At 01:31 PM 17/02/98 -0500, Mark Teicher wrote:
## Reply Start ##
>Anton,
>
>Certification does exist and I do agree with you that it counts for
>something, but not enough of the larger sized entities who engage in
>security audits actually send their people to the CISSP program.
Very true.
>They are more interested in being billable than helping the customer.
We've been down this road before. Let's stop flogging a dead
horse. The people that hire the Big N-1 are hiring them for the name,
not the results. It's an issue of showing to shareholders that they
have practiced "due diligence". It's like Santa Claus. Everyone
knows it's all a Big Lie, but everyone subscribes to it. Except the
irreligious people like you and me.
>What I have been trying to gauge of this thread, is
>a way to help educate those organizations of people who have established
>themselves as 'bonafide security experts' and in reality are not.
You're preaching on the one hand to the choir (people like myself)
and on the other to the apes and monkeys. They're not going to
be converted to the One True Faith, since it means that working for
the Big N-1 shows that they're hypocrites. Now there are a lot of
apostates who _used_ to work for the Big N-1 and saw the Error of
Their Ways, and have Sought Out The TRUTH. But they are another matter,
and they probably don't need certifying.
>I am very much interested in structuring a program/conference for not only
>experienced security auditors and wannabe security auditors to discuss
>different methods of security audits and such.
Right, good.
And in order to be recognized, the people who need to get certified
will need to have a major body which is recognized by all those
companies out there, one which will convince them that this is all
serious. And what do you want to bet that due to the inherent shape
of the Universe this will end up being one of the Big N-1. Or Micro$oft.
>The governing bodies then would certify or require people to be certified
>through these various agencies or establishments.
Right. That's what I just said.
Everyone will accept a certification if it comes from Ernst & Young and
was drawn up by Micro$oft. Big corporations like the USgovernmint
will accept this gladly as proof of competence and relevance.
>Continual learning of systems, tools and proper business conduct is
>something that is much needed in this CHAOTIC industry. If something is not
>proposed now, the situation can indeed become worse than it already is..
Here I disagree with you, and with others who have bombarded
me with mail.
The tools are just a means to an end. What is necessary
is to understand the fundamentals, the Ohm's laws and the
Maxwell's equations.
Example: I audited a site last June. First thing I
noticed walking thru the front door was that the front
doors were not visible from reception. There were no
locks on the internal doors and the computer room had
no lock. The company had previously had equipment
stolen, and despite my report highlighting this,
no locks were installed until this year when an
ex-employee was found removing a major server.
The company still doesn't have a policy or
anything in their contract of employment about
information security and has repeatedly refused my
proposal to write policy, procedures and controls for them.
I tried to get the president to sign off on a one pager
saying "Security matters" - nogo.
Now tell me what use is a detailed knowledge of ISS or
the bugs in the NT stack in a situation like this?
>Anton, Let's fix the dike instead of just sticking your fingers in the
>various holes. Cheers, btw, I am all out of fingers...
I would point out that the above scenario, which while dramatic
is far from rare and only slightly worse than 80% of what I
encounter, is a marvelous case of the fingers and the dyke.
This client wanted band aids (fingers) to stop the bleeding.
It all gets back to auditing the architecture. You look up the
biblical quotation; my ex still hasn't returned my bibles or Koran.
If the foundations are weak, if the architecture isn't sound, no
amount of Window(tm) dressing will make things right.
An ISS scan saying no vulnerabilities is just window dressing.
As I've pointed out, you or I could set up a machine which would
pass such a scan but still be CFM. And vice versa. See my
earlier postings to this thread.
And as Fred Cohen points out elsewhere, we're still battling people
who think "security" means PRIVACY rather than INTEGRITY.
Sigh.
Yes, I advocate better quality in the profession. But what I've seen
discussed so far about certification is playing right back into the
hands of the Big N-1 and the Big Vendors. As in
You can't possibly know how to audit one of our {routers,firewalls,
scanners,computers,hubs,pretzelbenders,onoffswitches} unless you
know how to configure it and you can't possibly know how to
configure it unless you've taken one of OUR courses at mucho $$
Right. Just like my (ex-E&Y) accountant friends can't set up a
COA (That's Chart of Accounts, not a Certificate of Authority in some
proprietary crypto system) on an accounting package unless they've been
on the vendor's course..... and I can't drive an automatic GM because
I was trained on a standard Ford.... and so on.
Until we have something like the CISSP's Generally Accepted System
Security Principles underlying a certification, I'll keep yelling NO!
/anton
## Reply End ##