I guess I'm not articulating well this early in the morning (only on a 1/2 cup of coffee so far), but I do understand Ken's point and would in other situations agree with it - but not in terms of remote access risks.
--
Espi

On Thu, Aug 1, 2013 at 6:42 AM, Andrew S. Baker <[email protected]> wrote:
> I think you missed Ken's point, Micheal.
>
> For any given scenario, the likelihood of it happening has to be
> considered AS WELL AS (not independently of) the consequences if it happens.
>
> His last paragraph is instructive here:
>
>> Using your method results in too much attention being paid to extreme
>> events, and inadequate supervision of more mundane, even boring, events
>> that result in small losses. Except lots of small losses can be just as
>> crippling to a business.
>
> As to the original question of "In short, what are the odds of a MITM
> attack actually happening between my remote employee and our ADFS server?"
>
> I would respond that there is insufficient information in the thread thus
> far to actually answer that question.
>
> David's question begs a few questions from me:
>
> -- How are the ADFS servers being used as relates to these remote devices?
> -- Why the focus on man-in-the-middle attacks? (Is this the only
> perceived risk of remote and mobile systems?)
> -- What apps will the users be accessing after authentication?
>
> Regards,
>
> ASB
> http://XeeMe.com/AndrewBaker
> Providing Virtual CIO Services (IT Operations & Information Security)
> for the SMB market...
>
> On Thu, Aug 1, 2013 at 9:32 AM, Micheal Espinola Jr <[email protected]> wrote:
>
>> Nothing is absolute, black and white, yadda yadda yadda - I'm not
>> speaking to every aspect of life or daily routine; I'm referring to the OP
>> issue of remote access and what information is accessible remotely. I also
>> think the meteor strike example is a bit extreme and out of scope for both
>> our viewpoints. I understand what you are trying to suggest, but there is
>> little/nothing we can do to predict or defend against such acts of nature.
>>
>> --
>> Espi
>>
>> On Thu, Aug 1, 2013 at 1:59 AM, Ken Schaefer <[email protected]> wrote:
>>
>>> Of course odds are important.
>>>
>>> Do you protect yourself against meteorite strike? That would result in
>>> catastrophic business loss. By your argument, “The odds don't matter if
>>> the risk will result in catastrophic loss to the business.”
>>>
>>> Most people don't because the odds are very low, even though the
>>> potential impact is high.
>>>
>>> Usually, most risk people use some weighted “probability of event”
>>> multiplied by “consequences of event” to determine a risk profile.
>>>
>>> e.g.
>>>
>>> 100% chance of losing $10 = 10 points
>>> 1% chance of losing $100 = 1 point
>>>
>>> The former event, even though the impact will cost you less if it
>>> eventuates, is of much more concern to risk managers. Weighting might be
>>> applied to “outlier” events (e.g. those of very high consequences)
>>>
>>> Using your method results in too much attention being paid to extreme
>>> events, and inadequate supervision of more mundane, even boring, events
>>> that result in small losses. Except lots of small losses can be just as
>>> crippling to a business.
>>>
>>> Cheers
>>> Ken
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
>>> Sent: Thursday, 1 August 2013 9:55 AM
>>> To: [email protected]
>>> Subject: Re: [NTSysADM] man-in-the-middle attack
>>>
>>> IMO, it's a matter of recreational gambling vs. professional (done for a
>>> living) gambling[1]. You know the odds, or you don't - doesn't matter.
>>> What matters is if you can continue to profit from the risk. Will the
>>> risk hurt the continuity of business operations in terms of revenue loss.
>>> The extreme example of this is Russian roulette.
>>>
>>> The resulting exposed data in a MitM scenario is unique and has
>>> substantial potential. What is important to monetize here is the loss
>>> resulting from a MitM attack at all levels of remote access for the
>>> organization.
>>>
>>> The odds don't matter if the risk will result in catastrophic loss to the
>>> business. As someone that has discovered corporate espionage intrusions,
>>> and systematically prevented the loss of future business deals worth
>>> millions of dollars (whose loss would have otherwise collapsed the
>>> business) - I have a specific view of this issue. The only additional info
>>> on this that I will provide is that the intrusion allowed a bidding
>>> competitor access to corporate communications as well as business plans and
>>> bidding documents. My discoveries led to the prevention of a competitor
>>> from staying one step ahead of us in business planning and bidding, and
>>> eventual Federal prosecution of the intruder.
>>>
>>> 1. I'm not a gambler, but I have known professional gamblers.
>>>
>>> --
>>> Espi
>>>
>>> On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer <[email protected]> wrote:
>>>
>>> > In any event, the odds are irrelevant - the issue is the business
>>> > risk of intrusion/loss.
>>>
>>> How can you say that “odds are irrelevant” if the issue is business
>>> risk?
>>>
>>> Risk is “potential for loss”, and potential includes a weighting for
>>> likelihood (i.e. “the odds”)?
>>>
>>> Can you clarify what you mean?
>>>
>>> Cheers
>>> Ken
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
>>> Sent: Thursday, 1 August 2013 1:43 AM
>>> To: [email protected]
>>> Subject: Re: [NTSysADM] man-in-the-middle attack
>>>
>>> Odds would be very difficult to extrapolate with any legitimate
>>> accuracy, as you need to know and control the possible environments and
>>> habits of your remote employees. In any event, the odds are irrelevant -
>>> the issue is the business risk of intrusion/loss.
>>>
>>> --
>>> Espi
>>>
>>> On Wed, Jul 31, 2013 at 8:07 AM, David Lum <[email protected]> wrote:
>>>
>>> I need to present management with the odds of this actually getting
>>> exploited, as I'd want to force TLS 1.2 for ADFS but that takes Chrome and
>>> more importantly Safari (iOS devices) out of the mix, so I suspect
>>> management might say “we want compatibility instead of protection from some
>>> obscure attack that is unlikely to happen.”
>>>
>>> In short, what are the odds of a MITM attack actually happening between
>>> my remote employee and our ADFS server?
>>>
>>> David Lum
>>> Sr. Systems Engineer // NWEATM
>>> Office 503.548.5229 // Cell (voice/text) 503.267.9764
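The "probability of event multiplied by consequences of event" model that Ken describes, and the compatibility-versus-protection trade-off David has to put in front of management, can be made concrete with a few lines of code. The following Python is an added example written for this archive page; it is not code from anyone in the thread. It reproduces Ken's two worked numbers (10 points and 1 point), adds an optional weighting for high-consequence "outlier" events as he suggests, and computes the break-even likelihood at which a control such as forcing TLS 1.2 on ADFS costs less than the expected loss it prevents. Every scenario name, probability, dollar loss and mitigation cost below is a constructed assumption for illustration, not a figure from the thread.

```python
"""Risk profile as probability x consequence, following the model in the thread.

All scenario names, probabilities and dollar figures are constructed
assumptions for illustration; none come from the mailing-list thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float           # chance of the event in the period considered, 0.0 to 1.0
    loss: float                  # cost to the business if the event happens, in dollars
    outlier_weight: float = 1.0  # extra weight for very-high-consequence "outlier" events


def risk_points(s: Scenario) -> float:
    """Probability of event multiplied by consequences of event, with an
    optional weighting for outlier (very high consequence) events."""
    if not 0.0 <= s.probability <= 1.0:
        raise ValueError(f"{s.name}: probability must be in [0, 1]")
    if s.loss < 0 or s.outlier_weight <= 0:
        raise ValueError(f"{s.name}: loss must be >= 0 and weight > 0")
    return s.probability * s.loss * s.outlier_weight


def rank(scenarios) -> list:
    """Highest risk points first: the ordering a risk register would show."""
    return sorted(scenarios, key=risk_points, reverse=True)


def breakeven_probability(loss: float, mitigation_cost: float,
                          outlier_weight: float = 1.0) -> float:
    """Likelihood at which the weighted expected loss equals the cost of mitigating.

    Above this value the control (e.g. forcing TLS 1.2 and paying the
    client-compatibility cost) is worth its price under the same model; below
    it, accepting the risk is the cheaper choice. A result above 1.0 means no
    likelihood makes the mitigation pay for itself.
    """
    if loss <= 0:
        raise ValueError("loss must be positive")
    return mitigation_cost / (loss * outlier_weight)


# Constructed scenarios: the first two are Ken's worked numbers, the rest are
# made-up figures chosen to contrast rare/high-impact with frequent/low-impact events.
SCENARIOS = [
    Scenario("Ken: 100% chance of losing $10", 1.00, 10),
    Scenario("Ken: 1% chance of losing $100", 0.01, 100),
    Scenario("constructed: lost laptop, disk encrypted", 0.20, 5_000),
    Scenario("constructed: MITM on remote ADFS logon", 0.02, 250_000),
    Scenario("constructed: meteorite strike on the office", 1e-7, 50_000_000),
]


def summary(scenarios=SCENARIOS) -> list:
    """(name, risk points rounded to cents) for each scenario, highest first."""
    return [(s.name, round(risk_points(s), 2)) for s in rank(scenarios)]


if __name__ == "__main__":
    for name, pts in summary():
        print(f"{pts:>10.2f}  {name}")
    # Assumed figures: $250k loss if the MITM succeeds, $20k to enforce TLS 1.2
    # (support effort plus the clients it locks out).
    p = breakeven_probability(loss=250_000, mitigation_cost=20_000)
    print(f"TLS 1.2 enforcement pays for itself once P(MITM) exceeds {p:.1%}")
```

Run as a script it prints the ranked register and the break-even likelihood; with the assumed numbers the MITM scenario sits at the top of the list while the meteorite, despite the far larger loss, ranks below Ken's certain $10 loss, which is exactly the point he makes about outlier events. The answer to David's question then becomes a threshold management can argue about (here 8%), rather than a single probability nobody in the thread could supply.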

