Firewall Wizards mailing list archives

Re: Vulnerability Response (was: BGP TCP RST Attacks)


From: George Capehart <capegeo () opengroup org>
Date: Thu, 3 Jun 2004 09:35:46 -0400

On Wednesday 02 June 2004 01:58 pm, David Lang wrote:
> On Wed, 2 Jun 2004, George Capehart wrote:
> > The cost of risk is very important.
>
> Hear, hear!
>
> unfortunately this is much easier to say than to define, especially
> when you have disagreements between departments over the likelihood of
> something being exploited "Vendor BIGNAME says that their equipment
> that will span 5 networks is perfectly safe and can't possibly be
> compromised because they don't run an OS" from the folks who want to
> install something vs the security department's view of the same
> hardware "these are x86 based nodes plugged into every network with
> an ethernet backplane between them, they are a very high risk"
>
> let alone the more subtle issues of how expensive the risk is to open
> one more port through a firewall.

I certainly agree that sometimes it is hard to quantify risk to two 
decimal places.  But not all risk assessment schemes require that.  
With respect to disagreements among departments over the likelihood of 
an exploit, that is a non-problem.  If the organization's management 
style is to achieve consensus, lock 'em all in a room and don't let 
them out until they come to agreement.  If the organization's 
management style is by decree, decree it.  Bottom line:  either risk is 
managed or it's not.  A functioning risk management process has 
mechanisms it needs in place to ensure that risks are identified and 
managed.  If those mechanisms are not in place, the organization is not 
managing its risk . . .

Cheers,

/g
-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutinate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

