Firewall Wizards mailing list archives

RE: Vulnerability Response (was: BGP TCP RST Attacks)


From: Phil Burg <Phil.Burg () colesmyer com au>
Date: Thu, 3 Jun 2004 10:07:45 +1000

From David Lang:

unfortunately this is much easier to say than to define, especially when
you have disagreements between departments over the likelihood of something
being exploited: "Vendor BIGNAME says that their equipment that will span 5
networks is perfectly safe and can't possibly be compromised because they
don't run an OS" from the folks who want to install something vs the
security department's view of the same hardware: "these are x86 based nodes
plugged into every network with an ethernet backplane between them, they
are a very high risk"

This part, IMNSHO, is a key part of your risk management policy / 
standard / whatever $YOUR_SITE calls it:  you need to clearly
define who evaluates security risks and how they do it, the intention
being to arrive at a situation wherein any suitably qualified person
(for some value of suitably qualified) can pick up your RM documentation
and produce a very similar assessment of the risk as any other suitably
qualified person would produce.  And of course it needs to be auditable.

Selling this to management at $YOUR_SITE is left as an exercise to the
reader...

Phil
--
Phil Burg
Senior Security Adviser
IT S&A Security and Governance
Coles Myer Ltd
(03) 9483 7165 / 0409 028 411
