On Tue, Aug 13, 2002 at 04:41:31PM -0700, Steve Kirby wrote:
> I am looking for case studies or statistics for
> smaller companies/ lower threat companies.

I frequently hear "we are a low-threat company, who would want to hack us?" as a reason to avoid spending money on security. I am obviously a bit biased, but I feel this is extremely false.

Many attackers don't bother attacking specific hosts -- they set up a scanner to go scan _thousands_ of IP addresses for vulnerabilities they can easily exploit. Sometimes they restrict their searches to "interesting" netblocks, e.g., owned by cable-modem or DSL providers, or .edus, etc., and sometimes they pick stuff at random to go searching through. While nasa.gov will get more attackers than folks at random, praying that one isn't going to be hacked at all as long as nasa.gov continues to exist isn't the most useful approach. :)

> Are there any papers that offer a compelling drive to spend money on
> security?

The Honeynet project is probably a good start. They did nothing to advertise themselves to attackers; the IP block they were in was more or less usual, the services offered by the machines more or less usual, and they get impressive amounts of crack attempts. I believe they measured the lifespan of stock Red Hat systems in days, maybe hours.

I'm certain that one of the major consultancy groups has papers describing how much it cost to clean up after Code Red, Nimda, Melissa, etc. (Gartner, I think it was, even recommended uninstalling IIS, so they would be a good one to check.) Or, at least, the media in general tends to have claims of $n billion dollars wasted each year due to these problems.

Combine this with the oft-repeated statement that most security problems are _still_ insider jobs, and it makes me think that spending some time setting up security policies, and attempting to enforce them through access control mechanisms (and deter through audit mechanisms), would probably be useful. (If someone knows a reputable source for this claim, I'd appreciate it. I thought I found it at NIPC once, but the last time I went hunting for it, I couldn't find anything remotely related.)

If you are the adventurous sort, you could even set up a stock out-of-the-box install of common operating systems you use with applications you use, configured more or less like you intend to use them, and see how long they can sit on the internet before they get hacked. :) (SecurityFocus has a mail list devoted to honeypots that would provide a nice forum for further details.)

As an off-the-cuff guess: your admin will probably spend at least a day rebuilding a single hacked machine and restoring data from the previous night's backups. Your other users will probably have reduced productivity during that day as a server is unavailable. Spending a whole day's salary for an admin and a reasonable chunk of a day's salary for employees who rely on those services in planned preventative maintenance can help avert spending that time and money on unplanned repair operations.

Since there are a truly distressing number of vulnerabilities mentioned in the wide open public such as bugtraq, it would even make sense to spend this preventative maintenance periodically, rather than as a single up-front cost. How periodically is going to be determined by budget and risk analysis; but I think this line of argument would suggest that it at least needs to be performed occasionally.

(And yes, I am sorry I didn't just have a URL ready for you.. :)

-- 
http://immunix.org/
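The "day's salary for an admin plus lost user productivity versus planned maintenance" argument in the message above can be turned into a small break-even model. The following Python is an added example, not part of the original post or any project it mentions; every rate, head count and interval in it is a constructed assumption, and the model goes slightly beyond the message by sweeping several maintenance intervals to show how the break-even compromise rate moves with them.

```python
"""Break-even model: unplanned rebuild after a compromise versus planned,
periodic preventative maintenance (patching and hardening windows).

Added example for the mailing-list post above. All figures are constructed
assumptions for illustration, not data from the post or from any real company.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    admin_day_rate: float          # loaded cost of one admin-day (assumed)
    user_day_rate: float           # loaded cost of one user-day (assumed)
    dependent_users: int           # users who rely on the affected server
    productivity_loss: float       # fraction of a day each user loses while it is down
    rebuild_days: float            # admin time to rebuild and restore from backup
    maintenance_hours: float       # admin hours spent per maintenance window
    maintenance_interval_days: int # how often the window runs


def incident_cost(s: Scenario) -> float:
    """Direct cost of one compromise: admin rebuild time plus lost user productivity.

    This is the post's 'a day's salary for an admin and a reasonable chunk of a
    day's salary for employees who rely on those services'.
    """
    admin = s.rebuild_days * s.admin_day_rate
    users = s.dependent_users * s.user_day_rate * s.productivity_loss * s.rebuild_days
    return admin + users


def annual_maintenance_cost(s: Scenario) -> float:
    """Cost of running the preventative window every `maintenance_interval_days`."""
    windows_per_year = 365 / s.maintenance_interval_days
    admin_days_per_window = s.maintenance_hours / 8  # assumes an 8-hour admin day
    return windows_per_year * admin_days_per_window * s.admin_day_rate


def break_even_incidents_per_year(s: Scenario) -> float:
    """Compromises per year at which unplanned repair costs exactly as much as
    the planned maintenance meant to prevent them. If you expect more than this,
    the maintenance pays for itself on direct costs alone."""
    return annual_maintenance_cost(s) / incident_cost(s)


def break_even_by_interval(s: Scenario, intervals: list[int]) -> dict[int, float]:
    """Sweep the maintenance interval and report the break-even rate for each.
    Longer intervals are cheaper, so they break even at a lower incident rate."""
    result = {}
    for days in intervals:
        variant = Scenario(**{**s.__dict__, "maintenance_interval_days": days})
        result[days] = break_even_incidents_per_year(variant)
    return result


# Constructed sample scenario (assumed values, not from the original message).
SAMPLE = Scenario(
    admin_day_rate=400.0,
    user_day_rate=300.0,
    dependent_users=20,
    productivity_loss=0.5,
    rebuild_days=1.0,
    maintenance_hours=4.0,
    maintenance_interval_days=30,
)

if __name__ == "__main__":
    print(f"cost of one compromise:      {incident_cost(SAMPLE):10.2f}")
    print(f"annual maintenance cost:     {annual_maintenance_cost(SAMPLE):10.2f}")
    print(f"break-even incidents/year:   {break_even_incidents_per_year(SAMPLE):10.3f}")
    for days, rate in break_even_by_interval(SAMPLE, [7, 30, 90]).items():
        print(f"  interval {days:3d} days -> maintenance pays off above {rate:.2f} incidents/year")
```

With the sample numbers, a monthly four-hour window pays for itself if the organisation would otherwise suffer more than about 0.7 compromises per year; the model counts only direct rebuild and downtime costs, so data loss, notification and reputational costs would lower that threshold further.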
This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 01:35:44 PDT