"Ng, Kenneth (US)" wrote:
> 
> I have had the worst-case scenario happen to me.  I hardened a server, and
> then the admin people went back in and changed so many things that what I
> did was a joke.  It went something like this: ME: "what you did made the
> server insecure".  THEM: "but you said you secured it".  ME: "I did, I
> changed things that are like putting a lock on a door, what you did was not
> only unlocking the door, but removing the door and putting a signal flare
> next to the door to tell everyone it's there." THEM: "So?"  ME: "so now it's
> not only not secure, but you are advertising that it is not secure".  THEM:
> "but you said it was secure".  ME: "when I left it it was secure".  THEM:
> "but we never had problems before".  ME: "you can try playing Russian
> roulette and pull the trigger twice and you may live.  How many more times
> do you want to keep trying?".  THEM: "but we need to do this to get our work
> done".  ME: "then here is how you do it properly, I've already installed and
> configured the programs for you, you just need to use them".  THEM: "I don't
> have the time to waste on your theoretical problems, I need to get real work
> done".  And it goes on and on and on.

Well, I've been in that situation before and since my responsibilities
permitted it I spent some time exploiting the vulnerable system to show
and document the impact of not fixing the problems.  When a business
person is handed sensitive business/customer data, database passwords,
server private keys, etc. it is suddenly a lot less theoretical and
action is taken to fix it.  Doing these penetration tests has had the
single greatest impact in motivating system/network administrators and
business managers to allocate the necessary time and resources to
implement security policies and standards that hadn't been diligently
followed or in some cases had been completely ignored.

I know mjr doesn't agree with this approach but I feel much better once
the system is properly protected especially since I have also been a
customer using those services.

Now, patches have become part of standard builds and sysadmins are
keeping up to date with new issues.  We publish and circulate high risk
issues and remedies with an expected compliance date (in some cases as
short as 24hrs).  Then we start doing discovery on high risk systems.
If we can compromise them and the compliance date hasn't been met, it
gets escalated and the responsible parties get a red flag in the
production assurance score for the day.  Every line of business and
support team is represented in the production assurance checkpoint
meetings so everybody across the entire corporation knows.  Talk about
motivation to fix the problems.

-paul
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]