It includes ALL risks. Surely, you don't protect against EVERY SINGLE remote access risk regardless of probability, do you?

*ASB*
http://XeeMe.com/AndrewBaker
*Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…*

On Thu, Aug 1, 2013 at 9:54 AM, Micheal Espinola Jr <[email protected]> wrote:

> I guess I'm not articulating well this early in the morning (only on a 1/2 cup of coffee so far), but I do understand Ken's point and would in other situations agree with it - but not in terms of remote access risks.
>
> --
> Espi
>
> On Thu, Aug 1, 2013 at 6:42 AM, Andrew S. Baker <[email protected]> wrote:
>
>> I think you missed Ken's point, Micheal.
>>
>> For any given scenario, the likelihood of it happening has to be considered AS WELL AS (not independently of) the consequences if it happens.
>>
>> His last paragraph is instructive here:
>>
>>> Using your method results in too much attention being paid to extreme events, and inadequate supervision of more mundane, even boring, events that result in small losses. Except lots of small losses can be just as crippling to a business.
>>
>> As to the original question of "In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?"
>>
>> I would respond that there is insufficient information in the thread thus far to actually answer that question.
>>
>> David's question begs a few questions from me:
>>
>> -- How are the ADFS servers being used as relates to these remote devices?
>> -- Why the focus on man-in-the-middle attacks? (Is this the only perceived risk of remote and mobile systems?)
>> -- What apps will the users be accessing after authentication?
>>
>> Regards,
>>
>> *ASB*
>> http://XeeMe.com/AndrewBaker
>> *Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…*
>>
>> On Thu, Aug 1, 2013 at 9:32 AM, Micheal Espinola Jr <[email protected]> wrote:
>>
>>> Nothing is absolute, black and white, yadda yadda yadda - I'm not speaking to every aspect of life or daily routine; I'm referring to the OP issue of remote access and what information is accessible remotely. I also think the meteor strike example is a bit extreme and out of scope for both our viewpoints. I understand what you are trying to suggest, but there is little/nothing we can do to predict or defend against such acts of nature.
>>>
>>> --
>>> Espi
>>>
>>> On Thu, Aug 1, 2013 at 1:59 AM, Ken Schaefer <[email protected]> wrote:
>>>
>>>> Of course odds are important.
>>>>
>>>> Do you protect yourself against meteorite strike? That would result in catastrophic business loss. By your argument, "The odds don't matter if the risk will result in catastrophic loss to the business."
>>>>
>>>> Most people don't because the odds are very low, even though the potential impact is high.
>>>>
>>>> Usually, most risk people use some weighted "probability of event" multiplied by "consequences of event" to determine a risk profile.
>>>>
>>>> e.g.
>>>>
>>>> 100% chance of losing $10 = 10 points
>>>> 1% chance of losing $100 = 1 point
>>>>
>>>> The former event, even though the impact will cost you less if it eventuates, is of much more concern to risk managers. Weighting might be applied to "outlier" events (e.g. those of very high consequences).
>>>>
>>>> Using your method results in too much attention being paid to extreme events, and inadequate supervision of more mundane, even boring, events that result in small losses. Except lots of small losses can be just as crippling to a business.
>>>>
>>>> Cheers
>>>> Ken
>>>>
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
>>>> Sent: Thursday, 1 August 2013 9:55 AM
>>>> To: [email protected]
>>>> Subject: Re: [NTSysADM] man-in-the-middle attack
>>>>
>>>> IMO, it's a matter of recreational gambling vs. professional (done for a living) gambling[1]. You know the odds, or you don't - doesn't matter. What matters is if you can continue to profit from the risk. Will the risk hurt the continuity of business operations in terms of revenue loss? The extreme example of this is Russian roulette.
>>>>
>>>> The resulting exposed data in a MitM scenario is unique and has substantial potential. What is important to monetize here is the loss resulting from a MitM attack at all levels of remote access for the organization.
>>>>
>>>> The odds don't matter if the risk will result in catastrophic loss to the business. As someone that has discovered corporate espionage intrusions, and systematically prevented the loss of future business deals worth millions of dollars (whose loss would have otherwise collapsed the business) - I have a specific view of this issue. The only additional info on this that I will provide is that the intrusion allowed a bidding competitor access to corporate communications as well as business plans and bidding documents. My discoveries led to the prevention of a competitor from staying one step ahead of us in business planning and bidding, and eventual Federal prosecution of the intruder.
>>>>
>>>> 1. I'm not a gambler, but I have known professional gamblers.
>>>>
>>>> --
>>>> Espi
>>>>
>>>> On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer <[email protected]> wrote:
>>>>
>>>> > In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
>>>>
>>>> How can you say that "odds are irrelevant" if the issue is business risk?
>>>>
>>>> Risk is "potential for loss", and potential includes a weighting for likelihood (i.e. "the odds")?
>>>>
>>>> Can you clarify what you mean?
>>>>
>>>> Cheers
>>>> Ken
>>>>
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
>>>> Sent: Thursday, 1 August 2013 1:43 AM
>>>> To: [email protected]
>>>> Subject: Re: [NTSysADM] man-in-the-middle attack
>>>>
>>>> Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible environments and habits of your remote employees. In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
>>>>
>>>> --
>>>> Espi
>>>>
>>>> On Wed, Jul 31, 2013 at 8:07 AM, David Lum <[email protected]> wrote:
>>>>
>>>> I need to present management with the odds of this actually getting exploited, as I'd want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say "we want compatibility instead of protection from some obscure attack that is unlikely to happen."
>>>>
>>>> In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?
>>>>
>>>> David Lum
>>>> Sr. Systems Engineer // NWEATM
>>>> Office 503.548.5229 // Cell (voice/text) 503.267.9764
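A worked version of the "probability of event multiplied by consequences of event" scoring Ken describes, with his optional weighting for outlier events, added here as an illustration and not written by anyone in the thread; the two scenarios from his message are reproduced, and the catastrophic/mundane portfolio values are constructed, not estimates for ADFS or any real environment.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # chance the event occurs in the period, 0..1
    loss: float         # loss in dollars if it does occur


def expected_loss(s: Scenario) -> float:
    """Ken's 'points': probability of event x consequence of event."""
    return s.probability * s.loss


def weighted_score(s: Scenario, outlier_loss: float = float("inf"), weight: float = 1.0) -> float:
    """Same score, with an extra multiplier for 'outlier' events whose
    single-event loss is at or above outlier_loss (Ken's optional weighting)."""
    score = expected_loss(s)
    return score * weight if s.loss >= outlier_loss else score


def portfolio_score(scenarios: Iterable[Scenario], **kw) -> float:
    """Combined score of a set of scenarios (how many small losses add up)."""
    return sum(weighted_score(s, **kw) for s in scenarios)


def rank(scenarios: Iterable[Scenario], **kw) -> List[str]:
    """Scenario names, highest (weighted) score first."""
    return [s.name for s in sorted(scenarios, key=lambda s: weighted_score(s, **kw), reverse=True)]


# The two scenarios from Ken's message ...
KEN_EXAMPLES = [
    Scenario("100% chance of losing $10", 1.00, 10.0),
    Scenario("1% chance of losing $100", 0.01, 100.0),
]
# ... and a constructed portfolio (hypothetical figures): one rare catastrophic
# event against a dozen mundane ones, to show the small losses adding up.
CATASTROPHIC = Scenario("rare catastrophic intrusion", 0.001, 1_000_000.0)
MUNDANE = [Scenario(f"mundane loss #{i}", 0.5, 200.0) for i in range(1, 13)]

if __name__ == "__main__":
    for s in KEN_EXAMPLES:
        print(f"{s.name}: {expected_loss(s):.0f} points")
    print("ranking:", rank(KEN_EXAMPLES))
    print("catastrophic alone:", portfolio_score([CATASTROPHIC]), "vs mundane combined:", portfolio_score(MUNDANE))
    print("catastrophic with 3x outlier weight:", portfolio_score([CATASTROPHIC], outlier_loss=500_000, weight=3.0))
```

Unweighted, the dozen mundane events outscore the rare catastrophic one (1200 vs 1000 points); applying an outlier weight of 3 to losses at or above $500,000 reverses that, which is the judgement call the weighting leaves to the risk manager.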

