Re: Gartner's Security 3.0

["M.B.Jr." <marcio.barbado () gmail com>]

Dear Guilaume Vissian,

On 10/19/07, Guilaume Vissian <somebodyishere () gmail com> wrote:
> Hi,
>
> To follow with a french example... You were talking about network
> security, but there is more than that, in my mind the IT security
> audit has also to include environmental things such as : Management,
> Orgnisation, and people don't forget the mitnick example, this guy
> use social engineering a lot ! So the french government find an
> answer to that establishing the ISO 27001, but in my mind Social
> Engineering is not really yet, audited.

The ISO/IEC 27000 series are pretty complete; it also covers some
human nature's weak points as it infers a PDCA approach to corporative
infosec.
Our market's scene, as it is, leads to services more than products,
which is good for network audit professionals.

> Otherwise, discussing about economy there is on the market one or two
> products which will audit a network and following the information
> given, will show you the amount of money that you may loose if a part
> of the network or a single server fall... A such product may answer
> your problem. I can't remember the name of the product but I remember
> that they are expensive, now it is also your choice.... if you want
> to use less money for your cofee and more for your security or
> not... ;0)
> Finally it is true, that presently the full audit (I mean Economy +
> Management + Network + .... ) are not purposed by companies as one
> audit but as multiple types of audit....
>
> Best regards
>
> Le 18 oct. 07 à 12:10, pkc_mls a écrit :
>
> > M.B.Jr. a écrit :
> > > Pentesters,
> > >
> > > Gartner's recently -- during its 2007 IT Security Summit -- released
> > > it's new corporative Information Security approach, named "Security
> > > 3.0".
> > > Basically, it suggests that 8 percent (and no less whatsoever than
> > > 5%)
> > > of the companies' IT budget be focused on security.
> > >
> > > It is something no doubt but personally I think it could be more,
> > > say 10%.
> > Hi,
> >
> > just a french example (please take some time before bashing).
> >
> > there was a huge fire in a bank in paris in the 90s, and after this
> > event all banks started to think about disaster recovery.
> >
> > for the security, as some other already answered, it depends on how
> > sensitive is the IT or the global management to security.
> >
> > if some friend already has an issue with security, or if they had a
> > phishing problem with lot of money involved, I think they'll
> > think more about security.
> >
> > for some companies, it's also part of their job to have the network
> > secured so they can sell their products (pills or medicine
> > for example).
> >
> > then, you can even invest 20, 30 % to security, if the goal is only
> > to put the latest firewall and never watch the log, perhaps
> > the investment doesn't matter.
> >
> > IMHO the hardest part is to maintain a good level of security
> > (everyone knows that as soon as you are connected to a network,
> > you cannot be a 100% secure) as your network is always modified.
> > > The thing is:
> > > how are you, as a pentester, feeling such, concerning your incomes?
> > >
> > >
> > > Yours faithfully,
> >
> >
> > ----------------------------------------------------------------------
> > --
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ----------------------------------------------------------------------
> > --
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------


-- 
Marcio Barbado, Jr.
==============
==============

"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------