Nothing is absolute, black and white, yadda yadda yadda - I'm not speaking to every aspect of life or daily routine; I'm referring to the OP issue of remote access and what information is accessible remotely. I also think the meteor strike example is a bit extreme and out of scope for both our viewpoints. I understand what you are trying to suggest, but there is little/nothing we can do to predict or defend against such acts of nature.
--
Espi

On Thu, Aug 1, 2013 at 1:59 AM, Ken Schaefer <[email protected]> wrote:

> Of course odds are important.
>
> Do you protect yourself against meteorite strike? That would result in
> catastrophic business loss. By your argument, “The odds don't matter if
> the risk will result in catastrophic loss to the business.”
>
> Most people don’t because the odds are very low, even though the
> potential impact is high.
>
> Usually, most risk people use some weighted “probability of event”
> multiplied by “consequences of event” to determine a risk profile.
>
> e.g.
>
> 100% chance of losing $10 = 10 points
> 1% chance of losing $100 = 1 point
>
> The former event, even though the impact will cost you less if it
> eventuates, is of much more concern to risk managers. Weighting might be
> applied to “outlier” events (e.g. those of very high consequences).
>
> Using your method results in too much attention being paid to extreme
> events, and inadequate supervision of more mundane, even boring, events
> that result in small losses. Except lots of small losses can be just as
> crippling to a business.
>
> Cheers
> Ken
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
> Sent: Thursday, 1 August 2013 9:55 AM
> To: [email protected]
> Subject: Re: [NTSysADM] man-in-the-middle attack
>
> IMO, it's a matter of recreational gambling vs. professional (done for a
> living) gambling [1]. You know the odds, or you don't - doesn't matter.
> What matters is if you can continue to profit from the risk. Will the
> risk hurt the continuity of business operations in terms of revenue loss?
> The extreme example of this is Russian roulette.
>
> The resulting exposed data in a MitM scenario is unique and has
> substantial potential. What is important to monetize here is the loss
> resulting from a MitM attack at all levels of remote access for the
> organization.
>
> The odds don't matter if the risk will result in catastrophic loss to the
> business. As someone that has discovered corporate espionage intrusions,
> and systematically prevented the loss of future business deals worth
> millions of dollars (whose loss would have otherwise collapsed the
> business) - I have a specific view of this issue. The only additional info
> on this that I will provide is that the intrusion allowed a bidding
> competitor access to corporate communications as well as business plans and
> bidding documents. My discoveries led to the prevention of a competitor
> from staying one step ahead of us in business planning and bidding, and
> eventual Federal prosecution of the intruder.
>
> 1. I'm not a gambler, but I have known professional gamblers.
>
> --
> Espi
>
> On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer <[email protected]> wrote:
>
> > > In any event, the odds are irrelevant - the issue is the business
> > > risk of intrusion/loss.
> >
> > How can you say that “odds are irrelevant” if the issue is business risk?
> >
> > Risk is “potential for loss”, and potential includes a weighting for
> > likelihood (i.e. “the odds”)?
> >
> > Can you clarify what you mean?
> >
> > Cheers
> > Ken
> >
> > From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
> > Sent: Thursday, 1 August 2013 1:43 AM
> > To: [email protected]
> > Subject: Re: [NTSysADM] man-in-the-middle attack
> >
> > Odds would be very difficult to extrapolate with any legitimate accuracy,
> > as you need to know and control the possible environments and habits of
> > your remote employees. In any event, the odds are irrelevant - the issue
> > is the business risk of intrusion/loss.
> >
> > --
> > Espi
> >
> > On Wed, Jul 31, 2013 at 8:07 AM, David Lum <[email protected]> wrote:
> >
> > > I need to present management with the odds of this actually getting
> > > exploited, as I’d want to force TLS 1.2 for ADFS but that takes Chrome and
> > > more importantly Safari (iOS devices) out of the mix, so I suspect
> > > management might say “we want compatibility instead of protection from some
> > > obscure attack that is unlikely to happen.”
> > >
> > > In short, what are the odds of a MITM attack actually happening between my
> > > remote employee and our ADFS server?
> > >
> > > David Lum
> > > Sr. Systems Engineer // NWEA™
> > > Office 503.548.5229 // Cell (voice/text) 503.267.9764
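The "probability of event × consequences of event" scoring Ken describes, with the optional extra weighting for high-consequence outliers he mentions, as an added example that is not part of the thread. Ken's two sample events are used as given; the MitM, laptop and meteorite figures are constructed placeholders, not estimates from anyone on the list.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float  # chance the event occurs in the period (0..1)
    loss: float         # cost in dollars if it does occur


def score(risk: Risk, outlier_threshold: float = 0.0,
          outlier_weight: float = 1.0) -> float:
    """Expected loss = probability * consequence.

    If outlier_threshold is set, events whose single-occurrence loss
    exceeds it are multiplied by outlier_weight, which is the kind of
    tail weighting Ken says risk managers sometimes apply."""
    expected = risk.probability * risk.loss
    if outlier_threshold and risk.loss > outlier_threshold:
        expected *= outlier_weight
    return expected


def rank(register, **kw):
    """Return (name, score) pairs, highest concern first."""
    return sorted(((r.name, score(r, **kw)) for r in register),
                  key=lambda pair: pair[1], reverse=True)


def total_expected_loss(register) -> float:
    """Sum of unweighted expected losses: many 'boring' small events
    can add up to more than one dramatic one."""
    return sum(score(r) for r in register)


# Constructed risk register (assumed values, for illustration only).
REGISTER = [
    Risk("certain small loss (Ken's example)", 1.00, 10),
    Risk("rare $100 loss (Ken's example)", 0.01, 100),
    Risk("lost laptop with cached credentials", 0.20, 3_000),
    Risk("MitM on a remote ADFS login", 0.001, 250_000),
    Risk("meteorite strike on the data centre", 1e-8, 50_000_000),
]

if __name__ == "__main__":
    for name, points in rank(REGISTER):
        print(f"{points:10.2f}  {name}")
    print("total expected loss:", total_expected_loss(REGISTER))
```

Running it once unweighted and once with `outlier_threshold=100_000, outlier_weight=100` shows how much the tail weighting, not the raw odds, decides whether the MitM entry outranks the everyday items.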

