It's these kinds of audits that distract sysadmins from the security that actually makes things more secure. It drives a wedge between security people and the sysadmins.
Carolyn

On Wed, Dec 3, 2014 at 10:59 AM, Mark R Lindsey <[email protected]> wrote:
> The internal security audits are a sham. Here are two examples:
>
> At Banks: "We must have a physical firewall to pass the audit." Then the
> audit is performed by a former CPA who doesn't even review the
> configuration on that firewall. You can have a firewall with a
> default-allow policy that passes. But if you have server-based firewalls
> (e.g., iptables) on EVERY server, then that doesn't count for anything.
>
> Another example, done at some US government networks: We have to update
> all the software on any box that was originally installed as Linux...UNLESS
> it's an embedded Linux in a product. In the case of
> Linux-used-as-core-of-another-product, then the product basically gets a
> pass on security reviews.
>
> On Dec 3, 2014, at 10:42 , Jan Schaumann <[email protected]> wrote:
> >
> > Hello,
> >
> > I'm currently exploring the intersection of #sysadmin / #infosec[1] a
> > bit. There is obvious overlap, yet at many companies the two camps also
> > frequently end up at loggerheads. I'd like to collect some feedback:
> >
> > What #infosec or (PCI) compliance mandates and rules drive you nuts?
> > What (seemingly or actually) pointless, braindead things are demanded of
> > you?[2]
> >
> > On the flip side, what are some of the security related concepts or
> > fundamentals that you think junior sysadmins are frequently lacking or
> > having trouble understanding?[3]
> >
> > Feel free to email me off-list, if you prefer. Alternatively, you can
> > also reply to the tweets referenced.
> >
> > Thanks in advance!
> > -Jan
> >
> > [1] https://twitter.com/jschauma/status/540153322670661632
> > [2] https://twitter.com/jschauma/status/539626083583541249
> > [3] https://twitter.com/jschauma/status/539918484663062529
_______________________________________________ Discuss mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
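Editor's added example, not part of the thread above: the firewall story in Mark's quoted message turns on the difference between "has a firewall" and "firewall is default-deny", and that is a check a reviewer can run in seconds against `iptables -S` or `iptables-save` output. The script below reads such output from stdin and reports whether INPUT and FORWARD really are default-deny, treating an unconditional trailing `-j DROP`/`-j REJECT` as equivalent to a DROP policy and ignoring non-filter tables. The three rulesets in it are constructed samples, not captured from any host, and the function and sample names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): the configuration review the auditor
# in Mark's story skipped. Feed it `iptables -S` or `iptables-save` output.
# Exit status 0 means INPUT and FORWARD are both default-deny, 1 means at
# least one of them is default-allow. All rulesets below are constructed.

audit_default_policy() {
    awk '
    # iptables-save groups rules by table; only the filter table decides what
    # is accepted. `iptables -S` has no table header, so table stays "".
    /^\*/ { table = substr($1, 2); next }
    table != "" && table != "filter" { next }

    # Chain policy: "-P CHAIN POLICY" (iptables -S) or ":CHAIN POLICY [p:b]" (iptables-save).
    $1 == "-P" { policy[$2] = $3 }
    /^:/       { policy[substr($1, 2)] = $2 }

    # Match options always precede -j, so a rule with -j in field 3 has no
    # match at all: it ends the chain for every packet that reaches it and
    # makes an ACCEPT policy unreachable.
    $1 == "-A" && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { catchall[$2] = 1 }

    END {
        bad = 0
        n = split("INPUT FORWARD", chains, " ")   # OUTPUT is deliberately out of scope
        for (i = 1; i <= n; i++) {
            c = chains[i]
            if (!(c in policy)) {
                print c ": no policy line seen"; bad = 1
            } else if (policy[c] == "DROP") {
                print c ": default-deny (policy DROP)"
            } else if (c in catchall) {
                print c ": default-deny (policy " policy[c] " masked by catch-all rule)"
            } else {
                print c ": default-allow (policy " policy[c] ", no catch-all rule)"; bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample: a box that "has a firewall" but accepts anything unmatched.
sample_default_allow() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
}

# Constructed sample: the same allow-list with a DROP policy underneath it.
sample_default_deny() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
}

# Constructed sample in iptables-save form: ACCEPT policy but a trailing
# catch-all DROP, plus a nat table that must not confuse the check.
sample_save_catchall() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF
}

# Run the three samples. On a live host:  iptables -S | audit_default_policy
for s in sample_default_allow sample_default_deny sample_save_catchall; do
    echo "== $s"
    "$s" | audit_default_policy || echo "   -> would fail a real configuration review"
done
```

The check only looks at the filter table's INPUT and FORWARD chains, which is what "default-allow" means for traffic reaching or crossing the box; OUTPUT policy is a separate question, and nftables-native rulesets need the `nft list ruleset` equivalent. Run it against every host-based firewall as well as the "physical" one, since the point of the story is that the host rulesets are the ones doing the work.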
