Indeed! ©

- WJR

On Fri, Aug 2, 2013 at 1:29 PM, John Cook <[email protected]> wrote:

> And that’s already mitigated by the cases of ammo being stockpiled!
>
> *John W. Cook*
> *Network Operations Manager*
> *Partnership For Strong Families*
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Steven M. Caesare
> *Sent:* Friday, August 02, 2013 2:32 PM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] man-in-the-middle attack
>
> Well given that its occurrence is a 100% certainty, I didn’t think that it really was fair to consider there being “odds” of its happening…
>
> -sc
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of* William Robbins
> *Sent:* Friday, August 2, 2013 2:27 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] man-in-the-middle attack
>
> I notice there's been no mention of the coming zombie apocalypse.
>
> - WJR
>
> On Fri, Aug 2, 2013 at 1:23 PM, Steven M. Caesare <[email protected]> wrote:
>
> Substitute any risk you want in any circumstance you want.
>
> As long as the odds are > 0 then you have to consider mitigating that risk… it then becomes a matter of cost to do so, the value proposition of which depends on the potential damage from the event occurring.
>
> How unlikely does an event have to be in order to spend $X on it?
>
> -sc
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Micheal Espinola Jr
> *Sent:* Friday, August 2, 2013 11:40 AM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] man-in-the-middle attack
>
> Again, apples/oranges. I'm speaking of specific circumstance, and I'm not about to include natural disasters in the debate. You can either choose to see what I'm saying for what I'm saying, or don't. I'm not generalizing. I'm speaking of data loss to remote access intrusion.
>
> --
> Espi
>
> On Fri, Aug 2, 2013 at 6:53 AM, Steven M. Caesare <[email protected]> wrote:
>
> > The odds don't matter if the risk will result in catastrophic loss to the business.
>
> Sure they do.
>
> A meteor that wipes out your facility in North America can be mitigated by having a completely redundant $50bil factory in Europe.
>
> Are you recommending that?
>
> -sc
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Micheal Espinola Jr
> *Sent:* Wednesday, July 31, 2013 7:55 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] man-in-the-middle attack
>
> IMO, it's a matter of recreational gambling vs. professional (done for a living) gambling[1]. You know the odds, or you don't - doesn't matter. What matters is if you can continue to profit from the risk. Will the risk hurt the continuity of business operations in terms of revenue loss? The extreme example of this is Russian roulette.
>
> The resulting exposed data in a MitM scenario is unique and has substantial potential. What is important to monetize here is the loss resulting from a MitM attack at all levels of remote access for the organization.
>
> The odds don't matter if the risk will result in catastrophic loss to the business. As someone that has discovered corporate espionage intrusions, and systematically prevented the loss of future business deals worth millions of dollars (whose loss would have otherwise collapsed the business) - I have a specific view of this issue. The only additional info on this that I will provide is that the intrusion allowed a bidding competitor access to corporate communications as well as business plans and bidding documents. My discoveries led to the prevention of a competitor from staying one step ahead of us in business planning and bidding, and eventual Federal prosecution of the intruder.
>
> 1. I'm not a gambler, but I have known professional gamblers.
>
> --
> Espi
>
> On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer <[email protected]> wrote:
>
> > In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
>
> How can you say that “odds are irrelevant” if the issue is business risk?
>
> Risk is “potential for loss”, and potential includes a weighting for likelihood (i.e. “the odds”)?
>
> Can you clarify what you mean?
>
> Cheers
> Ken
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Micheal Espinola Jr
> *Sent:* Thursday, 1 August 2013 1:43 AM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] man-in-the-middle attack
>
> Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible environments and habits of your remote employees. In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
>
> --
> Espi
>
> On Wed, Jul 31, 2013 at 8:07 AM, David Lum <[email protected]> wrote:
>
> I need to present management with the odds of this actually getting exploited, as I’d want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say “we want compatibility instead of protection from some obscure attack that is unlikely to happen.”
>
> In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?
>
> *David Lum*
> Sr. Systems Engineer // NWEA™

