Penetration Testing mailing list archives
Re: [PEN-TEST] Testing a "rogue site"
From: Wandering One <wanderingone () CORE COM>
Date: Wed, 13 Sep 2000 15:55:22 -0500
More and more, without security, companies can be (temporarily) 'made to not exist' - i.e. brought down, sometimes for an extended period of time if a sufficient hit is made. Business will *not* continue without data and communications. What's more inconvenient, a few 'extra' steps between users and tasks (i.e. logging procedures, periodic re-education, etc.) or the inability to perform those tasks at all? After all, we all got used to waiting in airports to get through the metal detectors. Corporate culture eventually will change to allow the 'inconvenience' of security procedures. Most people here I suspect feel way too busy to 'fight city hall', or work on inculcating a security mindset within a company that ranks security low on the totem pole. That doesn't mean that I think it isn't my job to educate those around me, just that I wouldn't want to work where I was fighting the current. :)
I wish to disagree with you slightly on this point, more as to the strength of its use than the validity of the statement. It is the Board of Directors of the company's decision as to which risks to mitigate. If they feel the risk of a possible DOS (or related attack) is slim enough that they only wish to spend enough money to hire one person and maybe a decent firewall in this year's budget, as long as they had the relevant data as to the risk and the results to the company should the risk be realized, then it's their decision. Security, as much as those of us who have worked in the governmental as well as private sector may wish it, is not the be all end all. If your company has no data to protect and can do business without their computers for a day without losing their shirts, and the costs of such a loss may be less than the cost of the solution to protect them versus this loss, then they are still in the positive.

An example. Let's say I have a company that I am performing a Security Assessment for. During this assessment I realize that the company's critical assets are the telephone lines and a few critical computers that contain their HR data. The computers containing the HR data are behind a secure firewall with discretionary access control and the telephone lines have a fail-over that can be placed in place within a 2 hour window (a Business Continuity Plan of sorts in place for a major disaster covers this). Do I necessarily need to recommend to this client that the internet connection that they have behind a weak firewall/proxy and the analog phone lines on every desk need to be hardened at the cost of N+$50,000, where N is the cost for the BCP plan's implementation in the event of the failed phone services?

I wouldn't be much of a consultant (at least a consultant with the eye on the fact that he is there for the benefit of his client, not to line his own pockets) if I were to make any recommendation that would cost them more to implement than the damage that a possible realized risk could cause. I realize the above example is simplistic in the extreme and there is not a company out there that is that simple or even remotely close, but that is what we as security professionals need to be able to determine. Not always what is the best and coolest security tool on the market and/or pay top dollar for the big 5 security companies' product just because their marketing staff is damn good at making graphs the management/Board of Directors can understand. There is a trade-off between having perfect security and perfect usability. Some companies need to be closer to the usability and others to the security, so long as the risk analysis backs up the reasoning behind that decision. Ensure that a knowledgeable group has prepared the risk analysis, back it with Security Audits and Penetration Tests, and include that information in the Risk Analysis. Remember the ultimate goal is the continuity of the business, whether that be the latest and greatest security tool on the market (at least what the marketing people tell us is the greatest) or whether that is just a contingency plan for a risk that may possibly become realized.

Just a few random thoughts from someone who works both in the Business Continuity and Security fields.

Wandering One
Current thread:
- [PEN-TEST] Testing a "rogue site" Kelly, Mike (Sep 08)
- Re: [PEN-TEST] Testing a "rogue site" Peter Van Epp (Sep 09)
- Re: [PEN-TEST] Testing a "rogue site" Missy, E (Sep 10)
- <Possible follow-ups>
- Re: [PEN-TEST] Testing a "rogue site" Mitch James (Sep 08)
- Re: [PEN-TEST] Testing a "rogue site" Rich Richenberg (Sep 08)
- Re: [PEN-TEST] Testing a "rogue site" Alexander Sarras (SEA) (Sep 11)
- Re: [PEN-TEST] Testing a "rogue site" Karyn Pichnarczyk (Sep 11)
- Re: [PEN-TEST] Testing a "rogue site" Missy, E (Sep 12)
- Re: [PEN-TEST] Testing a "rogue site" Wandering One (Sep 13)
- Re: [PEN-TEST] Testing a "rogue site" Karyn Pichnarczyk (Sep 11)
- Re: [PEN-TEST] Testing a "rogue site" Peter Van Epp (Sep 09)
- Re: [PEN-TEST] Testing a "rogue site" Meritt, Jim (Sep 11)
- Re: [PEN-TEST] Testing a "rogue site" Alexander Sarras (SEA) (Sep 13)