 aryobaPremium,MVM join:2002-08-22 kudos:3 | reply to nosx
Re: Burned by IP INSPECT -- My Own Personal Journey said by nosx:Network security is the oxymoron, it provides a false sense of protection that turns our infrastructure into complex time sucking tar pits that looks like swiss cheese to savvy attackers.
Tell that to network security auditors and they will stare at you funny.
nosx join:2004-12-27 kudos:5 | I tell the paranoid QSAs what I think of their ideas every year lol. "But somebody could scale the telephone pole and strip the cable and tap it and steal data!" - Real QSA. Risk management means average loss per event times annual rate of occurrence = potential loss. If potential loss is less than the cost of some action actually capable of remediating their delusional attack vector, there is no justification to do it.
aryobaPremium,MVM join:2002-08-22 kudos:3 | said by nosx:I tell the paranoid QSAs what I think of their ideas every year lol
Once I had an honest response from one of those network security auditors. He did admit that a lot of the technical requirements to consider a network as a secure network are simply fabrications that bear no real meaning. Unless you are backed by expert lawyers and some government lobbyists, there is nothing you can do or say to change the rules of the game.
aryobaPremium,MVM join:2002-08-22 kudos:3 | reply to nosx said by nosx:"But somebody could scale the telephone pole and strip the cable and tap it and steal data!" - Real QSA.
This reminds me of a story that a lot of government entities encrypt their data over point-to-point dedicated private links as a requirement in order to avoid the situation where the ISP or telco steals their data. There are however no such requirements coming from some federal entities such as the Federal Reserve and financial exchanges. I guess some rules and/or mindsets are not applicable to all government entities.
cramer join:2007-04-10 Raleigh, NC kudos:7 | Cost and speed trump security.
And for the record, the only .gov systems I've ever known to use encryption are systems carrying sensitive information ("top secret", "classified", etc., i.e. not for the public to see. I couldn't believe the sheer volume of crap they stamp sensitive -- 'tho partly because they don't want to take any time evaluating it.)
aryobaPremium,MVM join:2002-08-22 kudos:3 | said by cramer:Cost and speed trump security.
Basically network security is about how much technical understanding your company lawyers have, and where they have it. At one of my previous companies, we had an Infrastructure Security VP with JD and MBA degrees in addition to a network engineering and support background, which enabled him to see eye to eye with anybody, management and technical people alike, and helped tremendously in implementing policies and procedures. So no fancy or frivolous stuff, just the necessary things to keep the cost minimal, yet we still passed the network security audit and compliance.