[2334] in WWW Security List Archive


Re: Need a Security Consultant

daemon@ATHENA.MIT.EDU (Christopher Liljenstolpe)
Sat Jul 6 14:49:34 1996

From: chris.liljenstolpe@ssds.com (Christopher Liljenstolpe)
To: Frank Willoughby <frankw@in.net>
Cc: www-security@ns2.rutgers.edu,
        Vassilis Risopoulos <risopoul@informatik.uni-hamburg.de>,
        security@ssds.com
Date: Sat, 06 Jul 1996 16:45:34 GMT
Reply-To: chris.liljenstolpe@ssds.com
In-Reply-To: <9607051613.AA20767@su1.in.net>
Errors-To: owner-www-security@ns2.rutgers.edu

Greetings,

	Some of these comments are disturbing, and indicative of the
problems we have with INFOSEC in corporate America.

On Fri, 5 Jul 96 12:13:01 -0400, the sage Frank Willoughby
<frankw@in.net> scribed:

>At 02:03 PM 7/4/96 +0200, Vassilis Risopoulos allegedly wrote:
>
[SNIP]
>
>
>No offense taken and you raised some good points.  While I agree with 
>most of what you say, I don't agree with everything you said.  While 
>no security is 100% impenetrable (nor will it ever be), the goal of 
>good InfoSec is to make your company less appealing (ie - more difficult 
>to break into) than other companies.  

This is incorrect.  While this stance may protect an entity against a
low-grade threat attack (the attacker who is out "joy-riding"), it
will not protect a company that is the target of a directed attack
(mid-grade to high-grade).  In these cases, the act of breaking in is
not the driving force; achieving a goal after getting in is.

In these cases (industrial espionage, info-terrorism, information
warfare, etc.) the target is a specific entity or company, and the
attacker will not "just go away and attack a softer target" if the
target is hardened; the attacker will, instead, continue to probe
electronically, physically, and socially.  They WILL find a way in.
The goal is to make it VERY expensive for them to do so (hopefully
more expensive than the return on investment), detect them when they
DO get in, and limit the amount of damage that they can do.

American corporations are, for the most part, concerned about
low-grade threats, and are ignoring the potentially more devastating,
higher-grade threats.  Your statement is a PRIME example.

>
>IOW, if I'm taking a hike in the woods with someone else and a bear 
>starts to chase us, I only need to run faster than the other person 
>to be assured a reasonably good chance of coming out of the situation 
>(more or less) intact.  The same applies to businesses & hacking.  
>Hackers, like most other people, usually tend to go the path of least 
>resistance.  Why would they spend weeks or months trying to crack one 
>company while at another company, it only takes a few minutes?  Unless 
>the hacker has a personal axe to grind, they usually won't bother.
>
>During the time I worked at the subsidiary, we had no successful
>breakins.  You'll excuse me if I don't talk about that company's 
>security, but I will say that we made ourselves a less attractive 
>target than other corporations and that we spent some serious energy 
>into securing the remote access connections.  Not every company is 
>willing to spend some time & money in securing their remote access 
>connections (which represent one of the primary entry points an intruder 
>can have into a corporation) - and the results frequently show up in 
>the press.
>
>However, I will mention that it is a very wise procedure to have 
>as few gateways as possible and to guard those gateways like a hawk.  
>Assuming that the connections are secure AND that those connections 
>are monitored for potential abuses AND you are ready to pull the 
>plug if anything looks suspicious, THEN you have a decent start 
>on good network security.
>
>Kind regards, 
>
>
>Frank
>P.S. - Many thanks for your mail.  You brought a few important
>       topics to light.
>Any sufficiently advanced bug is indistinguishable from a feature.
>	-- Rich Kulawiec
>
><standard disclaimer>
>The opinions expressed above are of the author and may not 
>necessarily be representative of Fortified Networks Inc.
>
>Fortified Networks Inc. - Information Security Consulting 
>http://www.fortified.com     Phone: (317) 573-0800     FAX: (317) 573-0817     
>Home of the Free Internet Firewall Evaluation Checklist
>


--
   ( (   | (               Chris Liljenstolpe <Chris.Liljenstolpe@ssds.com>
    ) ) (|  ), inc.        SSDS, Inc; 8400 Normandale Lake Blvd.; Suite 993
   business driven         Bloomington, MN   55437; 
 technology solutions      TEL 612.921.2392  FAX 612.921.2395   Fram Fram Free!
 PGP Key 1024/E8546BD5     FE 43 BD A6 3C 13 6C DB  89 B3 E4 A1 BF 6D 2A A9
