> You're continuing to generalize, ignoring the specifics I was
referring to.

Well we can't have that!

 

> IMO, it's a matter of recreational gambling vs. professional (done for
a living) gambling[1].

Estimating risk vs. cost in a professional situation is indeed
"gambling" in a professional environment, regardless of whether one chooses
to refer to it as that.

 

> You know the odds, or you don't - doesn't matter. 

Most often such things are not absolutely knowable. The more information
you have, the closer you can estimate. Not having sufficient information
is itself a risk you must factor in. This is why many security alerts
include "severity levels" with them.

Please substantiate your assertions that this "does not matter".

 

> What matters is if you can continue to profit from the risk.

This statement seems to not make sense. By its very nature, a "risk" to
business is generally not something you "profit from". I suspect you
meant something else.

 

> Will the risk hurt the continuity of business operations in terms of
revenue loss.  The extreme example of this is Russian roulette.

This is part of the impact analysis. I'll note that your very own
example of Russian roulette typically involves odds... most often 1 in
6. Despite its catastrophic impact, I suspect you'd feel differently
about playing it if the odds were 1:1,000,000 (see also: taking a plane
flight).

 

> The resulting exposed data in a MitM scenario is unique and has
substantial potential.  

Why is this unique as compared to something like the VPN algorithm
itself being compromised, allowing the same level of remote access into
your org? Both have the same potential for damage.

 

> What is important to monetize here is the loss resulting from a MitM
attack at all levels of remote access for the organization.

Impact analysis again. Applied to a specific attack vector. There are
other avenues to gain remote access to an org: hardware backdoors,
compromised internal machines, faulty wireless implementations, etc...

 

> The odds don't matter if the risk will result in catastrophic loss to
the business.

Typically risk mitigation strategies have a cost attached to them. If
spending more than the business is worth in mitigating every risk with a
factor ratio > 0 bankrupts the business, then the results have been
equally catastrophic.

 

> As someone that has discovered corporate espionage intrusions, and
systematically prevented the loss of future business deals worth
millions of dollars (whose loss would have otherwise collapsed the
business)

What if the mitigation cost was tens of millions of dollars?

 

> - I have a specific view of this issue. 

That's what we've been telling you. :-)

-sc

From: [email protected]
[mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Friday, August 2, 2013 3:00 PM
To: [email protected]
Subject: Re: [NTSysADM] man-in-the-middle attack

 

You're continuing to generalize, ignoring the specifics I was referring
to.

--
Espi

On Fri, Aug 2, 2013 at 11:23 AM, Steven M. Caesare
<[email protected]> wrote:

Substitute any risk you want in any circumstance you want.

 

As long as the odds are > 0 then you have to consider mitigating that
risk... it then becomes a matter of cost to do so, the value proposition
of which depends on the potential damage from the event occurring.

 

How unlikely does an event have to be in order to spend $X on it?

 

-sc

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Friday, August 2, 2013 11:40 AM


To: [email protected]
Subject: Re: [NTSysADM] man-in-the-middle attack

 

Again, apples/oranges. I'm speaking of specific circumstance, and I'm
not about to include natural disasters in the debate. You can either
choose to see what I'm saying for what I'm saying, or don't. I'm not
generalizing. I'm speaking of data loss to remote access intrusion.

--
Espi

On Fri, Aug 2, 2013 at 6:53 AM, Steven M. Caesare <[email protected]>
wrote:

> The odds don't matter if the risk will result in catastrophic loss to
the business.

 

Sure they do.

 

A meteor that wipes out your facility in North America can be mitigated
by having a completely redundant $50bil factory in Europe.

 

Are you recommending that?

 

-sc

From: [email protected]
[mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Wednesday, July 31, 2013 7:55 PM


To: [email protected]
Subject: Re: [NTSysADM] man-in-the-middle attack

 

IMO, it's a matter of recreational gambling vs. professional (done for a
living) gambling[1]. You know the odds, or you don't - doesn't matter.
What matters is if you can continue to profit from the risk. Will the
risk hurt the continuity of business operations in terms of revenue
loss? The extreme example of this is Russian roulette.

 

The resulting exposed data in a MitM scenario is unique and has
substantial potential.  What is important to monetize here is the loss
resulting from a MitM attack at all levels of remote access for the
organization.  

 

The odds don't matter if the risk will result in catastrophic loss to the
business. As someone that has discovered corporate espionage
intrusions, and systematically prevented the loss of future business
deals worth millions of dollars (whose loss would have otherwise
collapsed the business) - I have a specific view of this issue. The
only additional info on this that I will provide is that the intrusion
allowed a bidding competitor access to corporate communications as well
as business plans and bidding documents. My discoveries led to the
prevention of a competitor from staying one step ahead of us in business
planning and bidding, and eventual Federal prosecution of the intruder.

 

 

1. I'm not a gambler, but I have known professional gamblers.

--
Espi

On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer <[email protected]> wrote:

> In any event, the odds are irrelevant - the issue is the business risk
of intrusion/loss. 

 

How can you say that "odds are irrelevant" if the issue is business
risk? 

 

Risk is "potential for loss", and potential includes a weighting for
likelihood (i.e. "the odds")?

 

Can you clarify what you mean?

 

Cheers

Ken 

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Thursday, 1 August 2013 1:43 AM


To: [email protected]
Subject: Re: [NTSysADM] man-in-the-middle attack

 

Odds would be very difficult to extrapolate with any legitimate
accuracy, as you need to know and control the possible environments and
habits of your remote employees.  In any event, the odds are irrelevant
- the issue is the business risk of intrusion/loss. 




--
Espi

On Wed, Jul 31, 2013 at 8:07 AM, David Lum <[email protected]> wrote:

I need to present management with the odds of this actually
getting exploited, as I'd want to force TLS 1.2 for ADFS but that takes
Chrome and more importantly Safari (iOS devices) out of the mix, so I
suspect management might say "we want compatibility instead of
protection from some obscure attack that is unlikely to happen."

         

In short, what are the odds of a MITM attack actually happening
between my remote employee and our ADFS server?

David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

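The arithmetic the whole thread argues over (likelihood times impact weighed against the cost of mitigating, Caesare's "how unlikely does an event have to be in order to spend $X on it?", and the point that missing information is itself a risk), as an added example that is not part of any message in the thread. All probabilities and dollar figures are constructed placeholders, not values from the discussion.

```python
"""Added example, not from the thread: risk = likelihood x impact, weighed against
the cost of mitigating it. All probabilities and dollar figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    p_low: float    # lowest plausible annual probability of the event
    p_high: float   # highest plausible; a wide band means little information
    impact: float   # loss in dollars if the event occurs


def expected_loss(p: float, impact: float) -> float:
    """Annualised loss expectancy: probability times impact."""
    return p * impact


def break_even_probability(mitigation_cost: float, impact: float) -> float:
    """Answers "how unlikely must the event be before spending $X on it?":
    above this probability the expected loss exceeds the mitigation cost."""
    return mitigation_cost / impact


def decide(risk: Risk, mitigation_cost: float) -> str:
    """Compare the mitigation cost against both ends of the likelihood band.

    If even the low estimate justifies the spend, mitigate; if even the high
    estimate does not, accept the risk; otherwise the missing information is
    itself the problem to work on (better telemetry, a narrower estimate)."""
    if expected_loss(risk.p_low, risk.impact) >= mitigation_cost:
        return "mitigate"
    if expected_loss(risk.p_high, risk.impact) < mitigation_cost:
        return "accept"
    return "need more information"


def mitigation_budget_fits(mitigation_costs: dict, business_value: float) -> bool:
    """Mitigating every risk with p > 0 must not cost more than the business is worth."""
    return sum(mitigation_costs.values()) <= business_value


# Constructed scenario: MitM against remote access to a federation server.
MITM = Risk("MitM on remote access", p_low=0.01, p_high=0.10, impact=5_000_000)

if __name__ == "__main__":
    for cost in (40_000, 200_000, 600_000):
        print(f"mitigation ${cost:,}: {decide(MITM, cost)}")
    # Same catastrophic impact, very different odds: 1 in 6 vs 1 in 1,000,000.
    print(expected_loss(1 / 6, MITM.impact), expected_loss(1e-6, MITM.impact))
```

The three mitigation costs land in the three different outcomes, which is the point: the same impact figure does not settle the decision without the odds and the spend.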