Security Basics mailing list archives
Re: Would you bet your life on your security?
From: simon <simon () snosoft com>
Date: Sun, 05 Oct 2003 15:30:58 -0400
Dave,Prior to testing we define what we would consider to be a real vulnerability. For example, information leaks that leak critical system information that could lead to a compromise would be a threat/warning. Information leaks that leak information about the system time would not be considered a vulnerability, but rather a notice.
There are four stages, the later three are considered vulnerabilities: 1-) Notice 2-) Warning 3-) Threat 4-) CriticalIf anyone wants more information on the way we classify risks feel free to shoot me a message.
David Gillett wrote:
There's a truism to the effect that the only secure machine is unusable. So if this outfit has any competence at all they *will* find vulnerabilities in any useful network.The more critical question is, can they find vulnerabilities that the organization does not consider an acceptable riskassociated with being in business. Since different organizations have different tolerances for risk, this may be hard to guess up front -- I doubt they're willing to bet on THAT. David Gillett-----Original Message----- From: Eric Brown [mailto:ericbrow () ziplip com] Sent: October 1, 2003 19:04 To: simon; security-basics () securityfocus com Subject: Re: Would you bet your life on your security? Hello Simon,I'm pretty new to security, but this is discouraged by the ISECOM in their most current Open Source Security Testing Methodology Manual, p. 18, "2. The offering of free services for failure to penetrate or provide trophies from the target is forbidden." I wouldn't know this if I hadn't just read it though. Eric-----Original Message----- From: simon [mailto:simon () snosoft com] Sent: Wednesday, October 01, 2003, 4:18 PM To: security-basics () securityfocus com Subject: Would you bet your life on your security? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All,I'm not sure how many of you have had good securityaudits in therecent past so I thought I'd show you this. In summarySecure NetworkOperations, Inc. will do an external security audit of yournetwork forapprox $1000.00. If they don't find any vulnerabilities,then the auditis FREE and they send you a letter of validation. If they do find vulnerabilities, then they charge you and send you a formalreport thatdetails their finds and grades your network.Given some of the new laws that have been passed thisseems like apretty good service and a VERY cheap way to validate your companies security. Secure Network Operations also has a flawlesstrack record andhas the references to prove it.Why do I think this is a good idea? Well, the Californiaidentity theftlaw (Civil Code 1798.82),The new federal bankingregulations are tworeasons. They both make disclosure of a compromiseMANDITORY. You needto tell ALL of your clients, by law, that you have beencompromised andthat their identities may have been stolen.So anyway, I'll shut up. For those of you that areinterested check outthe link below. For those of you that arent, I'm justtrying to helppeople out so don't flame me or I'll /dev/null your mail. http://www.secnetops.com/pesa-form_html.html Their web site is: http://www.secnetops.com- -- Regards,-simon- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/e0/Nf3Elv1PhzXgRAqczAJ9jLoYmBi1aCs6DA49cB7nusXhv2QCgzeF6 0kewAu0Xz4t6+F5Px6kfKc8= =9AWM -----END PGP SIGNATURE------------------------------------------------------------------- ------------- -------------------------------------------------------------- -------------- To do is to be. -Socrates To be is to do. -Satre Do be do be do. -Sinatra -------------------------------------------------------------- ------------- -------------------------------------------------------------- ----------------------------------------------------------------------------------------- ----------------------------------------------------------------------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Would you bet your life on your security? simon (Oct 01)
- Re: Would you bet your life on your security? Jimi Thompson (Oct 10)
- <Possible follow-ups>
- Re: Would you bet your life on your security? Eric Brown (Oct 02)
- RE: Would you bet your life on your security? David Gillett (Oct 02)
- Re: Would you bet your life on your security? simon (Oct 06)
- Re: Would you bet your life on your security? Ranjeet Shetye (Oct 02)
- Re: Would you bet your life on your security? simon (Oct 02)
- Re: Would you bet your life on your security? David Moisan (Oct 03)
- RE: Would you bet your life on your security? David Gillett (Oct 03)
- RE: Would you bet your life on your security? David Gillett (Oct 02)
- RE: Would you bet your life on your security? MacDougall, Shane (Oct 03)
- RE: Would you bet your life on your security? MacDougall, Shane (Oct 03)
- RE: Would you bet your life on your security? David Gillett (Oct 06)
- Re: Would you bet your life on your security? simon (Oct 06)
- RE: Would you bet your life on your security? David Gillett (Oct 06)