Edward, I never said "security expert," someone with a degree in the field hardly qualifies as an expert.
I agree with what you're saying, and as someone in the security field I have bumped up against other individuals who are all about the process and not willing to apply any common sense to the situation; they have a program and a checklist and they need to go through it all so they can get home at 5pm. Compliance is a whole different game (and a mostly pointless one at that, IMHO) than what Stephan seems to be after. Don't lump all the people with experience in the security field in as compliance monkeys.

Ryan Peck

On Sat, May 18, 2013 at 8:16 AM, Edward Ned Harvey (lopser) <[email protected]> wrote:

> > From: [email protected] [mailto:[email protected]]
> > On Behalf Of Ryan
> >
> > A whole mess of things to consider. If you have a person with a security
> > related degree or who has done work like this, bring them in. It is more
> > complicated than just "running a scan".
>
> I unfortunately have a very low opinion of somebody being a "security
> expert," brought in to do scans. For PCI compliance, one of my clients
> needs to submit to a security company to periodically scan them. Until I
> came along, they had a PPTP vpn server which was actually insecure, with
> weak encryption protocols, and everyone using a shared password based on
> the company name. I threw it away and put up an IPsec vpn server instead,
> which was actually secure. Then the security scanning folks started
> triggering alerts for us - "You're using IPSec aggressive mode with PSK.
> We don't know if you're using a strong key." So I wrote them a letter
> explaining 256 bit random key selection, which cleared the alert but only
> temporarily. We will need to resubmit that letter every 3 months in order
> to keep the IPSec available. So I threw it out and built an SSL vpn. They
> can scan and see our key strength automatically. Then they started
> throwing a new alert, "Site certificate domain name mismatch," which is
> false. We used a wildcard cert *.domain.com, where the vpn server is
> vpn.domain.com. But their stupid script only knows our IP address, not
> our dns name. I tried writing them a letter to say what our dns name is,
> but they don't have any way of recording it. Their stupid script can only
> know your IP address, and from it, must be able to autodetect your dns
> name. They say this corresponds to intrusions that have been reported "in
> the wild," which is purely for the sake of making the customer stop arguing
> about it. Our choices are to either replace the wildcard cert with a
> single-dns-name cert (so their script can autodetect our dns name) or get
> the ISP to configure reverse dns. So, thanks to their security scan, I
> opted to downgrade from the wildcard cert to a free cert with explicit dns
> name.
>
> I see stuff like this all the time. They have dumb flags that trigger
> alerts, and the process is about jumping through hoops, rather than
> actually making intelligent security decisions. Oh - the PCI compliance
> firm - they only bother scanning the external IP of our software
> development center. Don't even bother scanning our production web-facing
> servers. Very, very moronic and not representative of actual security.
>
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
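The "Site certificate domain name mismatch" alert in the quoted message comes down to how a certificate's names are matched against the reference the scanner uses. The following is an added example, not code from the thread or from any of the participants: it implements the RFC 6125 matching rules a TLS client applies, runs them over a constructed certificate dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and shows why `*.domain.com` covers `vpn.domain.com` but can never cover a bare IP address. The certificate contents, the `203.0.113.5` address and all hostnames are constructed sample values.

```python
import ipaddress

# Constructed sample in the shape ssl.getpeercert() returns (not a real cert):
# a wildcard cert like the one described in the thread.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
}

# Constructed sample of a cert that also carries an iPAddress SAN, which is
# the only SAN type that can satisfy a client connecting by IP literal.
IP_SAN_CERT = {
    "subject": ((("commonName", "vpn.domain.com"),),),
    "subjectAltName": (("DNS", "vpn.domain.com"), ("IP Address", "203.0.113.5")),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName matching.

    A '*' is accepted only as the entire leftmost label, it matches exactly one
    label (so '*.domain.com' does not cover 'a.b.domain.com'), and a wildcard
    needs at least two further labels so '*.com' is rejected. Case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial wildcards such as 'f*.domain.com' are not honoured
    if len(p_labels) < 3:
        return False  # '*.com' would cover a whole TLD
    if len(p_labels) != len(h_labels):
        return False  # wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert: dict, reference: str) -> bool:
    """Return True if `reference` (a DNS name or an IP literal) is covered.

    An IP literal is compared only against iPAddress SANs; it never matches a
    dNSName, which is exactly the case a scanner hits when it only knows the
    IP of a host presenting a wildcard certificate.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if not dns_names:
        # Legacy fallback: the CN is consulted only when no SAN entries exist.
        dns_names = [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    return any(_dns_name_match(p, reference) for p in dns_names)


def name_check_report(cert: dict, references: list) -> dict:
    """Map each reference the verifier might use to the match outcome."""
    return {ref: cert_matches(cert, ref) for ref in references}


if __name__ == "__main__":
    refs = ["vpn.domain.com", "domain.com", "a.b.domain.com", "203.0.113.5"]
    for name, cert in (("wildcard", WILDCARD_CERT), ("ip-san", IP_SAN_CERT)):
        print(name, name_check_report(cert, refs))
```

The report for the wildcard certificate is what a scanner that only holds the IP sees: every DNS reference matches, the IP literal does not. Adding an `IP Address` SAN is the only way a certificate can match an IP-only check, which is rarely desirable on a public address; the alternatives the message describes (a single-name cert plus reverse DNS so the scanner can derive the hostname) are the usual way to give the verifier a DNS name to match against.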
