[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <9AD9D61578B84144912BCB44CBEF9EAD0700E820@usnssexc03.us.kworld.kpmg.com>
From: kenng at kpmg.com (Ng, Kenneth (US))
Subject: no more public exploits and general PoC gui
de lines
Its not my boss, but in conversations with many people that span many
companies, the general line of thought seems to be "until there is an active
exploit that is blowing away machines on my network, we will do nothing.
After all, not every vulnerability that is published is followed by a bad
exploit. And not every bad exploit manages to get inside. Your asking me
to spend real money on a theoritical problem. Remember: IT is a cost
center, something where you do everything possible to reduce costs and
expendatures."
The above are not my thoughts, they are a condensed version of many
conversations. Do I think it is penny wise and pound foolish? Yes. Do I
think these people are not seeing the big picture? Yes. But, I'm just an
advisor.
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Eric LeBlanc
Sent: Wednesday, April 28, 2004 9:36 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] no more public exploits and general PoC
gui de lines
On Tue, 27 Apr 2004, Jedi/Sector One wrote:
> On Tue, Apr 27, 2004 at 04:05:13PM -0400, kquest@...layer.com wrote:
> > Are you saying that unless there's an exploit
> > that gives you access to the target machine
> > your company wouldn't patch
>
> It's a matter of priority.
>
> For most PHBs, proactive security must be very low priority because
> keeping systems up to date doesn't bring any money to the company.
>
Just to tell your boss that the
worm/DoS/exploit/wathever-that-will-cause-a-severe-damage-on-machines-and-ne
twork
will cost them more than keeping their system up to date (with proof).
It's enough to convince them that the patching will save them a *LOT* of
money and time (if the patch don't broke the system of course, especially
with microsoft patches).
If they don't want to understand it.. Well, I want to be there when their
system will have a virus/wathever just to see their face :-) Oh, it's
possible that the VP of company will tell to you that it's YOUR fault...
E.
--
Eric LeBlanc
inouk@....net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
*****************************************************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized.
If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.
*****************************************************************************
Powered by blists - more mailing lists