The internal security audits are a sham. Here are two examples:

At banks: "We must have a physical firewall to pass the audit." Then the audit is performed by a former CPA who doesn't even review the configuration on that firewall. You can have a firewall with a default-allow policy that passes. But if you have server-based firewalls (e.g., iptables) on EVERY server, then that doesn't count for anything.

Another example, done at some US government networks: We have to update all the software on any box that was originally installed as Linux... UNLESS it's an embedded Linux in a product. In the case of Linux-used-as-core-of-another-product, then the product basically gets a pass on security reviews.

> On Dec 3, 2014, at 10:42 , Jan Schaumann <[email protected]> wrote:
>
> Hello,
>
> I'm currently exploring the intersection of #sysadmin / #infosec[1] a
> bit. There is obvious overlap, yet at many companies the two camps also
> frequently end up at loggerheads. I'd like to collect some feedback:
>
> What #infosec or (PCI) compliance mandates and rules drive you nuts?
> What (seemingly or actually) pointless, braindead things are demanded of
> you?[2]
>
> On the flip side, what are some of the security related concepts or
> fundamentals that you think junior sysadmins are frequently lacking or
> having trouble understanding?[3]
>
> Feel free to email me off-list, if you prefer. Alternatively, you can
> also reply to the tweets referenced.
>
> Thanks in advance!
> -Jan
>
> [1] https://twitter.com/jschauma/status/540153322670661632
> [2] https://twitter.com/jschauma/status/539626083583541249
> [3] https://twitter.com/jschauma/status/539918484663062529
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

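The bank example above turns on an auditor never reading the firewall's ruleset. As an added illustration (not part of the thread), here is the kind of check an audit could run instead: it reads an `iptables -S`-style rule dump and fails when the INPUT or FORWARD chain defaults to ACCEPT. The sample dump is constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example: audit the host firewall's default policy instead of ticking
# a "firewall exists" box. Input is an `iptables -S` style dump (one rule per
# line) on stdin, so it runs offline against a saved dump or a captured one.
# Assumes POSIX sh and awk only.

# Constructed sample dump: INPUT is default-allow, FORWARD default-deny.
# OUTPUT is deliberately left ACCEPT; only inbound/forwarded traffic is judged.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'

# default_allow_chains: read a rule dump on stdin and print each built-in
# chain (INPUT, FORWARD) whose policy line "-P <chain> ACCEPT" makes it
# default-allow, one chain name per line. Prints nothing when both deny.
default_allow_chains() {
    awk '$1 == "-P" && $3 == "ACCEPT" && ($2 == "INPUT" || $2 == "FORWARD") { print $2 }'
}

# audit_firewall: read a rule dump on stdin; exit 0 when INPUT and FORWARD
# default to deny, exit 1 (naming the offending chains) when either is
# default-allow. A ruleset that only passes because of "-P INPUT ACCEPT"
# fails here regardless of how many explicit rules follow it.
audit_firewall() {
    bad=$(default_allow_chains)
    if [ -n "$bad" ]; then
        echo "FAIL: default-allow policy on: $(printf '%s' "$bad" | tr '\n' ' ')"
        return 1
    fi
    echo "PASS: INPUT and FORWARD default to deny"
    return 0
}

# Stand-alone run against the constructed dump; the exit status is the verdict.
printf '%s\n' "$SAMPLE_RULES" | audit_firewall
echo "exit status: $?"
```

Feed a live system with `iptables -S | audit_firewall`, or a saved dump with `audit_firewall < rules.txt`.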