FW: Small ISP/ASP security concerns

From: LMRebelo@montepiogeral.pt
Date: 07/24/01


Message-ID: <912E160A2D49D311823C00805FA6EA9CC61E34@wntalr20.alr2.montepio.com>
From: LMRebelo@montepiogeral.pt
To: security-basics@securityfocus.com
Subject: FW: Small ISP/ASP security concerns
Date: Tue, 24 Jul 2001 08:18:12 +0100

Hi,
I agree with Lucian.
One thing that management worries about is money (the only thing); if they
don't understand that the risk you are talking about can severely damage
their business, they will never take that action (spend more money? Why?).
By learning about "Risk Management" you will be able to convince them of what
could happen if an attack happens, the impact on the image that their clients
have of them, and the impact on the business. Another problem that we haven't
talked about is that, I think, it is your obligation to be able to convince
them of that (it comes with the job).

Luis Montanha Rebelo
Information System Internal Auditor

> -----Original Message-----
> From: Lucian MATEESCU [SMTP:lucian@mit.ro]
> Sent: 23 07, 2001 08:29
> To: security-basics@securityfocus.com
> Subject: RE: Small ISP/ASP security concerns
>
> Dear Nicholas
>
> I think that is another issue that you have to consider.
>
> From a business point of view, risk isn't bad and isn't good.
>
> In business you take risk as a way to grow. Some decision makers know
> very well what risk they expose their business to, and others just don't
> care.
>
> I think that the more appropriate way to convince them that they should
> consider your opinion is to "talk their language".
>
> Please read some papers about "risk management" from the net or buy some
> books. It will be great for your career also. And then put on paper
> how security issues affect their business. It is better than playing the
> "black hat / white hat" game (which I believe is dangerous for your job also).
>
> Include in this paper "numbers" so that they understand how a security
> incident will affect their business in terms of:
> - Down time
> - Trade secrets / patents costs (proprietary software
> should be considered)
> - Unsatisfied customers - contracts lost.
> Etc ...
>
> And what it is in terms of business costs related to improving the security
> level (money/time and other business resources).
>
> I think that with this document your management team could take a
> decision.
> If you think then that it is not a good management decision, then maybe you
> should consider a career change.
>
> If you need some more information, please let me know.
>
>
> -----Original Message-----
> From: Oliver Rochford [mailto:webmaster@meridian-consulting.de]
> Sent: Thursday, July 19, 2001 1:13 AM
> To: security-basics@securityfocus.com
> Subject: Re: Small ISP/ASP security concerns
>
> My advice, although it is a very drastic measure, is to set up a mock
> hack. Get someone to actually demonstrate to the company how vulnerable
> they are, and let something get hit hard that is really important (without
> destroying anything permanently, obviously).
> The only way some people learn is through feeling the consequences.
>
> Oliver Rochford
>
> Meridian Computer
> Grossestr.58
> 49565 Bramsche
> Tel:05461969696
> Fax:05461945372
> www.meridian-computer.de
> ----- Original Message -----
> From: Nicholas Janzen <nj@third-net.com>
> To: <security-basics@securityfocus.com>
> Sent: Wednesday, July 18, 2001 9:02 PM
> Subject: Small ISP/ASP security concerns
>
>
> > The company I work for is a small ISP/ASP.
> >
> > This company doesn't understand the risks associated with what they are
> > doing; they constantly come to me to open up their firewall, so the
> > latest conveniences will work.
> >
> > I have often showed them how easy it is for hackers to come in and view
> > what data passes through, as well as how easy it is for me to 'break'
> > into these servers/desktops.
> >
> > I value security greatly; at a previous job I had been involved in
> > security to a large degree.
> >
> > My question is, how can I convince these users that security is more
> > than just "a job for everyone else"?
> >
> > Before I started working here they were forced to get a security audit
> > by a 3rd party. They were able to lie their way around the questions and
> > therefore passed the audit. This was very bad, because now they have a
> > false sense of security.
> >
> > Thanks for your help.
> >
> > ----------------------------------
> > | Nicholas Janzen |
> > | Third-Net.Com INC |
> > | Visit http://www.third-net.com |
> > | for more information about us |
> > ----------------------------------
> >
> >
