Penetration Testing mailing list archives

Re: [PEN-TEST] More on the 'Testing a Rogue Site'


From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Sun, 17 Sep 2000 15:14:06 -0700

http://www.nfr.net/products/nfrwear/flowchart.html

Is really the crux of the problem.


Conclusion..
Security is a process, not a product. Traditional preventive security
products go a long way to securing computer networks, but they can never
close the window of exposure. All existing networks are vulnerable to
attack. Looking at the problem as one of risk management, detection and
response are far more effective security tools than prevention can ever be.
And Managed Security Monitoring is the most cost-effective way, as well as
the most effective way, to reduce the risk of financial losses due to
network attacks.

I disagree with his conclusion, since introducing Managed Security
Monitoring can introduce a lot more open-ended issues than it solves, and
the reduction of risk in financial losses can actually reverse itself if
monitored by an MSP. If each customer had its own monitoring console, yes,
this would work, but if you get more than 20 or 30 customers each having
their own monitor: 1. the ops room gets mighty warm even with air
conditioning. 2. this concept of one customer/one console does not scale,
especially if the customer has multiple sites, etc., etc.


One really wants to provide their customers with a customized security
roadmap in priority order based on the customer's business model.  One
wants to close potential security holes not open them up.

One really wants to find out how much they are willing to spend to
eliminate their pain.

/m

At 11:42 AM 9/16/00 +0000, H Carvey wrote:

> Here's an article written by Bruce Schneier
> http://www.counterpane.com/window.html  directly
> relating to that discussion
> that I ran across today.

I've read most of the article by now, but I think
Bruce goes a long way toward pointing out what the
focus of the article is in just the first few
sentences.

This is something that every security professional
runs across, whether as a consultant or as an
employee to a company...how best to 'sell'
security.  Of course, if you go into work on
Monday and need to 'sell' security, you have to
realize that you're not only trying to overcome
simple lack of knowledge, but you're also battling
against a mentality that's been put in place by
the media.

Excellent article...thanks for pointing it out.

Carv
