lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200307291909.h6TJ9l3o018420@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Avoiding being a good admin - was DCOM RPC exploit (dcom.c) 

On Tue, 29 Jul 2003 13:14:49 EDT, Jason <security@...enik.com>  said:

> Wrong, the cost benefit does work out for the business. We are at 3.9 
> million because we did not pay attention to the assets that needed 
> protecting and implement best practices. At 3.9 million we are still 
> under the extremely conservative $4million estimate from one single outage!

You can harp on "best practices" all you want - hell, *I* certainly do
it enough.  However, you have to come to some realizations here.  All
"best practices" cost something to implement.  And at some point, the
cost of prevention is going to exceed the cost of cleaning up.

And at this point, the boss asks "So what are the chances we'll make
it through the entire rest of the fiscal year without having to blow
*another* $1.3M, compared to the chances we'll get wormed before the
next advisory comes out?"

Remember - we're up to MS03-*030* and it's still July.  At $1.3M per,
you've burned some $39M already to protect against a $4M threat.

Security is *tradeoffs*.  Do I wish all my users were patched against
MS03-026? Yes.  Do I think some will get trashed by whatever worm comes
by? Yes - the last worm nailed 200 boxes or so before we got specific
router filters in place.

However, when the cost of forcing *all* the users to upgrade exceeds
the cost of cleaning up the 200 that will get whacked, it's *REAL*
hard to get resources allocated - I've never net a VP-level exec
that would agree to the idea that they should spend $2M to protect
against a $500K threat because it's "best practices".  The only ways
you'll get your $2M is to either make it under $500K instead, or something
raises the $500K (for instance, if "liable for a $1.5M fine under the newly
passed protection-of-private-law" gets added in...)

Anybody who can't understand *that* probably doesn't get the joke
about a $200 chip protecting the $0.75 fuse by blowing up first....

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030729/93e8db54/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ