From: security at brvenik.com (Jason)
Subject: Avoiding being a good admin - was DCOM RPC exploit (dcom.c)

Now we are full circle.

Wrong, the cost benefit does work out for the business. We are at 3.9 
million because we did not pay attention to the assets that needed 
protecting and implement best practices. At 3.9 million we are still 
under the extremely conservative $4 million estimate from one single outage!

This is why I keep harping that if you implement the best practices you 
mitigate these issues from the start. It is a lot cheaper to mitigate 
and manage the risk proactively through the tools currently available 
than it is to patch everything in the fire drill because best practices 
were not utilized.

This DCOM issue that started this conversation off would be a completely 
low priority if it had been disabled for all the systems that did not 
need it and the attention could be given to the high risk systems where 
the money is.

It can be done and it is hard and it could be expensive but the 
alternative is more expensive and more difficult.



Valdis.Kletnieks@...edu wrote:

> On Tue, 29 Jul 2003 10:52:19 EDT, Jason <security@...enik.com>  said:
> 
> 
>>$15,600 * 83 = $1.3 million in lost time patching
>>
>>Compared to the very conservative 4 million lost otherwise?
>>
>>Add another million to the 1.3 mil to hire contractors and you still 
>>save almost 2 million.
> 
> 
> $1.3M to patch MS03-023.
> $1.3M to patch MS03-026.
> $1.3M to patch MS03-030.
> 
> Now you're up to $3.9M, and only saving $100K. *MAYBE*.  And if there's
> another advisory, there goes another $1.3M.  If there's 4 advisories a year,
> it actually makes financial *SENSE* to just say "screw it" and accept the
> fact that there will be a yearly worm-and-patch-everything party.
> 
> Maybe there's a *REASON* that IT security is underfunded - the cost/benefit
> doesn't work out for the business....

