Do you even have your CISSP? -Adam
On Tue, 1 Mar 2005 12:53:05 -0500, John Paul Ashenfelter <[EMAIL PROTECTED]> wrote:
> On Tue, 1 Mar 2005 16:24:58 -0000, Robertson-Ravo, Neil (RX)
> <[EMAIL PROTECTED]> wrote:
> > Agreed, that original statement reeks of idiocy itself.
>
> How many of your servers have open, externally accessible MS-SQL
> ports? Maybe you should go open your MS-SQL box to the world because
> you certainly wouldn't be an idiot to keep it open, right?
>
> Ignoring *fundamental* security issues is, at best, negligent. Ignoring
> known, common, dangerous, documented, publicized security issues seems
> to me to count as "idiotic" but you can call it "poor practice",
> "negligent", "a mistake" or some other less offensive word if you need
> to.
>
> > From: Dave Watts [mailto:[EMAIL PROTECTED]
> > > As an aside, there are *plenty* of ways to scan for open SQL
> > > Server ports on your network to find those MSDE installs, so
> > > I'll maintain that anyone with an unsecured SQL Server of any
> > > type is, in fact, and idiot.
> >
> > That's all well and good, but many people using products which include MSDE
> > aren't network administrators, and don't know about port scanning or any
> > other things that network administrators might know about, and they
> > shouldn't have to know those things. Not knowing things like this doesn't
> > make one "and idiot".
>
> That's true, not "and idiot", but "an idiot" :)
>
> If they are putting a server on a naked Internet connection with an
> external address, they certainly *should* be aware of basic security.
> Even "normal" home users are aware of the need for firewall (and av)
> software. A $40 dsl/cable/etc router contains a decent enough firewall
> to protect an MS-SQL server behind it with no more work than plugging
> it in and turning it on.
>
> Seriously, running any externally facing app without basic security
> precautions makes you *not* an idiot? The level of even basic
> security-awareness should be part of every developer's toolbox -- at
> least anyone worth hiring. And the excuse that "I didn't know MSDE
> was part of the application" or "I'm not a sysadmin" is a pretty poor
> one. How hard is the Microsoft Baseline Security Analyzer to use? How
> hard is it to read the docs?
>
> Of course securing the port doesn't prevent weak passwords. Or the
> possibility of SQL Injection attacks. Or any of a myriad other common
> security weaknesses.
>
> The assumption that "I didn't know" is an acceptable excuse relating
> to security, whether it's configuration (e.g. firewall settings) or
> code (e.g. SQL injection vulnerabilities) is a key reason why people
> get cracked. And frankly, I care less about someone with poor security
> getting hacked (something along the lines of "getting what you
> deserve") than what their zombie server can do to my sites or one of
> the sites I count on -- or about the consequences of the use/misuse of
> my data they're storing.
>
> When a security issue can affect *me*, then I've got a stake in making
> sure people do the right thing -- I think security is black and white
> (you don't see a "Grey Hat" security conference...) Maybe there are
> varying *degrees* of security idiocy, but all things considered, I'll
> err on the side of spending the time/money/effort on security instead
> of taking the risk of being a victim of the "security is too hard"
> syndrome.
> --
> John Paul Ashenfelter
> CTO/Transitionpoint
> (blog) http://www.ashenfelter.com
> (email) [EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196983
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54