Firewall Wizards mailing list archives

Re: RE: In defense of non standard ports


From: Karl <karl.mueller () asolutions com>
Date: Tue, 24 Jan 2006 16:59:26 -0600

On Tue, Jan 24, 2006 at 03:28:37PM -0600, Behm, Jeffrey L. wrote:

Overheard at the water cooler: "Well, company X allows this traffic, why
don't we? They are much larger than us and probably understand security
*much* better than we do. Since they think it's safe, shouldn't we think
it's safe, too?"  I'm still looking for wording used to combat the
cluelessness of such a mindset in both our own companies, as well as
companies that are creating situations that make us run web traffic on
non-web ports.


When I hear this, I usually start with something along the lines of "and company X certainly has a legal department 
prepared to handle the litigation when a boxen inside their network is used to attack or probe a sensitive computer 
system."

While this may or may not be true, it usually gets enough attention from the original speaker that the LART follow-up 
is met with something other than a glassy-eyed stare.  That's when we get to talk about containment, detection, 
compartmentalization, individual responsibility, and all those other topics related to accepting the risk of a 
networked computer system.

It's not about *if* you're gonna get hacked.  It's about *when*, and what happens next.

YMMV, but this approach has worked for me.

-k
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
