nanog mailing list archives
Re: bloomberg on supermicro: sky is falling
From: William Herrin <bill () herrin us>
Date: Wed, 10 Oct 2018 11:09:39 -0400
On Wed, Oct 10, 2018 at 10:22 AM Naslund, Steve <SNaslund () medline com> wrote:
> Allowing an internal server with sensitive data out to "any" is a serious mistake and so basic that I would fire that contractor immediately (or better yet impose huge monetary penalties). As long as your security policy is defaulted to "deny all" outbound that should not be difficult to accomplish.
Hi Steve,

I respectfully disagree. Deny-all-permit-by-exception incurs a substantial manpower cost both in terms of increasing the number of people needed to do the job and in terms of reducing the quality of the people willing to do the job: deny-all is a more painful environment to work in and most of us have other options.

As with all security choices, that cost has to be balanced against the risk-cost of an incident which would otherwise have been contained by the deny-all rule. Indeed, the most commonplace security error is spending more resources securing something than the risk-cost of an incident. By voluntarily spending the money you've basically done the attacker's damage for them!

Except with the most sensitive of data, an IDS which alerts security when an internal server generates unexpected traffic can establish risk-costs much lower than the direct and indirect costs of a deny-all rule. Thus rejecting the deny-all approach as part of a balanced and well-conceived security plan is not inherently an error and does not necessarily recommend firing anyone.

Regards,
Bill Herrin

--
William Herrin ................ herrin () dirtside com bill () herrin us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
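The two policies argued over in this exchange, as an added example that is not part of the thread and is not code from either poster: a per-server egress baseline is learned from a window of flow records, and the same observation window is then run through Bill's alert-on-unexpected-traffic approach and through Steve's deny-all-permit-by-exception approach. The hosts, addresses, ports and log lines are constructed for the example (RFC 1918 and RFC 5737 ranges), and the whitespace-separated flow format is an assumption, not any particular exporter's output.

```python
"""Egress baseline: alert-only (IDS) versus deny-all-by-exception (firewall).

Added example for the NANOG thread above; all data below is constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# One outbound flow as a firewall or NetFlow exporter would summarise it.
Flow = Tuple[str, str, int, str]          # (src, dst, dport, proto)
Key = Tuple[str, int, str]                # (dst, dport, proto): "who src talks to"


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dport proto' record (assumed format)."""
    src, dst, dport, proto = line.split()
    return (src, dst, int(dport), proto.lower())


# Constructed learning window: normal traffic from internal DB server 10.0.5.20
# (replica, DNS, syslog relay, internal HTTPS API).
BASELINE_LOG = """\
10.0.5.20 10.0.5.10 5432 tcp
10.0.5.20 10.0.1.53 53 udp
10.0.5.20 10.0.1.53 53 udp
10.0.5.20 10.0.2.15 514 udp
10.0.5.20 10.0.2.40 443 tcp
""".splitlines()

# Constructed observation window: the same server, plus one connection to an
# external address (203.0.113.77, documentation range) it has never used.
OBSERVED_LOG = """\
10.0.5.20 10.0.5.10 5432 tcp
10.0.5.20 10.0.1.53 53 udp
10.0.5.20 203.0.113.77 443 tcp
10.0.5.20 10.0.2.40 443 tcp
""".splitlines()


def learn_baseline(lines: Iterable[str]) -> Dict[str, Set[Key]]:
    """Build src -> {(dst, dport, proto)} from a window of known-good flows."""
    baseline: Dict[str, Set[Key]] = defaultdict(set)
    for line in lines:
        src, dst, dport, proto = parse_flow(line)
        baseline[src].add((dst, dport, proto))
    return baseline


def detect_unexpected(lines: Iterable[str], baseline: Dict[str, Set[Key]],
                      monitored: Set[str]) -> List[Flow]:
    """Bill's approach: traffic flows, but a monitored server leaving its
    baseline produces an alert for the security team to triage."""
    alerts: List[Flow] = []
    for line in lines:
        flow = parse_flow(line)
        src, dst, dport, proto = flow
        if src not in monitored:
            continue
        if (dst, dport, proto) not in baseline.get(src, set()):
            alerts.append(flow)
    return alerts


def deny_all_verdicts(lines: Iterable[str],
                      allowlist: Dict[str, Set[Key]]) -> List[Tuple[Flow, str]]:
    """Steve's approach: the same baseline used as a permit-by-exception list.
    Anything outside it is dropped, so a legitimate new dependency also stops
    working until someone files a rule change (the manpower cost in the reply)."""
    verdicts: List[Tuple[Flow, str]] = []
    for line in lines:
        flow = parse_flow(line)
        src, dst, dport, proto = flow
        permitted = (dst, dport, proto) in allowlist.get(src, set())
        verdicts.append((flow, "permit" if permitted else "drop"))
    return verdicts


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_LOG)
    for flow in detect_unexpected(OBSERVED_LOG, baseline, {"10.0.5.20"}):
        print("ALERT unexpected egress:", flow)
    for flow, verdict in deny_all_verdicts(OBSERVED_LOG, baseline):
        print(f"{verdict:6} {flow}")
```

Both functions flag the same flow; the difference the thread is about is what happens next: the detector hands it to an analyst while the servers keep working, the deny-all rule stops it (and would equally stop a legitimate new destination) before anyone looks. In practice the baseline key would carry more than destination and port (bytes out, time of day, ASN) and the learning window would be validated before it is trusted.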