lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1078918328.4082.21.camel@adesk>
From: full-disclosure at illuminated.nl (Aschwin Wesselius)
Subject: [11:29:07 security.rc] RE: Where to start

On Wed, 2004-03-10 at 06:17, Aditya, ALD [Aditya Lalit Deshmukh] wrote:
> > 
> > Does a good security-officer have to know everything about every hole? I
> > myself don't think so, but where do people start?
> 
> security officer is more of a complience officer, he makes sure that all the users, admin and  other it staff stick to the policies created.
> 

I think this title is different in every company, just as system
adminstrator can also mean you have to do network adminstration. In The
Netherlands, where I live, job descriptions are growing pretty wild with
even more exotic titles while demanding hilarious combinations of skills
or certifications. But still they want young people with experience. Go
figure.

> > I want to learn more about security stuff, but I can't find the real
> > basics to build upon anywhere. When there are posts on lists they
> > presume that everybody has a certain knowledge level and are aware of
> > best practices. But is this true?
> 
> to start the basics some of the more experienced members of this list will point you out just the right sources but take all the advice with a grain of salt.
> 

I like to cross reference when I am in doubt of a subject or statement
from anybody. As soon as another source says something similar the doubt
decreases. Another one on this list stated to always test any findings
in your own environment and if different post the results back where
needed. This is off course the scientific approach.

> > Just because there are discussions, it seems that there is not one
> > overall and central way of keeping track of evolving issues. How do
> > people keep track easily with up to date best practices and not get
> > distracted by "old" advisory?
> 
> discussion is a good way to keep currunt and adapt your existing infrastructure for the latest threats
> 

Jep, I do understand that one. But how is it realistic, to fight against
current or most recent threats and letting gaps exists wich where
discovered last year? Some people just step in today, but are not
completely aware of good old school tricks wich might still be appliable
or even exploitable in his/her very own network? Then, yes you keep
track of "popular" exploits, but are vulnerable for things real veteran
crackers come up with.

There should be some checklist to go trough with some chronology so you
can check your network or just your system against it. Or do those tools
available nowadays it for you? I think you can't depend on just simple
thinking that the most recent version of your software is patched
against old threats........

Anybody with a good insightful thought?

(I was told this list is not appropiate for discussions like this...
where to go? besides SecurityFocus where I've submitted myself to)

Aschwin Wesselius


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ