> In regards to a single, large entity sitting behind security technology, it
> would definitely be very interesting area to organize and spend large
> amount of $$ on similar to Microsoft Certification program to assure some
> sort of standardization of security auditing..
Agreed however it is a market saturation thing. Every network needs some form of
network operating system, not every network needs a firewall or security audit.
While names like Sun, Novell and MS are common, giving them leverage to push their
training programs, there is no equal in the security world. Heck, I've had IS
Managers ask me who "Cisco" was (I know I've seen their name on 18 wheelers) and
did they make a reliable product. I can imagine the reaction to a name like
> >see this as taking longer than typical engineering work as it is difficult to
> >identify immediate results.
> Yes, agreed, I think the security auditing industry is still in its infancy
> very similar to the JAVA Programmer community.. :)
Except again, JAVA programming can produce immediate results (the program works or
it does not). The determination of whether a security audit "works" or not may be
far more fluid.
> I actually disagree, if you have well prepared statement of work, of the
> particular items you will conduct the security audit on.
So how does a client, who is probably not security savvy themselves if they are
bringing in an auditor, determine if a statement is "well prepared"? Comments like
"scan all servers for known vulnerabilities" go a long way towards generalizing
the process and diluting what will actually be done.
> A portion of a security audit should reveal some of the known breaches that a
> typical scan can reveal. If you find at least a couple of known problems, you
> can at least assess some sort of level of risk to it.
But now you are looking at two things:
1) The auditor actually understands what they are doing
2) The client is already somewhat security savvy.
As for item 1, this was the reason you initially posted, was it not? <g>
As for item 2, while I am sure that you would have no problem identifying a good
from a bad audit, many clients are not in this boat. Typically, if the auditor
identifies a few problems (like missing passwords) the assumption is that it must
have been effective, even if they missed the management password on the Shiva
> For example, Running Crack against a system that has weak passwords. Crack
> reveals that the client's CEO uses the password Pre$ident on all systems
> he/she has access to.
Or are you suggesting perhaps an Operations Manager? Does their secretary know
their password as well? <EG>
Okay. So the auditor cracked a password. This can be done with many canned tools.
This really does not speak to the efficiency level of the auditor. You could
easily write a script to do this yourself, and let others actually do the work. It
does not mean they understand "security", just that they know how to run your
script and hand the client a report. In effect, the software becomes the actual
auditor, not the person behind it.
> Hopefully, two things can happen over time, 1. security auditors are
> properly trained by some experience folks before they are sent to customer
> sites and 2. That customers are more aware of what a security audit is.
I agree completely. Without both ends it will remain a black arts field of study
that will be plagued with shoddy workmanship. Not to say we are all clueless on
this, but then again I just saw a few more "unsubscribe" messages hit the list. ;)
Multiprotocol Network Design & Troubleshooting
Support the anti-spam movement: http://www.cauce.org/