Date: Sun, 08 Jan 2012 20:08:14 +0000
From: Dave <mrx@...pergander.org.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response

On 07/01/2012 23:32, Valdis.Kletnieks@...edu wrote:
> On Sat, 07 Jan 2012 17:03:09 CST, Laurelai said:
>> Perhaps these companies should try to hire the kids owning them instead
>> of crying to the feds.
> 
> Most of the kids are skript kiddies, and don't really understand the *defense*
> end of the security business very well.  Sure, some may be better than skript
> kiddies, and may be *incredible* at finding a memory overlay or an SQL
> injection, but do they know how to *secure* against *everything*?
> 
> Does that kid know anything about "continuity of operations"? How to negotiate
> with network providers to guarantee diverse cable paths?  How to set up proper
> audit trails so they can figure out what happened after the fact? How to deal
> with physical security issues (how do you know the guy at the door works for
> Oracle, and who empties your trash?) How to deal with a subpoena or a "hold
> evidence" order?  How to secure systems against insider threats and
> embezzlement (still a big problem, even if hackers get more news time)? How to
> ensure proper backups get done (this can be very non-trivial if you have
> multiple petabytes of storage, and need to do point-in-time recoveries)? How to
> do all the other things involved in actually making a data processing facility
> *secure*?
> 
> For all the flak the CISSP gets, it's *still* worthwhile to wander over and
> take a quick peek at *all* the subject areas it covers (18 if I remember
> right), and then ask yourself "How much does the average kiddie know about all
> this?"
> 
> And there's another little problem:  If you had a store, and somebody robbed
> you at gunpoint, would you feel good about offering them a job because they
> obviously need the money?  Or would you tend to avoid that person as an
> employee, because they've already proven they don't want to follow the rules?
> And even if you're willing to give a felon another shot, what do you say to the
> other employees when they say "You hired WHO? That guy shot Fred in the knee,
> I'm outta here".
> 
> And why should your answer be any different just because the attack involved a
> computer rather than a 9mm?

CISSP is just the beginning of security skills... Far ranging but shallow.
I considered gaining a CISSP but it only proves that I can pass an exam.
Unfortunately many courses these days only teach one to pass the exam.

Professing to be an expert whilst comparing myself to the average user may well be true.
But in all honesty I am only as good as the scenarios I have encountered and understood.

I have been playing around with computers since I got a ZX Spectrum; I know an awful lot about I.T., computers and IT security.
I progressed from first line support to management during my career, yet I still consider myself a noob when I read some of what the
contributors to this list have to say. Thanks for the continuing education guys/gals.

I expect senility to kick in before I consider myself some kind of guru.
The problem lies with those who consider themselves a guru after passing an exam.


