> You really want to put them out of
> business? STOP USING THEIR PRODUCTS. How many
> other ways can it be said?

Amen.

> It is not like there aren't alternatives out
> there. There are other OSes (free & non), other
> browsers, other free media players, other free
> office suites, etc.

I have StarOffice installed on a Win2K system. It works reasonably well, so far, and I've used it to edit Word and PPT docs that I've transferred from other machines.

> But as consultants,
> contractors, and vendors we are not pushing our
> customers to make the change.
> Time for a better solution.

For the time being, can't we recommend to our clients such things as ACLs and monitoring? How about developing, implementing, and following security policies and procedures? Of the few sites that I've seen that actually have such things, managers have done very little to hold admins responsible for actually following the procedures.

Ex: Backup procedures clearly state that backups will be verified and stored in an off-site location. Management did little to provide an off-site location, so admins were taking copies home. When an incident occurred, they found out that the backups hadn't been verified...

The point is this...if senior management is serious about security as a whole, they'd provide the necessary resources...adequate numbers of personnel, training, etc. Many times, a lot doesn't get done b/c the admin staff (a) is too busy w/ helpdesk ops, and (b) wouldn't really know what to do anyway (how many times have I asked data center folks for the IIS web logs and gotten back three files, all ending in .evt??).

> If you are serious about this effort, then
> education and proof are the keys to making it work.

Sure.

> Build two boxes, one MS and one Linux for example.

It's common knowledge that an adequately trained/experienced MS admin can lock down a box as much as an adequately trained/experienced Linux admin.
Setting up such boxes and launching the same attacks against them shows what, exactly? The security configuration of a single host has only very little to do with the overall information security posture of the infrastructure. Firewall and router ACLs, NAT'ing, VLANs, network device configuration, user/admin security awareness, locked server room doors...these all play a part. The issue of susceptibility to malware (worms, viruses, etc.) isn't so much one of which products are employed, but rather _how_ they are employed.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 07:43:07 PDT