Penetration Testing mailing list archives

Re: [PEN-TEST] Testing a "rogue site"


From: "Missy, E" <freehold () EROLS COM>
Date: Mon, 11 Sep 2000 17:35:47 -0400

"Karyn Pichnarczyk" wrote:
[snipped]
But unless you go by
the One and Only rule, you will not last long in the security trade:

1. Business Must Continue.

If this rule is not followed, then it doesn't matter how good or bad
the security posture is: the company just won't exist!

Therefore, the Business Demands of the company must be met, AT ALL COSTS
including, regretfully and occasionally, the cost of bad security.

More and more, without security, companies can be (temporarily) 'made to
not exist' - i.e. brought down, sometimes for an extended period of time
if a sufficient hit is made.  Business will *not* continue without data
and communications.  What's more inconvenient, a few 'extra' steps
between users and tasks (i.e. logging procedures, periodic re-education,
etc.) or the inability to perform those tasks at all?   After all, we
all got used to waiting in airports to get through the metal detectors.

Corporate culture eventually will change to allow the 'inconvenience' of
security procedures.  Most people here, I suspect, feel way too busy to
'fight city hall', or to work on inculcating a security mindset within a
company that ranks security low on the totem pole.  That doesn't mean
that I think it isn't my job to educate those around me, just that I
wouldn't want to work where I was fighting the current.  :)
