Certifiably Certified
Richard Forno, 2002-10-23

As security certifications become more plentiful, they are losing their real value.

Certifiably Certified 2002-10-28
Anonymous, CISSP (1 replies)
Okay, I have to admit it. I think that moving one's web server to port 81 can help prevent a majority of problems. Granted, what do I know? I've only managed hundreds of web servers, both Apache and IIS, without an intrusion. Of course, when I say, "move it to port 81", I know it will ONLY prevent most worms. No single action (short of pulling the plug) can completely secure a web server. A dedicated attacker (not often the thing that causes most of the wide-spread panic in the web server arena) can only be foiled by a comprehensive defense-in-depth strategy which encompasses secure administration, code audits, monitoring, IDS, active response, and intelligence. When someone talks about moving ports, it is only to foil most unintelligent agents. One should not, however, forget the user-oriented problems associated with changing to a non-standard port.

Now, I've met quite a few people without CISSPs who can't gargle spit without choking and turning blue. Does that mean that all non-CISSPs are worthless? Why does an under-experienced CISSP mean that the 'CISSP' is worthless? Give me his/her name, and we will police our own.

My CISSP is only worth what I make it. I work hard, I read, I study, I keep up with current events, and I look into R&D. I read books on working with management. I read books on application security. I have a lab with a wide variety of equipment and a wide variety of software. I go to conferences and training sessions. I have a wife who is thinking of taking a hatchet to the patch panel. All my CISSP bought me was a certification saying that I SHOULDN'T be useless when dealing with a wide range of security issues, from operational security to biometrics. The only thing that speaks volumes about my worth is my experience, my knowledge, and my intelligence.

If you think a certification can prove any of that (other than the minimum 3/4 years experience with supporting documentation that the CISSP requires), you are barking up the wrong tree. Don't look to certs to prove someone's worth. Look to certs to certify a minimum set of requirements, and to help out on the corporate resume when digging for business.

And, look to the CISSP to show that, on average, the professional has subscribed to a set of ethics that SHOULD be better than industry average. Don't expect an expert in all forms of security; expect someone who shouldn't be lost when dealing with firewalls, routers, buffer overflows, disaster recovery, biometrics, halon systems, and anything else dealing with information security.

Have a good one.

Link to this comment: http://www.securityfocus.com/comments/columns/118/16951#16951
Copyright 2009, SecurityFocus