On Fri, 18 Aug 1995, Christopher Klaus wrote:
> Seems like many organizations do not reflect the value of their intellectual
> property to do the proper risk assessment of their network. Otherwise
> it would seem like a small price to spend $10-$100k on doing proactive
> security to keep their network safe from attack than to
> spend $10-$50k per workstation after they were compromised and then to
> lose vital technology to foreign competitive markets.
>
> I would like to see if others in the industry have any feelings about
> this situation.
This is what is keeping consultants like me very happily supplied with
customers. While my customer list is not extensive, half of my nine...
well let's say four of my customers were already connected to the
internet in some form. All four experienced some sort of "break-in"
prior to their contacting me.
One customer had a "loss of business" rider on his insurance and we had
to estimate the cost of the break-in, down time, etc. We were averaging
$15K per workstation (35) and estimated $40K for the server! They put
in a claim for $250K. Thank goodness they had backups or things would
have been more disastrous.
It all goes back to the "it can't happen to me" syndrome. People don't
believe or do not want to believe that it could happen to them. All
four of my already connected clients were people who I tried to
explain what is really going on. I have even tried to give them
copies of Cheswick's "Berferd" paper, Venema's paper (where he talks
about their "pet") or tell them to read Stoll's book "The Cuckoo's
Egg" as examples. I am shrugged off. Even using recent New York
Times articles on the apprehension of Kevin Mitnick gets me dirty looks.
I am now adding the Wall Street Journal's article on the cracking of
SSL's encryption to my arsenal. Will it work? I doubt it because I
know the argument against it already ("well, that's the international
version").
People are not into hearing about these problems. They see "Information
Super Highway... ooo goody! Let's go!" and they're off and running without
regard to the consequences.
Believe me, I am not complaining! I am making a very good living
because of it. But I would rather go into a company and start from
scratch rather than have to do a mop up job!
scott barman
--
scott barman                 DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com         and I speak only for myself.
barman@ix.netcom.com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of
network security just as the original PC and BASIC was the cause of
the de-evolution of programming."