Thursday 27 April 2006

Dilberted (a.k.a. people you don't want help from, #1)

It was Friday afternoon when he dropped by to visit, carrying the tool of his new trade: an open spreadsheet in his laptop, crammed with action items in every cell.

Now I may never be the life and soul of any party I attend, but I am sociable enough to be happy to see a friend again after he has left my department to find "new and different challenges" elsewhere.

My pleasure at seeing him again, however, was short-lived. "I want to talk to you," he said carefully, as though weighing his words, and selecting the ones least likely to cause me to spontaneously combust, "about your server security check."

My first reaction was "Oh no - more work."

But then I kicked myself: He's a friend, and what's more, he himself was working with a team doing security checks less than a month ago . . . surely he will have some practical tool that simplifies my team's work and/or increases our skill. After all - he's gone and joined the Security Compliance team. What else would he do?


Things are never really what they seem to be.

"How sure can you be," he said, "that when your teammate puts a 'YES' in the checklist, they really checked and found the setting to be as required?"

"Uuuuhhhhh" I said, totally flabbergasted.

"It has happened before," he said, "that for whatever reason, a person could have indicated 'YES' when the answer should have been 'NO'. We would like to make it so that we (the security section) can verify the security checks".

OK, I'm open to any reasonable suggestions....

"Well," he said, "can you write a program that prints to a file all the security settings in your system?"
Me? Write a program?
"Then can you indicate in each line of that output file which question in the security check that line satisfies?"

Excuse me? You want me to produce an output dumb enough for a total idiot to check? But our auditor to date has never asked for a clearly marked file... in fact, he asked for a dump file, which you would need tools to decipher.

"Fine then," he said, "can you get those tools, and produce that output for the auditor...."

But - but - don't you security guys know what tools are out there? Don't you know what the auditor uses? Because I don't!!

Bottom line - and this is the point of this entry/blog/rant - is that he wanted me to 'enhance' my report so someone with no knowledge could check it. He was not offering to train me or my team in better managing our machines. He was not bringing a tool that helped us do our security checks faster and more accurately. He just wanted someone to write a program (who the heck is going to keep it current, and make changes every time something on the machines changes?) and then spend hours marking up the report so that someone ignorant of the system could compare it to the security checklist.

No. Sorry. It does not work that way. A program that can pull security settings from dozens of places is not possible. We are not master programmers, we don't maintain complex applications.

No. Sorry. I will not spend my already insufficient time poring over a WORD document to highlight which line satisfies section A.1.2.1.17, and which line satisfies section A.1.3.1.21.

Go Away - you are not bringing any value to me. You call yourself a security specialist, but your team refuses to develop or acquire any skill in security implementation on any platform. Managing security gaps by spreadsheet makes you only a Project Manager, and a bad one at that. Knowing intimately how the Security Process works makes you just a Process Architect, and a limited one at that.

Come back when you can teach me to secure a WebSphere server. Or how to verify TFTP is not exploitable.

Come back when you can do what it says you can do on your business card.
