* Eric Johnson sez:
: > I know a lot of sites featuring the latter, and the former is what
: > Jonas told...
:
: I keep a very close eye on the system and check the logs daily.
: I'm not running any special monitoring software.
:
: All I see are the usual attempts. Who knows how capable they
: are?

This is why good companies should have a Red Team of experts doing
penetration analysis and code reviews even if the company's focus does
not lie within the security field. I agree that OpenBSD has its
advantages compared to Linux, but most of them can be found in the time
saved to migrate authentication to something stronger than crypt() or
general kernel code reviews.

I am still browsing new commits to the OpenBSD core code and I will
continue reading source code before I install - and again I agree that
the standard Linux way of doing things (binaries instead of sources) may
cause more work, but this is nothing an OS is to blame for; this is
something that needs to be exercised by the owner.

My main reason for not using Windows is my reluctance to bet the
prosperity of my company on a product I don't know. It's my
responsibility to put a green checkmark on something, and I will not do
so unless I have had my look (I will definitely overlook things, but I
want to keep these things to a minimum).

Security, as I said before, is a process. OpenBSD can be made a cracker
and kiddie-haven just by exercising gross negligence. Without proper
procedures and standards in place, without a staff of people capable of
thinking on their own, without someone willing to take ownership and
enforce the execution of standards, no system is secure.

Today we're facing three basic problems: "Experts in network security",
"Most secure products" and "Unbreakable Security". If you accept that
security is not a product, cannot be bought or sold, then you'll be able
to introduce security into your network. You can buy expertise, help or
simply pay someone with the right mindset to do security for you, but
never will the mere replacement of your NetBSD box with OpenBSD bring
you more security.

So-called "Leaders in Network Security" keep sending me emails telling
me that my GnuPG signature is a dangerous file and - after mailing back
and forth - admit to being an 'Entrust Shop' (btw. am I the only one to
get maxon.ca's mails after I mention virus names or for my GPG sig?).
These people did not understand. For them, security is a product (eSave),
not a process. Rather than replacing their broken MUAs with something
better suited and educating their employees (I'd call these things
'deployment process' and 'awareness process') they rely on a product
(I'd call this ......). Products are somehow reflections of standards or
procedures, right, but they never make the whole picture.