[Techtalk] Security professionals/hobbyists -- Opinions?

Raven Alder raven at oneeyedcrow.net
Mon Aug 5 18:08:51 EST 2002


Heya --

Quoth Megan Golding (Sat, Aug 03, 2002 at 08:05:00AM -0700):
> According to a 1999 SANS survey[1] of about 1800 security experts,
> the top management error that leads to vulnerabilities in networks is
> the assignment of untrained people to security roles and providing
> neither training nor time.

	If they even bother to assign someone to the security role at
all.  There are all too many big companies that prefer the
head-in-the-sand ostrich approach.
 
>  * Do you think lack of training is really the
>    top explanation for weak security?

	Lack of caring, then lack of putting qualified people in the
right jobs.  That can be done by training folks, or by hiring already
skilled people.  But unless your employee is willing to put in a lot of
their own spare time into keeping current on security issues, you're
going to have to invest some of their time on learning about new
vulnerabilities and techniques for protecting against them.  I know
friends whose employers objected to them reading Bugtraq at work because
"it was a waste of valuable company time".  Fair enough if they were
chefs or something, but when you're a sysadmin that's information you
need to have. 

>  * If we think of "training" in the formal sense,
>    where one attends courses, which security 
>    certifications carry the most value? Least?

	CISSP seems to be the one that most people are asking for, but I
think the SANS GIAC is a lot more helpful and intensive.  (Not that I've
been myself, but I've seen the requirements for both certs.)  

>  * If we count "training" in the SANS survey 
>    as acquiring knowledge (regardless of the 
>    source), can you describe the optimal environment
>    for acquiring maximum knowledge -- how
>    many people are there? What types of experience?

	It probably depends on the individual and how they learn best.
I learn well by reading, then doing.  So I read Stevens on protocols,
and then I fire up tcpdump to see what packets look like, etc.  I find
going to conferences valuable, both for the talks and for the informal
off-hour chatting.  And I'm a big fan of mailing lists.  [grin]

>  * Have any horror stories you're willing to share?
>    Network breakins because of some lack of 
>    knowledge on your or someone else's part?

	Heh.  Lots.  I do (among other things) incident response.  Most
of the incidents were caused by poor configuration or lack of updating.
I had a good number of sysadmin friends hit by the Lion worm -- that's a
prime example.  I had the IOS on one of the Cisco routers at an old job
replaced with an MP3 of Weird Al singing "It's all about the Pentiums,
baby".  Router wouldn't boot, I wonder why, oh my God.  That one was
caused by lack of turning off unnecessary services and patching (router
running exploitable web server).  My personal server has been rooted
twice, both times through a compromised user account (and from that
point, it's only a matter of time).  User stored their passwords on
their home boxes, home boxes got rooted, keystroke sniffer installed, oh
look, a free login to oneeyedcrow.net.  And there wasn't a whole lot I
could have done about that that I wasn't already doing.  "Don't give out
shell accounts until you're uber-paranoid" was the end solution there.

	Good luck with your article; let us know when it's out.  I'm
interested.

Cheers,
Raven
 
"Do you want to go?  Do you want to go to Vegas with us and eat up
 all the little script kiddies?  Yes you do!  Yes you do!"
  -- Rogue, to her cat Pyewacket just before DefCon
