Recently a wide variety of "computer security experts" seem to be crawling
out of the woodwork, espousing their opinions on computer and network
insecurity. In many cases they are spreading what has come to be known
as FUD: Fear, Uncertainty and Doubt.

But what is often quoted as an "expert" is someone who is so incompetent
that he (or she) cannot even avoid being caught and thrown out of school
and/or arrested. And others actually recommend illegal "remedies" for
finding or solving computer security problems. That any business would use
these as "consultants" or "authoritative references" makes one wonder if they
also hire convicted arsonists as fire marshals or known burglars as guards.

While it is true that the ones who have exploited information systems
vulnerabilities in the past know where those specific vulnerabilities were,
they are NOT the only ones. Their method of becoming well known usually
involves getting caught by a marginally effective law enforcement worker, so
spectacularly violating the public trust that they are famous the same way
Hitler or Stalin were (this is a good thing????), becoming a well-known liar
(aka "social engineering" à la Mitnick) or otherwise violating the trust
needed to perform the service so needed by companies today.

And just because someone is well known in one area does not mean that he, or
she, "has a clue" in any other arena. A "computer hacker" may know the ins
and outs of a particular program or information system and its
vulnerabilities but have no idea that there are vital continuity of operations
considerations associated with business operations, and they have usually
demonstrated an abysmal ignorance and/or disregard of any legal and ethical
implications. Would YOU want someone who has demonstrated a lack of
comprehension of the implications of what they are doing to have full access
to YOUR vital systems?

The REALLY good "hackers" will not be found out, will not be caught and
quite possibly will never be detected. These so-called experts bragging on
their past "accomplishments" are simply demonstrating their ineptitude by
their inability to avoid detection. Would YOU want someone who has
demonstrated incompetence to have full access to YOUR vital systems?
_______________________
The opinions expressed above are my own. The facts simply are and belong to
none.
James W. Meritt, CISSP, CISA
Senior Secure Systems Engineer at Wang Government Services, Inc.