Why are "remote access" risks any different from any other type of risk? They 
all cause consequences.

Surely it's the consequences that are important, not the manner of delivery. 
The manner of delivery is important in determining the mitigation/management 
steps, but it's the overall consequence that determines how much attention you 
need to pay to it.

Cheers
Ken

From: [email protected] [mailto:[email protected]] On 
Behalf Of Micheal Espinola Jr
Sent: Thursday, 1 August 2013 11:54 PM
To: [email protected]
Subject: Re: [NTSysADM] man-in-the-middle attack

I guess I'm not articulating well this early in the morning (only on a 1/2 cup 
of coffee so far), but I do understand Ken's point and would in other 
situations agree with it - but not in terms of remote access risks.

--
Espi


On Thu, Aug 1, 2013 at 6:42 AM, Andrew S. Baker 
<[email protected]> wrote:
I think you missed Ken's point, Micheal.

For any given scenario, the likelihood of it happening has to be considered AS 
WELL AS (not independently of) the consequences if it happens.

His last paragraph is instructive here:

Using your method results in too much attention being paid to extreme events, 
and inadequate supervision of more mundane, even boring, events that result in 
small losses. Except lots of small losses can be just as crippling to a 
business.


As to the original question of "In short, what are the odds of a MITM attack 
actually happening between my remote employee and our ADFS server?"

I would respond that there is insufficient information in the thread thus far 
to actually answer that question.

David's question begs a few questions from me:
-- How are the ADFS servers being used as it relates to these remote devices?
-- Why the focus on man-in-the-middle attacks?  (Is this the only perceived 
risk of remote and mobile systems?)
-- What apps will the users be accessing after authentication?

Regards,

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...

On Thu, Aug 1, 2013 at 9:32 AM, Micheal Espinola Jr 
<[email protected]> wrote:
Nothing is absolute, black and white, yadda yadda yadda - I'm not speaking to 
every aspect of life or daily routine; I'm referring to the OP issue of remote 
access and what information is accessible remotely. I also think the meteor 
strike example is a bit extreme and out of scope for both our viewpoints. I 
understand what you are trying to suggest, but there is little/nothing we can do 
to predict or defend against such acts of nature.

--
Espi


On Thu, Aug 1, 2013 at 1:59 AM, Ken Schaefer 
<[email protected]> wrote:
Of course odds are important.

Do you protect yourself against meteorite strike? That would result in 
catastrophic business loss. By your argument, "The odds don't matter if the risk 
will result in catastrophic loss to the business."

Most people don't because the *odds* are very low, even though the potential 
impact is high.

Usually, most risk people use some weighted "probability of event" multiplied 
by "consequences of event" to determine a risk profile.

e.g.

100% chance of losing $10 = 10 points
1% chance of losing $100 = 1 point

The former event, even though the impact will cost you less if it eventuates, 
is of much more concern to risk managers. Weighting might be applied to 
"outlier" events (e.g. those of very high consequences).

Using your method results in too much attention being paid to extreme events, 
and inadequate supervision of more mundane, even boring, events that result in 
small losses. Except lots of small losses can be just as crippling to a 
business.

Cheers
Ken
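Ken's scoring above (probability of event multiplied by consequence, with an optional weighting for high-consequence outliers), as an added example that is not part of the thread: a small Python risk register that scores and ranks scenarios, so rare catastrophic events and frequent small losses end up on the same scale. Ken's two figures are reused as-is; the MITM and laptop scenario figures are constructed placeholders, not numbers anyone in the thread gave.

```python
# Added example, not from the thread: Ken's "probability x consequence"
# scoring over a constructed risk register, with optional outlier weighting.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float     # chance of the event per opportunity, 0.0 to 1.0
    loss: float            # consequence if it occurs, in dollars
    opportunities: int = 1 # how many times it can occur in the period


def expected_loss(probability: float, loss: float) -> float:
    """Ken's unweighted score: probability multiplied by consequence."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * loss


def weighted_score(s: Scenario, outlier_threshold: float, outlier_weight: float) -> float:
    """Expected loss over the whole period, multiplied by outlier_weight when the
    single-event consequence reaches outlier_threshold (Ken's optional weighting)."""
    base = expected_loss(s.probability, s.loss) * s.opportunities
    return base * outlier_weight if s.loss >= outlier_threshold else base


def rank(register, outlier_threshold=1_000_000.0, outlier_weight=1.0):
    """Return (name, score) pairs, highest score first, so mundane-but-frequent
    losses are compared directly against rare catastrophic ones."""
    scored = [(s.name, weighted_score(s, outlier_threshold, outlier_weight))
              for s in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed register: Ken's two examples plus hypothetical figures for the
# thread's MITM-on-remote-access scenario and a frequent small loss.
REGISTER = [
    Scenario("sure $10 loss", 1.00, 10.0),
    Scenario("1% chance of $100", 0.01, 100.0),
    Scenario("MITM on remote ADFS logon (hypothetical figures)", 0.02, 500_000.0),
    Scenario("laptop rebuild after mishandling (hypothetical)", 0.30, 2_000.0, 50),
]

if __name__ == "__main__":
    for name, score in rank(REGISTER):
        print(f"{score:>12,.2f}  {name}")
```

With the default weight of 1.0 the frequent small loss outranks the hypothetical MITM scenario; raising the outlier weight is what moves the catastrophic event back to the top, which is exactly the judgement call Ken's last sentence describes.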

From: [email protected] [mailto:[email protected]] 
On Behalf Of Micheal Espinola Jr
Sent: Thursday, 1 August 2013 9:55 AM

To: [email protected]
Subject: Re: [NTSysADM] man-in-the-middle attack

IMO, it's a matter of recreational gambling vs. professional (done for a living) 
gambling[1]. You know the odds, or you don't - doesn't matter. What matters 
is if you can continue to profit from the risk. Will the risk hurt the 
continuity of business operations in terms of revenue loss? The extreme 
example of this is Russian roulette.

The resulting exposed data in a MitM scenario is unique and has substantial 
potential.  What is important to monetize here is the loss resulting from a 
MitM attack at all levels of remote access for the organization.

The odds don't matter if the risk will result in catastrophic loss to the 
business.  As someone that has discovered corporate espionage intrusions, and 
systematically prevented the loss of future business deals worth millions of 
dollars (whose loss would have otherwise collapsed the business) - I have a 
specific view of this issue.  The only additional info on this that I will 
provide is that the intrusion allowed a bidding competitor access to corporate 
communications as well as business plans and bidding documents.  My discoveries 
led to the prevention of a competitor from staying one step ahead of us in 
business planning and bidding, and eventual Federal prosecution of the intruder.


1. I'm not a gambler, but I have known professional gamblers.

--
Espi


On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer 
<[email protected]> wrote:
> In any event, the odds are irrelevant - the issue is the business risk of 
> intrusion/loss.

How can you say that "odds are irrelevant" if the issue is business risk?

Risk is "potential for loss", and potential includes a weighting for likelihood 
(i.e. "the odds")?

Can you clarify what you mean?

Cheers
Ken

From: [email protected] [mailto:[email protected]] 
On Behalf Of Micheal Espinola Jr
Sent: Thursday, 1 August 2013 1:43 AM

To: [email protected]
Subject: Re: [NTSysADM] man-in-the-middle attack

Odds would be very difficult to extrapolate with any legitimate accuracy, as 
you need to know and control the possible environments and habits of your 
remote employees.  In any event, the odds are irrelevant - the issue is the 
business risk of intrusion/loss.

--
Espi


On Wed, Jul 31, 2013 at 8:07 AM, David Lum 
<[email protected]> wrote:
I need to present management with the odds of this actually getting exploited, 
as I'd want to force TLS 1.2 for ADFS but that takes Chrome and more 
importantly Safari (iOS devices) out of the mix, so I suspect management might 
say "we want compatibility instead of protection from some obscure attack that 
is unlikely to happen."

In short, what are the odds of a MITM attack actually happening between my 
remote employee and our ADFS server?
David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764