I see it as a matter of severity. Malware attacks are, as you say, extremely common. They are also fairly easy to guard against (assuming the users do what they are told <ahem>) and even at that the majority are more annoying than threatening. The cost to guard against them ranges from very cheap (free SpyBot or Ad-Aware) to blocking at the firewall or using a content proxy.

From what was said in the first post, the inconvenience in this solution of guarding against a MitM attack is that some users have to give up using their browser of choice. If that's the only problem with the solution I say move forward; a handful of stalwart Safari users should not be able to hold the company's security hostage. And if it's a titled person doing it, he's doing the company a disservice.

But in deference to your management that likes things categorized, labeled, enumerated and fully known to the nth degree so a dollar cost per percentage of likelihood can be attached... there is no answer. Not all MitM attacks are reported; most are handled quietly. How many security issues have you run into over the years (up to and maybe including MitM)? How many did you write up and report in such a way that some future person could look up statistics based on the aggregate of such occurrences, including yours? Zero, right? Unless the reporting was actually part of your job description, or there was something unique or interesting about the attack, you just handled it and moved on like the rest of us do as we juggle umpty-hundred issues in a given time frame. The statistics are not available no matter how much your management may want it otherwise; the decision has to be made based on the consequences of the attack rather than the likelihood of it. Said consequences are potentially highly severe and injurious to the company.

As someone else pointed out, the consequence of a MitM can and does include compromising network security to the point where the CFO's workstation could be burglarized; account numbers and passwords - wouldn't that be lovely? The overhead of accomplishing a successful MitM attack means the attacker's intent is something a good deal more serious than a piece of malware that steals the user's home page; don't let management suck you into that apples-to-grapes comparison. Again, if the only objection to the solution is a handful of obstinate users, those users can go pound sand.

I have never experienced a kitchen fire but always have a fire extinguisher available. I don't care what the odds are of it happening; I do not wish to deal with the consequences of not being prepared for one. Keeping a fire extinguisher available is a small price to pay for preparedness. S*** happens; the wise man always keeps a roll of TP handy rather than weigh the odds of it happening at the wrong time and not carry a roll.
From: David Lum
Sent: Thursday, August 01, 2013 9:28 AM
To: [email protected]
Subject: RE: [NTSysADM] man-in-the-middle attack

What I mean is: is the inconvenience of increased security worth the risk? An extreme example is "computers can get infected via the Internet... let's disconnect from the Internet". The risk of one of 500 systems getting malware from the Internet over any six-month span is almost 100%, but the loss of business exceeds the most likely losses from being hit by malware. If a specific attack happens only once per 100,000,000 businesses in a six-month span (I have no clue on MITM; Googling "business exploited by man-in-the-middle" only returns how serious it is, but I am unable to find actual examples), is it worth worrying about? It's like hearing Diet Coke "is so bad for you it can kill you instantly", but not having any actual examples to back it up. I'm not saying I don't want to do this, but if management asks how likely it is to get exploited I'd like to give them *something*.

From: [email protected] [mailto:[email protected]] On Behalf Of Ken Schaefer
Sent: Wednesday, July 31, 2013 4:06 PM
To: [email protected]
Subject: RE: [NTSysADM] man-in-the-middle attack

> In any event, the odds are irrelevant - the issue is the business risk of
> intrusion/loss.

How can you say that "odds are irrelevant" if the issue is business risk? Risk is "potential for loss", and potential includes a weighting for likelihood (i.e. "the odds")? Can you clarify what you mean?

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Thursday, 1 August 2013 1:43 AM
To: [email protected]
Subject: Re: [NTSysADM] man-in-the-middle attack

Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible environments and habits of your remote employees. In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
--
Espi

On Wed, Jul 31, 2013 at 8:07 AM, David Lum <[email protected]> wrote:

I need to present management with the odds of this actually getting exploited, as I'd want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say "we want compatibility instead of protection from some obscure attack that is unlikely to happen." In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?

David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764
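The configuration David describes ("force TLS 1.2 for ADFS") is done at the Schannel layer on the ADFS server rather than in ADFS itself. The script below is an added example for this thread, not something any of the posters provided; it assumes ADFS on Windows Server 2012 R2, where the service sits on HTTP.sys/Schannel and is governed by the SCHANNEL\Protocols registry keys. It disables SSL 2.0/3.0 and TLS 1.0/1.1 for the Server role, enables TLS 1.2, and then prints the resulting per-protocol state so it can be reviewed before the reboot that Schannel needs to apply the change.

```powershell
# Added example (not from the thread). Restrict the Schannel *Server* side of an
# ADFS host to TLS 1.2. Run elevated on the ADFS server and on the Web Application
# Proxy; a reboot is required for Schannel to pick up the new values.
# Assumption: Windows Server 2012 R2 with ADFS served through HTTP.sys/Schannel.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,                              # e.g. 'TLS 1.2'
        [Parameter(Mandatory)] [ValidateSet('Server', 'Client')] [string] $Role,
        [Parameter(Mandatory)] [bool] $Enabled
    )
    $key = Join-Path (Join-Path $base $Protocol) $Role
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Schannel honours both values: Enabled=0 switches the protocol off outright,
    # DisabledByDefault=1 stops it being offered unless an application opts in.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value ([int](-not $Enabled)) -Force | Out-Null
}

# Server role: this is what remote browsers (and the WAP) are allowed to negotiate.
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Protocol $p -Role Server -Enabled $false
}
Set-SchannelProtocol -Protocol 'TLS 1.2' -Role Server -Enabled $true

# Review the resulting state for every protocol's Server key before rebooting.
Get-ChildItem $base -Recurse |
    Where-Object { $_.PSChildName -eq 'Server' } |
    ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Protocol          = $_.PSParentPath.Split('\')[-1]
            Enabled           = $v.Enabled
            DisabledByDefault = $v.DisabledByDefault
        }
    } | Format-Table -AutoSize
```

Two caveats a practitioner would want alongside this. First, the script touches only the Server role on purpose: ADFS is also a TLS *client* (to the Web Application Proxy and to federated partners), and on this platform .NET 4.x defaults to TLS 1.0 for outbound connections, so disabling TLS 1.0 on the peer without also setting `SchUseStrongCrypto` for .NET can break the ADFS-to-WAP trust. Second, this is exactly the change that produces the compatibility problem David raises: any client that cannot negotiate TLS 1.2 will fail the handshake rather than fall back, so test from the actual browser/device mix (iOS Safari in particular) before rebooting the production farm.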

