Re: [Full-disclosure] Commercial pressure as a threat to security



On Tue, 06 Dec 2005 07:55:55 PST, Daniel Sichel said:

> Anyhow, Jason summed this up elegantly and succinctly. Is anybody
> addressing this problem with cheap software a small business can afford,
> even to test just the basics?

Plenty of people. Lots of people. Probably 80% or more of the people making
an actual living at the white hat side of security, in fact.

But if I were to actually *mention* anything that sounded like "unclued people
who just know how to do a basic pen test and can't 1337-hax0r a box by hand",
I'd start another flame-fest. ;)

No, those people won't save you from getting pwned by a uber-leet ninja hacker,
because they'll only test all the obvious simple stuff. On the other hand, it's
even more embarrassing to get pwned by a script kiddie using a 3 year old exploit
because you didn't even check the obvious simple stuff.

And there's a lot more script kiddies out there than uber-leet ninja hackers,
and the uber-leet ninja hackers are probably busy elsewhere.

Yes, it's a business decision: You can spend $500 doing enough security to
stop 98% of the potential attackers, or spend gazillions to stop them *all*.
At some point, you have to decide "We've probably made it hard enough to attack
that the script kiddies can't get in, and the ninjas will hopefully go elsewhere
with a better effort/payback ratio".

And then be prepared to be wrong, just like you hopefully prepared to be wrong
regarding your defenses against earthquakes, floods, and other unlikely to happen
things...

I haven't looked at the CISSP, but I bet this concept of business trade-offs
is one of the things a CISSP is supposed to understand. It certainly isn't
something I've seen much signs of understanding from the crowd that's proud
they don't have a CISSP.

And if nothing else, even if your security needs say you should bring in a
talented guy to really pound the net into submission, you should *STILL* hire
the clueless idiot, first - if for no other reason than it's better to be
paying the idiot $50/hour to find all the stupid-ass mistakes you made, than
paying the expert $250/hour to find all the stupid-ass mistakes, and then
another $250/ hour to do the more in-depth checking. ;)



Attachment:pgpZHg2tlcqqG.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/