Re: Need a Security Consultant
At 02:03 PM 7/4/96 +0200, Vassilis Risopoulos allegedly wrote:
>> Thanks for the benefit of a doubt. As the last sentence seems to be
>> directed to the companies who have experienced ISOs, I'll answer for
>> Fortified Networks.
>> While I was there, we achieved and sustained the *highest* level
>> of measurable information security of any country in the world.
>> This compliance streak continued for over 4 *continuous* years.
>> While I was there, we withstood numerous hacking attacks and never
>> had a successful break-in.
> Freely quoting from a well-known Internet security book:
> "If you want to impress a security expert, tell him you've only been broken
> into twice in the last four years. If you say you've never had to suffer a
> successful attack, he'll dismiss you as ignorant."
> If you tell me you had a system that had unbreachable defenses for four
> years straight, I won't buy it - I'll probably think you didn't even notice
> the attack.
> If you tell me that once in these four years somebody broke in but you were
> able to patch the damage and the hole in less than three days, then I'll give
> a second thought to what you say.
> No offence intended with these words - just that I don't think any system
> can be that secure.
> Vassilis.-
No offense taken, and you raised some good points. While I agree with
most of what you say, I don't agree with everything you said. While
no security is 100% impenetrable (nor will it ever be), the goal of
good InfoSec is to make your company less appealing (i.e., more difficult
to break into) than other companies.
IOW, if I'm taking a hike in the woods with someone else and a bear
starts to chase us, I only need to run faster than the other person
to be assured a reasonably good chance of coming out of the situation
(more or less) intact. The same applies to businesses & hacking.
Hackers, like most other people, usually tend to go the path of least
resistance. Why would they spend weeks or months trying to crack one
company while at another company, it only takes a few minutes? Unless
the hacker has a personal axe to grind, they usually won't bother.
During the time I worked at the subsidiary, we had no successful
break-ins. You'll excuse me if I don't talk about that company's
security, but I will say that we made ourselves a less attractive
target than other corporations and that we spent some serious energy
on securing the remote access connections. Not every company is
willing to spend the time & money to secure their remote access
connections (which represent one of the primary entry points an intruder
can have into a corporation) - and the results frequently show up in
the press.
However, I will mention that it is a very wise procedure to have
as few gateways as possible and to guard those gateways like a hawk.
Assuming that the connections are secure AND that those connections
are monitored for potential abuses AND you are ready to pull the
plug if anything looks suspicious, THEN you have a decent start
on good network security.
Best regards,
Frank
P.S. - Many thanks for your mail. You brought a few important
topics to light.
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist
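The "guard the gateway like a hawk ... and be ready to pull the plug" advice above, as an added example that is not part of the original post or of Fortified Networks' material. It is a small monitor for a single remote-access gateway: it reads authentication log lines, flags sources that hit a failed-login threshold, flags a success that follows a run of failures from the same source, flags successful logins outside business hours, and returns the list of sources an operator would cut off. The log format, the sample lines, the threshold and the business-hours window are all constructed assumptions for the example, not any real product's output.

```python
"""Minimal remote-access gateway monitor (added example, not from the post).

Assumed log format (constructed for this example, one event per line):
    YYYY-MM-DD HH:MM:SS LOGIN_OK|LOGIN_FAIL user=<name> from=<ip>
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, including one malformed line to exercise parsing.
SAMPLE_LOG = """\
1996-07-04 09:12:01 LOGIN_OK user=frank from=10.1.1.20
1996-07-04 09:13:40 LOGIN_FAIL user=root from=192.0.2.77
1996-07-04 09:13:52 LOGIN_FAIL user=root from=192.0.2.77
1996-07-04 09:14:05 LOGIN_FAIL user=admin from=192.0.2.77
1996-07-04 09:14:30 LOGIN_OK user=admin from=192.0.2.77
1996-07-04 11:02:00 LOGIN_FAIL user=frank from=10.1.1.20
this line is not a login event
1996-07-04 23:41:10 LOGIN_OK user=frank from=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (LOGIN_OK|LOGIN_FAIL) user=(\S+) from=(\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, ip) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def find_abuses(log_text, fail_threshold=3, business_hours=(7, 19)):
    """Scan the log and return {ip: [reason, ...]} for every suspicious source.

    Rules (assumed policy for the example):
      * fail_threshold failed logins from one source -> flag
      * a success from a source that already reached the threshold -> flag
      * a success outside business_hours (start inclusive, end exclusive) -> flag
    """
    failures = defaultdict(int)
    findings = defaultdict(list)
    start_hour, end_hour = business_hours
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # malformed lines are ignored here; count them in production
        ts, result, user, ip = parsed
        if result == "LOGIN_FAIL":
            failures[ip] += 1
            if failures[ip] == fail_threshold:
                findings[ip].append(f"{fail_threshold} failed logins")
            continue
        # LOGIN_OK from here on
        if failures[ip] >= fail_threshold:
            findings[ip].append(
                f"successful login as {user} after {failures[ip]} failures"
            )
        if not (start_hour <= ts.hour < end_hour):
            findings[ip].append(
                f"login as {user} at {ts:%H:%M} outside business hours "
                f"{start_hour:02d}:00-{end_hour:02d}:00"
            )
    return dict(findings)


def pull_the_plug(findings):
    """Return the sorted list of source addresses to disconnect/block."""
    return sorted(findings)


if __name__ == "__main__":
    hits = find_abuses(SAMPLE_LOG)
    for ip, reasons in sorted(hits.items()):
        print(ip)
        for r in reasons:
            print("   ", r)
    print("block:", pull_the_plug(hits))
```

On the sample input, 192.0.2.77 is flagged twice (three failures, then a success as admin) and 198.51.100.9 once (a 23:41 login), while the single failure from 10.1.1.20 stays below the threshold. The "pull the plug" step is deliberately a returned list rather than an automatic firewall change, so that the decision stays with the person watching the gateway.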