RE: Bank Audit Best practices
From: Frank Knobbe (frank_at_knobbe.us)
Date: 03/24/04
- Previous message: Frank Knobbe: "RE: Email Pen-testing"
- In reply to: Mike Shaw: "RE: Bank Audit Best practices"
- Next in thread: Roman Draconus
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Mike Shaw <mike@shawnuff.net> Date: Wed, 24 Mar 2004 02:05:39 -0600
On Tue, 2004-03-23 at 10:19, Mike Shaw wrote:
> * It's about *risk*management*. FI's don't understand many technical
> things, but they understand this. Thus, many consultants end up looking
> pretty silly to FI's when they can't tie technical benefit to risk reduction.
In addition, links owned by processors etc are typically excluded from
vulnerability studies, and sure as hell from pentests. But you can
inquire about copies of the processors assessment. There are few
technical solutions to the issues raised by linking via a router to a
processor. If that link can be segmented and firewalled, fine. If not,
then this is something that should be highlighted in a risk assessment.
A vulnerability assessment should clearly mark it as excluded -- it can
not make any assertions about it, regarding vulnerabilities or
otherwise.
It's a business decision. After all, it's a business partner, not a
business scumbag, that they link up with. They may talk with each other,
they may know something about their networks, they may work together,
they may strive for security together, they rise and fall together. And
I bet there are agreements and insurance policies that protect them from
each other :)
Regards,
Frank
- application/pgp-signature attachment: This is a digitally signed message part
- Previous message: Frank Knobbe: "RE: Email Pen-testing"
- In reply to: Mike Shaw: "RE: Bank Audit Best practices"
- Next in thread: Roman Draconus
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
