled up enough market share to be
>able to leverage their training programs.
>
>For example, you get the same thing in the LAN/WAN world. Sure, Cisco and the
>like have training programs, but how many people working in this field have
>actually achieved this or any other related certification? Also, when it comes
>to consulting, how many clients actually push back and state "I want to see
>applicable credentials for the Engineer that will be doing the work"? The lack
>of this challenge is what allows the situation you describe to perpetuate
>itself.
Specifically, if a security audit is being conducted, the people doing the
work should be familiar with the client's environment before engaging, and
the proposal should state the objectives in a very clear and concise
statement of work: "We are conducting a security audit of the following, and
we will use blah, blah tools."
>
>Finally, I think there are some misconceptions by people outside the field that
>an MS or Novell certification automagically makes you an expert in every topic
>dealing with computers. After all, a firewall is just another piece of software
>that runs on NT, right? <eg>
Agreed.
>
>
>> My question is who certifies them to ensure the following: 1. They actually
>> understand what they are auditing. 2. They can interpret the results of an
>> ISS/Ballista scan and not just present the report. 3. They attended training
>> at one of the various vendors to understand how to use the tool.
>
>I see this as being a "time" issue. It is going to take time for organizations
>to be able to identify the differences between a good and a bad security audit.
>This will push back and force "security auditors" to seek out certification. I
>see this as taking longer than typical engineering work as it is difficult to
>identify immediate results.
Yes, agreed. I think the security auditing industry is still in its infancy,
very similar to the Java programmer community.. :)
>
>For example, if I show up at your site as a consultant to fix your down server,
>you'll have a pretty good idea by the time I am done whether I have a clue or
>not (i.e. did I fix the server). With a security audit, the results are not so
>immediate. It may be months or years before a security breach is attempted, or
>detected.
I actually disagree, if you have a well-prepared statement of work listing
the particular items you will conduct the security audit on. I do want to state
the following: a security audit team should always have written permission
to conduct a security audit before any work is started for any client. A
portion of a security audit should reveal some of the known breaches that a
typical scan can reveal. If you have at least a couple of known problems, you
can at least assess some sort of level of risk to it.
For example, running Crack against a system that has weak passwords. Crack
reveals that the client's CEO uses the password Pre$ident on all systems
he/she has access to. The risk assessment should note that passwords are
easily guessable, but the risk should also be correlated to a security
policy to enforce it..
>
>
>> This situation concerned me since the customer was given the perception
>> that the people conducting the work were actually bona fide "Certified"
>> Security Auditors. Is this the common trend currently??
>
>I do not see this as any different than every company under the sun claiming to
>be "business partners" with MS. It's simply marketing hype. Can a company
>certify their own "security auditors"? Absolutely. The question is, does it
>really mean anything? Don't get me wrong, I agree with your statements 100%.
>The issue is that until clients start insisting on having certified auditors, I
>do not see this trend changing any time soon. This does not however mean that a
>consulting company can not take it upon themselves to do it right. Just that
>there is less motivation to do it if it has not hit them in the old pocket book
>yet.
Hopefully, two things can happen over time: 1. security auditors are
properly trained by some experienced folks before they are sent to customer
sites, and 2. customers are more aware of what a security audit is.
Sincerely,
A concerned security/firewall type person
/mht
>
>Cheers,
>Chris
>--
>**************************************
>cbrenton @ sover . net
>
>Multiprotocol Network Design & Troubleshooting
>http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
>
>Support the anti-spam movement: http://www.cauce.org/
>
>
>
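The Crack example in the reply above, worked through as an added illustration that is not part of the original thread: a small offline password audit in the style of Crack, which mangles dictionary words, compares them against stored hashes, and then rates each hit against a written policy, as the reply argues a risk assessment should. The accounts, salts and hashes are constructed for the example; salted SHA-256 stands in for whatever hash the audited systems actually use; the word list and mangling rules are a toy subset of a real rule set; and the policy thresholds (10 characters, 3 character classes) are assumptions, not something stated in the thread.

```python
import hashlib

# Added example (not from the thread): a Crack-style offline password audit
# that also rates each hit against an assumed written password policy.

# Leet-style substitutions, a small subset of what a Crack rule set applies.
SUBS = {"s": "$", "a": "@", "o": "0", "e": "3", "i": "1"}


def digest(salt, password):
    """Salted SHA-256 stands in for whatever hash the audited systems use."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample accounts: (user, privileged?, salt, stored hash).  In a
# real audit these come from the client's password files, collected only
# with written permission; the plaintexts here exist only to build the sample.
ACCOUNTS = [
    ("ceo",    True,  "x1", digest("x1", "Pre$ident")),
    ("jdoe",   False, "y2", digest("y2", "summer99")),
    ("sysadm", True,  "z3", digest("z3", "Tq7!vR2#pLm9")),
]

# Toy word list; a real run uses tens of thousands of words.
WORDLIST = ["president", "summer", "password", "welcome"]


def mangle(word):
    """Return (rule, candidate) pairs for one dictionary word: case variants,
    one substitution class at a time, and two appended digits."""
    out = []
    cases = [("as-is", word), ("capitalize", word.capitalize()),
             ("upper", word.upper())]
    for rule, base in cases:
        out.append((rule, base))
        for ch, rep in SUBS.items():
            if ch in base.lower():
                cand = base.replace(ch, rep).replace(ch.upper(), rep)
                out.append((f"{rule}+{ch}->{rep}", cand))
        for n in range(100):
            out.append((f"{rule}+2digits", f"{base}{n:02d}"))
    return out


def policy_violations(password, min_len=10, min_classes=3):
    """Check a recovered password against an assumed written policy:
    minimum length and number of character classes used."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())
    classes = sum(any(check(c) for c in password) for check in checks)
    violations = []
    if len(password) < min_len:
        violations.append(f"shorter than {min_len} characters")
    if classes < min_classes:
        violations.append(f"fewer than {min_classes} character classes")
    return violations


def audit(accounts, wordlist):
    """Try every mangled candidate against every account hash.  Each hit
    becomes a finding with the word and rule that produced it, the policy
    clauses it violates, and a risk rating."""
    candidates = [(w, rule, cand) for w in wordlist for rule, cand in mangle(w)]
    findings = []
    for user, privileged, salt, stored in accounts:
        for word, rule, cand in candidates:
            if digest(salt, cand) == stored:
                violations = policy_violations(cand)
                # Guessable is at least medium; a privileged account or a
                # password the client's own policy already forbids is high.
                risk = "high" if privileged or violations else "medium"
                findings.append({"user": user, "password": cand, "word": word,
                                 "rule": rule, "violations": violations,
                                 "risk": risk})
                break  # one recovery per account is enough for the report
    return findings


if __name__ == "__main__":
    for f in audit(ACCOUNTS, WORDLIST):
        print(f"{f['user']}: {f['password']!r} via {f['word']} [{f['rule']}] "
              f"risk={f['risk']} violations={f['violations']}")
```

The point of carrying the rule name into the finding is the one the reply makes: the report should not just say "weak password", it should say which policy clause the password violates (here the length clause for Pre$ident, length and character classes for summer99) so the client can tie the finding to something they can enforce. The sysadm account survives the toy rule set, which is exactly the kind of negative result that only means something if the statement of work said which word lists and rules were run.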