Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Commercial pressure as a threat to security

From: Valdis.Kletnieks () vt edu
Date: Tue, 06 Dec 2005 16:31:25 -0500
On Tue, 06 Dec 2005 07:55:55 PST, Daniel Sichel said:


Anyhow, Jason summed this up elegantly and succinctly. Is anybody
addressing this problem with cheap software a small business can afford,
even to test just the basics?


Plenty of people.  Lots of people.  Probably 80% or more of the people making
an actual living at the white hat side of security, in fact.

But if I were to actually *mention* anything that sounded like "unclued people
who just know how to do a basic pen test and can't 1337-hax0r a box by hand",
I'd start another flame-fest. ;)

No, those people won't save you from getting pwned by a uber-leet ninja hacker,
because they'll only test all the obvious simple stuff.  On the other hand, it's
even more embarrassing to get pwned by a script kiddie using a 3 year old exploit
because you didn't even check the obvious simple stuff.

And there's a lot more script kiddies out there than uber-leet ninja hackers,
and the uber-leet ninja hackers are probably busy elsewhere.

Yes, it's a business decision:  You can spend $500 doing enough security to
stop 98% of the potential attackers, or spend gazillions to stop them *all*.
At some point, you have to decide "We've probably made it hard enough to attack
that the script kiddies can't get in, and the ninjas will hopefully go elsewhere
with a better effort/payback ratio".

And then be prepared to be wrong, just like you hopefully prepared to be wrong
regarding your defenses against earthquakes, floods, and other unlikely to happen
things...

I haven't looked at the CISSP, but I bet this concept of business trade-offs
is one of the things a CISSP is supposed to understand.  It certainly isn't
something I've seen much signs of understanding from the crowd that's proud
they don't have a CISSP.

And if nothing else, even if your security needs say you should bring in a
talented guy to really pound the net into submission, you should *STILL* hire
the clueless idiot, first - if for no other reason than it's better to be
paying the idiot $50/hour to find all the stupid-ass mistakes you made, than
paying the expert $250/hour to find all the stupid-ass mistakes, and then
another $250/ hour to do the more in-depth checking. ;)

Attachment: _bin
Description: 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: