North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: How to get better security people

  • From: E.B. Dreger
  • Date: Tue Mar 26 17:03:43 2002

> Date: Tue, 26 Mar 2002 12:56:39 -0500 (EST)
> From: batz <[email protected]>

(snip)


> Nimda and CodeRed were excellent indicators of how a good
> security policy can be a competetive edge during (increasingly common)
> global incidents. Hopefully we will see more security folks pressing
> this message, and more decision makes hearing it. 

Sun Tzu and Lao Tze in the 3967/3561 thread...

...anyone else read Demming or other TQM proponents?  Visible
numbers only syndrome is the problem with many people's attitudes
toward security...

I could name a local (Wichita) company that for the longest time
was running IIS4 + SP5, vulnerable to the iishack buffer overrun.
They stored their websites and company files on said machine.
The goons^H^H^H^H^Hconsultants who set it up gave a big "it's
secure because it's NT -- look, it asks for passwords" spiel that
management bought.

Even after one of their employees _demonstrated_ how an arbitrary
person could break in.  Response?  "We're not that big... nobody
would be that interested in us."  Warnings about random scans
fell on deaf ears.

Service patches were never applied.  When some suspicious
happenings left said server inoperable, they just installed
Win2000 and went on, not caring what had happened or why.

No, I was not the employee.  A friend of mine worked there before
getting fed up and quitting.

"If it works, it must be right," versus, "It doesn't truly work
unless it's right."  I find it amusing how the same people keep
who keep things under tight physical lock and key are so lax and
apathetic about electronic security.

As Demming said, "People who buy on price alone deserve to get
rooked."


Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--

Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <[email protected]>
To: [email protected]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <[email protected]>, or you are likely to be blocked.