Re: Burned by IP INSPECT -- My Own Personal Journey

meta (Member), to aryoba:

I tell the paranoid QSAs what I think of their ideas every year lol
"But somebody could scale the telephone pole and strip the cable and tap it and steal data!" - Real QSA.
Risk management means average loss per event times annual rate of occurrence = potential loss. If potential loss is less than the cost of some action actually capable of remediating their delusional attack vector, there is no justification to do it.
aryoba (MVM):
said by meta:

I tell the paranoid QSA's what I think of their ideas every year lol

Once I had an honest response from one of those network security auditors. He did admit that a lot of the technical requirements to consider a network as a secure network are simply fabrications that bear no real meaning. Unless you are backed by expert lawyers and some government lobbyists, there is nothing you can do or say to change the rules of the game.
aryoba (MVM), to meta:
said by meta:

"But somebody could scale the telephone pole and strip the cable and tap it and steal data!" - Real QSA.

This reminds me of a story that a lot of government entities encrypt their data over point-to-point dedicated private links as a requirement, in order to avoid the situation where the ISP or telco steals their data. There are, however, no such requirements coming from some federal entities such as the Federal Reserve and financial exchanges. I guess some rules and/or mindsets are not applicable to all government entities.
cramer (Premium Member):
Cost and speed trump security.

And for the record, the only .gov systems I've ever known to use encryption are systems carrying sensitive information ("top secret", "classified", etc., i.e. not for the public to see. I couldn't believe the sheer volume of crap they stamp sensitive -- though partly because they don't want to take any time evaluating it.)
aryoba (MVM):
said by cramer:

Cost and speed trump security.

Basically, network security is about how much technical understanding your company lawyers have. At one of my previous companies, we had an Infrastructure Security VP who had JD and MBA degrees in addition to a network engineering and support background, which enabled him to see eye to eye with anybody, management and technical people alike, and which helped tremendously in implementing policies and procedures. So no fancy or frivolous stuff, just the necessary things to keep the cost minimal, yet we still passed the network security audit and compliance.