Re: [fw-wiz] VPN endpoints

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 08/30/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 31 Aug 2004 01:18:14 +0530

    On 30/08/04 14:20 -0400, MHawkins@TULLIB.COM wrote:
    > "I don't know of any insurance company that has formulae to estimate such
    > risks."
    >
    >
    > Actually, most large insurance underwriters have various techniques for
    > measuring risk. Some risk is measured by statistical methods, eg: out of X
    > number of homes, Y will burn down in N time duration at total payout of D
    > dollars.

    In this case, the data for such events is available.

    > Other risks are more difficult to measure and are therefore assessed using
    > arbitrary ratings methods.

    In the information security case, this is generally numbers pulled out
    of thin air. The major question that remains is:
    As an infosec professional, how do you evaluate the risk of an event
    happening, given that the real numbers of such events are not available?

    > The events that are more difficult to measure are almost always those that
    > are exceedingly rare. For example, thousands of skydivers make hundreds of
    > thousands of jumps every year and yet only 20 or less people die skydiving
    > (thus, on life insurance policies they don't ask you how many times you
    > intend to jump each but rather, yes no, do you jump?).
    >
    > Applying the same techniques to information security risk measurement has,
    > in my experience, led to some very interesting results. For example, I
    > contend that 90% of the money spent on information security is wasted on
    > comparatively low risk areas.
    >
    > I came to this conclusion by, for example, applying the possible "cost" of
    > having an average company website hacked vs. the "cost" of having a
    > disgruntled employee steal valuable information or damage business systems.
    > The likelihood of the former is far lower than the latter. And the "cost" of
    > the former is -usually- less than cost of the latter and yet so much money
    > is spent on IDS, -super- firewalls, etc etc. But the most cost and most
    > likely event is a disgruntled employee damaging systems or stealing valuable
    > information.
    >
    > Go figure.

    Most businesses take the case that employees need to be trusted to work
    well. Also, how do you stop an employee with legitimate access from
    copying information? Sales people walk off with their contact databases.
    Also, it is usually easier to cover up the employee case.

    The cost of having a website broken into is not in terms of direct loss,
    but a *corporate image and PR loss*. The brand value is perceived to be
    extremely high and damage to that is low on the acceptability scale.

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
