>> I’m not saying I don’t want to do this, but if management asks how likely it is to get exploited I’d like to give them *something*.

If you don't have a good answer, it is best not to simply give one. It would be better to educate them on why the answer is hard to give.

In any event, I'll bet that you're MUCH more vulnerable to the remote users getting malware via a drive-by attack or an ill-advised link click and then the attacker tunnels through your VPN tunnel without ever getting *in the middle* of the VPN/remote authentication.

So, if I were going to put forth some effort to address anything, it would be lowering the risk of the scenario I presented vs the one you asked about.

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…

On Thu, Aug 1, 2013 at 10:28 AM, David Lum <[email protected]> wrote:

> What I mean is the inconvenience of increased security worth the risk? An extreme example is “computers can get infected via the Internet…let’s disconnect from the Internet”. The risk of one of 500 systems getting malware from the Internet over any six month span is almost 100%, but the loss of business exceeds the most likely losses from being hit by malware.
>
> If a specific attack happens only once per 100,000,000 businesses in a six month span (I have no clue on MITM, Googling “business exploited by man-in-the-middle” only returns how serious it is but I am unable to find actual examples), is it worth worrying about?
>
> It’s like hearing Diet Coke “it’s so bad for you it can kill you instantly”, but not having any actual examples to back it up.
>
> I’m not saying I don’t want to do this, but if management asks how likely it is to get exploited I’d like to give them *something*.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Ken Schaefer
> *Sent:* Wednesday, July 31, 2013 4:06 PM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] man-in-the-middle attack
>
> > In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
>
> How can you say that “odds are irrelevant” if the issue is business risk?
>
> Risk is “potential for loss”, and potential includes a weighting for likelihood (i.e. “the odds”)?
>
> Can you clarify what you mean?
>
> Cheers
> Ken
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Micheal Espinola Jr
> *Sent:* Thursday, 1 August 2013 1:43 AM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] man-in-the-middle attack
>
> Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible environments and habits of your remote employees. In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
>
> --
> Espi
>
> On Wed, Jul 31, 2013 at 8:07 AM, David Lum <[email protected]> wrote:
>
> I need to present management with the odds of this actually getting exploited, as I’d want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say “we want compatibility instead of protection from some obscure attack that is unlikely to happen.”
>
> In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?
>
> *David Lum*
> Sr. Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764

