[CentOS] security compliance vs. old software versions

Tue Jul 6 20:02:39 UTC 2010

On 6/30/2010 8:54 PM, John Jasen wrote:
> m.roth at 5-cent.us wrote:
>    
>> John Jasen wrote:
>>      
>>> m.roth at 5-cent.us wrote:
>>>        
>>>> Frank Cox wrote:
>>>>          
>>>>> On Wed, 2010-06-30 at 15:14 -0400, m.roth at 5-cent.us wrote:
>>>>>            
>>>>>> Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
>>>>>> the printers, and left it off. This, of course, slows things down a lot,
>>>>>> but it's "Secure".
>>>>>>              
>> <snip>
>>      
>>> Forgive the minor nit, and hopefully not continuing the talking past
>>> each other, but modern printers have more computer resources than a
>>> smart phone, and the embedded OS is either equally as complex or an
>>> embedded braindead version of Windows.
>>>
>>> In other words, they are assets worth protecting.
>>>        
>> So, you're saying protection is more important than having them usable for
>> the folks whose use they were bought for? You're saying that we should
>> just get rid of them, and buy less capable printers that can't do as much?
>> Even when the only way to get to the existing printers is from a system
>> that's *inside* the firewall, and on our network? Hey, how 'bout I just
>> unplug them from the network altogether? They'll be doorstops, but they'll
>> be "secure".
>>      
> Well, I'm a security admin, so of course protection is more important
> than utility! :)
>
> But seriously, the assessment tools provide information on your
> environment, based on certain standard metrics. Its (HOPEFULLY! PCI
> compliance notwithstanding ....) up to the people who end up reading
> them to fix the environment, determine that its not a problem, or accept
> the risk that was discovered.
>
>    
Sorry to drag this back out to the front... I've been beyond busy and 
just now catching up.

One of the things that is blaring to me in these 'security' scans is 
that there is no check of passwords. We can jump through every hoop in 
the world to provide a 'secure' environment, yet without 'verifying' 
with the client a quality password and password policy, this is simply a 
moot point. Yes, one would hope... but if they don't check this how do 
they know? I have had requests for password changes to the most ignorant 
and guessable things. We don't allow any of our users to set their 
passwords, but I do wonder about these supposedly 'secure' sites.

There are also no checks on the security of the server location. Who has 
access to the console?

I think this whole business is simply another ploy to cost everyone a 
lot of money... but the 'form' gets filled out. It is absurdity at its 
finest! On the most secure systems, they couldn't even run their 
reports. The companies doing these checks are simply lining their 
pockets with green.

John Hinton