
Re: Need a Security Consultant



Frank,

I used to work for General Electric Corporate Telecommunications. We ran the entire internet for the GE Domain, and we were constant targets for attack by hackers. It seems that they had us on a Hit List for Targets, because GE was so big that many of the hackers had formed Gangs to try to break in. They worked together in teams to break into the GE Domain. The NBC/Friends thing that occurred a while back really stirred things up too. But my point is that if you are part of Corporate America and are a high profile company, I think that the Gangs of Hackers and Phreakers are not just going to GO AWAY. They will continue to fight ya to get in, and if you are a Corporation, YOU ARE A CONSTANT TARGET. Making things harder for them to get in, well, that doesn't stop them or deter them. They have you on a HIT LIST, and will ALWAYS try to HACK IN!

So, I give your theory on making it too hard to scare people into giving up about 1 penny, because they weren't deterred by anything we tried. In fact, it just made it more fun for them. But we ran a pretty good security system there, with Firewall and Proxy systems and Port Filters on all Routing, etc.


Frank Willoughby wrote:
>
> At 02:03 PM 7/4/96 +0200, Vassilis Risopoulos allegedly wrote:
>
> > > Thanks for the benefit of a doubt. As the last sentence seems to be
> > > directed to the companies who have experienced ISOs, I'll answer for
> > > Fortified Networks.
> > > While I was there, we achieved and sustained the *highest* level
> > > of measurable information security of any country in the world.
> > > This compliance streak continued for over 4 *continuous* years.
> > > While I was there, we withstood numerous hacking attacks and never
> > > had a successful break-in.
> >
> > Free quoting from a known Internet Security book:
> > "If you want to impress a security expert, tell him you've only been broken
> > into twice in the last four years. If you say you've never had to suffer a
> > successful attack, he'll dismiss you as ignorant."
> >
> > If you tell me you had a system that had unbreachable defenses for four
> > years straight, I won't buy it - I'll probably think you didn't even notice
> > the attack.
> >
> > If you tell me that once in these four years somebody broke in but you were
> > able to patch the damage and the hole in less than three days, then I'll give
> > a second thought to what you say.
> >
> > No offence intended with these words - just that I don't think any system
> > can be that secure.
> >
> > Vassilis.-
>
> No offense taken, and you raised some good points. While I agree with
> most of what you say, I don't agree with everything you said. While
> no security is 100% impenetrable (nor will it ever be), the goal of
> good InfoSec is to make your company less appealing (ie - more difficult
> to break into) than other companies.
>
> IOW, if I'm taking a hike in the woods with someone else and a bear
> starts to chase us, I only need to run faster than the other person
> to be assured a reasonably good chance of coming out of the situation
> (more or less) intact. The same applies to businesses & hacking.
> Hackers, like most other people, usually tend to go the path of least
> resistance. Why would they spend weeks or months trying to crack one
> company while at another company it only takes a few minutes? Unless
> the hacker has a personal axe to grind, they usually won't bother.
>
> During the time I worked at the subsidiary, we had no successful
> break-ins. You'll excuse me if I don't talk about that company's
> security, but I will say that we made ourselves a less attractive
> target than other corporations and that we spent some serious energy
> on securing the remote access connections. Not every company is
> willing to spend some time & money in securing their remote access
> connections (which represent one of the primary entry points an intruder
> can have into a corporation) - and the results frequently show up in
> the press.
>
> However, I will mention that it is a very wise procedure to have
> as few gateways as possible and to guard those gateways like a hawk.
> Assuming that the connections are secure AND that those connections
> are monitored for potential abuses AND you are ready to pull the
> plug if anything looks suspicious, THEN you have a decent start
> on good network security.
>
> Kind regards,
>
> Frank
> P.S. - Many thanks for your mail. You brought a few important
>        topics to light.
>
> Any sufficiently advanced bug is indistinguishable from a feature.
>         -- Rich Kulawiec
>
> <standard disclaimer>
> The opinions expressed above are of the author and may not
> necessarily be representative of Fortified Networks Inc.
>
> Fortified Networks Inc. - Information Security Consulting
> http://www.fortified.com     Phone: (317) 573-0800     FAX: (317) 573-0817
> Home of the Free Internet Firewall Evaluation Checklist