Re: [Full-disclosure] Commercial pressure as a threat to security
Date: Tue Dec 06 2005 - 15:31:25 CST
On Tue, 06 Dec 2005 07:55:55 PST, Daniel Sichel said:
> Anyhow, Jason summed this up elegantly and succinctly. Is anybody
> addressing this problem with cheap software a small business can afford,
> even to test just the basics?
Plenty of people. Lots of people. Probably 80% or more of the people making
an actual living at the white hat side of security, in fact.
But if I were to actually *mention* anything that sounded like "unclued people
who just know how to do a basic pen test and can't 1337-hax0r a box by hand",
I'd start another flame-fest. ;)
No, those people won't save you from getting pwned by an uber-leet ninja hacker,
because they'll only test all the obvious simple stuff. On the other hand, it's
even more embarrassing to get pwned by a script kiddie using a 3-year-old exploit
because you didn't even check the obvious simple stuff.
And there are a lot more script kiddies out there than uber-leet ninja hackers,
and the uber-leet ninja hackers are probably busy elsewhere.
Yes, it's a business decision: You can spend $500 doing enough security to
stop 98% of the potential attackers, or spend gazillions to stop them *all*.
At some point, you have to decide "We've probably made it hard enough to attack
that the script kiddies can't get in, and the ninjas will hopefully go elsewhere
with a better effort/payback ratio".
And then be prepared to be wrong, just as you have hopefully prepared to be wrong
regarding your defenses against earthquakes, floods, and other unlikely to happen
I haven't looked at the CISSP, but I bet this concept of business trade-offs
is one of the things a CISSP is supposed to understand. It certainly isn't
something I've seen many signs of understanding from the crowd that's proud
they don't have a CISSP.
And if nothing else, even if your security needs say you should bring in a
talented guy to really pound the net into submission, you should *STILL* hire
the clueless idiot first, if for no other reason than it's better to be
paying the idiot $50/hour to find all the stupid-ass mistakes you made, than
paying the expert $250/hour to find all the stupid-ass mistakes, and then
another $250/hour to do the more in-depth checking. ;)