Information Security News mailing list archives

Re: A Tempting Offer for Russian Pair


From: InfoSec News <isn () c4i org>
Date: Thu, 22 May 2003 00:51:37 -0500 (CDT)

Forwarded from: Kurt Seifried <kurt () seifried org>

Yes, sometimes it does cost an extra $1M to correctly install a
network to be secure.  Sometimes installing a secure network requires
expensive consultants and better hardware.  Sometimes making things
secure takes longer and you miss some marketing opportunities.

It's what you have to do if you want things to run properly.
Complaining about being hacked and then having to pay extra to get
security is like complaining about leaving your umbrella at home and
being forced to buy one from an expensive store when a thunderstorm
starts.  There's no point complaining about such things, you knew the
risks, took a chance, and it didn't work out.

That is so true. My house only has wimpy little deadbolts on the
front and back, and the windows are only made out of glass, and not
shatter resistant. Heck, I don't even have a security system.
Obviously after I get broken into and spend the money on a security
system we'll know whose fault it was, me the victim, right?

Where do we draw the line? I once tried to write a paper that would
cover a methodology to concretely measure the cost and risk of security
incidents, and thus provide a framework within which to create a
budget for addressing these flaws. Most companies can't even measure
productivity properly, let alone the cost of a security incident (PR
value? downtime? etc.). And assessing the cost/benefit ratio of, say,
$10,000 of firewall vs. $10,000 of AV is pretty darn tricky
(especially as your IT changes all the time). Needless to say I gave
up after a few months.

Usually when you take a chance on computer security it won't work
out.

If you could give me a definition for "chance" for my servers I'd love
to know what it is (is running up to date software, firewalling and
some other additional means enough? Am I taking a chance by not
running SELinux? =).

Although in this specific case it sounds like the company, whose focus
was electronic monetary transactions online, did screw up big time.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.