Re: [ISN] A Tempting Offer for Russian Pair

From: InfoSec News (isnat_private)
Date: Wed May 21 2003 - 22:51:37 PDT


    Forwarded from: Kurt Seifried <kurtat_private>
    
    > Yes, sometimes it does cost an extra $1M to correctly install a
    > network to be secure.  Sometimes installing a secure network requires
    > expensive consultants and better hardware.  Sometimes making things
    > secure takes longer and you miss some marketing opportunities.
    >
    > It's what you have to do if you want things to run properly.
    > Complaining about being hacked and then having to pay extra to get
    > security is like complaining about leaving your umbrella at home and
    > being forced to buy one from an expensive store when a thunderstorm
    > starts.  There's no point complaining about such things, you knew the
    > risks, took a chance, and it didn't work out.
    
    That is so true. My house only has wimpy little deadbolts on the
    front and back, and the windows are only made out of glass, and not
    shatter resistant. Heck, I don't even have a security system.
    Obviously after I get broken into and spend the money on a security
    system we'll know whose fault it was, me the victim, right?
    
    Where do we draw the line? I once tried to write a paper that would
    cover a methodology to concretely measure the cost and risk of security
    incidents, and thus provide a framework within which to create a
    budget for addressing these flaws. Most companies can't even measure
    productivity properly, let alone the cost of a security incident (PR
    value? downtime? etc.). And assessing the cost/benefit ratio of, say,
    $10,000 of firewall vs. $10,000 of AV is pretty darn tricky
    (especially as your IT changes all the time). Needless to say I gave
    up after a few months.
    
    > Usually when you take a chance on computer security it won't work
    > out.
    
    If you could give me a definition for "chance" for my servers I'd love
    to know what it is (is running up to date software, firewalling and
    some other additional means enough? Am I taking a chance by not
    running SELinux? =).
    
    Although in this specific case it sounds like the company, whose focus
    was electronic monetary transactions online, did screw up big time.
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu May 22 2003 - 01:14:34 PDT