Penetration Testing mailing list archives
Re: [PEN-TEST] More on the 'Testing a Rogue Site'
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Sun, 17 Sep 2000 15:14:06 -0700
http://www.nfr.net/products/nfrwear/flowchart.html is really the crux of the problem.

Conclusion.. Security is a process, not a product. Traditional preventive security products go a long way to securing computer networks, but they can never close the window of exposure. All existing networks are vulnerable to attack. Looking at the problem as one of risk management, detection and response are far more effective security tools than prevention can ever be. And Managed Security Monitoring is the most cost-effective way, as well as the most effective way, to reduce the risk of financial losses due to network attacks.

I disagree with his conclusion, since introducing Managed Security Monitoring can introduce a lot more open-ended issues than they solve, and the reduction of risk in financial losses can actually reverse itself if monitored by a MSP. If each customer had its own monitoring console, yes, this would work, but if you get more than 20 or 30 customers each having their own monitor:

1. The ops room gets mighty warm even with air conditioning.
2. This concept of one customer/one console does not scale, especially if the customer has multiple sites, etc., etc.

One really wants to provide their customers with a customized security roadmap in priority order based on the customer's business model. One wants to close potential security holes, not open them up. One really wants to find out how much they are willing to spend to eliminate their pain.

/m

At 11:42 AM 9/16/00 +0000, H Carvey wrote:
> Here's an article written by Bruce Schneier
> http://www.counterpane.com/window.html directly relating to that discussion
> that I ran across today.
>
> I've read most of the article by now, but I think Bruce goes a long way toward pointing out what the focus of the article is in just the first few sentences. This is something that every security professional runs across, whether as a consultant or as an employee to a company...how best to 'sell' security.
>
> Of course, if you go into work on Monday and need to 'sell' security, you have to realize that you're not only trying to overcome simple lack of knowledge, but you're also battling against a mentality that's been put in place by the media.
>
> Excellent article...thanks for pointing it out.
>
> Carv