Seeing as how you are obviously referring to me, allow me to ask:
Given that I responded to your _SPECIFIC_ point about this being a MTIM attack (quoted below for you convenience), why your subsequent dismissive response? -sc (quotation follows) "> The resulting exposed data in a MitM scenario is unique and has substantial potential. Why is this unique as compared to something like the VPN algorithm itself being compromised allowing the same level of remote access in to your org? Both have the same potential for damage." From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Tuesday, August 6, 2013 1:19 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack My "whatev" was a sarcastic reply to someone I have known online for years. Like I said, I'm not repeating myself. You see the point, or you dont. Some people do (as reflected by offline communications), and some people don't. This is a matter of choosing to or not. I'm not going to try to change your theology on risk management. But I will state /one last time/, that my opinion on this reflects a specific scenario and is not a generalization of risk assessment as many have tried to infer. And with that, if nothing new is introduced, I'm archiving this thread. -- Espi On Tue, Aug 6, 2013 at 9:10 AM, Lora Cates <lora.ca...@rocketmail.com> wrote: I find it interesting that there are several folks, myself included, that fail to see your point, yet when pressed for details on specific points you reply with the deeply insightful "Whatev." and now declare the conversation ended so you are taking your ball and going home. Are you just unwilling to explain yourself, or unable? -lc > From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] > On Behalf Of Micheal Espinola Jr > Sent: Monday, August 5, 2013 8:35 PM > > > To: ntsysadm@lists.myitforum.com > Subject: Re: [NTSysADM] man-in-the-middle attack > > > > I guess you either see my specific point or you don't. I stated it, and I'm > not one to engage in arguments were I just repeat myself because people are > choosing to ignore, overlook, or simply disregard my point. If you don't > agree, don't, and move on. If you dont know what my "specifics" were, then > I dont know what to tell you - other than, I guess reread the emails. > > > > In any event, I'm no longer interested in this topic of conversation, since > it stopped actually being one many replies back. > > > -- > Espi > > > > > > On Mon, Aug 5, 2013 at 5:16 PM, Ken Schaefer <k...@kj.net.au> wrote: > > What are the characteristics of the "specifics" you're referring to that > make a general analysis not applicable? > > > > I think this is the crux of the issue taken with your original post. > > > > Cheers > > Ken > > > > From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] > On Behalf Of Micheal Espinola Jr > Sent: Saturday, 3 August 2013 5:00 AM > > > To: ntsysadm@lists.myitforum.com > Subject: Re: [NTSysADM] man-in-the-middle attack > > > > You're continuing to generalize, ignoring the specifics I was referring to. > > > -- > Espi > > > > > > On Fri, Aug 2, 2013 at 11:23 AM, Steven M. Caesare <scaes...@caesare.com> > wrote: > > Substitute any risk you what in any circumstance you want. > > > > As long as the odds are > 0 then you have to consider mitigating that risk... > it then becomes a matter of cost to do so, the value proposition of which > depends on the potential damage from the event occuring. > > > > How unlikely does an event have to be in order to spend $X on it? > > > > -sc > > > > From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] > On Behalf Of Micheal Espinola Jr > Sent: Friday, August 2, 2013 11:40 AM > > > To: ntsysadm@lists.myitforum.com > Subject: Re: [NTSysADM] man-in-the-middle attack > > > > Again, apples/oranges. I'm speaking of specific circumstance, and I'm not > about to include natural disasters in the debate. You can either choose to > see what I'm saying for what I'm saying, or don't. I'm not generalizing. > I'm speaking of data loss to remote access intrusion. > > > -- > Espi > > > > > > On Fri, Aug 2, 2013 at 6:53 AM, Steven M. Caesare <scaes...@caesare.com> > wrote: > >> The odds dont matter if the risk will result in catastrophic loss to the >> business. > > > > Sure they do. > > > > A meteor that wipes out your facility in North America can be mitigated by > having a completely redundant $50bil factory in Europe. > > > > Are you recommending that? > > > > -sc > > > > > > From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] > On Behalf Of Micheal Espinola Jr > Sent: Wednesday, July 31, 2013 7:55 PM > > > To: ntsysadm@lists.myitforum.com > Subject: Re: [NTSysADM] man-in-the-middle attack > > > > IMO, its a matter of recreational gambling vs. professional (done for a > living) gambling[1]. You know the odds, or you don't - doesn't matter. > What matters is if you can continue to profit from the risk. Will the risk > hurt the continuity of business operations in terms of revenue loss. The > extreme example of this is Russian roulette. > > > > The resulting exposed data in a MitM scenario is unique and has substantial > potential. What is important to monetize here is the loss resulting from a > MitM attack at all levels of remote access for the organization. > > > > The odds dont matter if the risk will result in catastrophic loss to the > business. As someone that has discovered corporate espionage intrusions, > and systematically prevented the loss of future business deals worth > millions of dollars (whose loss would have otherwise collapsed the business) > - I have a specific view of this issue. The only additional info on this > that I will provide is that the intrusion allowed a bidding competitor > access to corporate communications as well as business plans and bidding > documents. My discoveries led to the prevention of a competitor from > staying one step ahead of us in business planning and bidding, and eventual > Federal prosecution of the intruder. > > > > > > 1. I'm not a gambler, but I have known professional gamblers. > > > -- > Espi > > > > > > On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer <k...@kj.net.au> wrote: > >> In any event, the odds are irrelevant - the issue is the business risk of >> intrusion/loss. > > > > How can you say that "odds are irrelevant" if the issue is business risk? > > > > Risk is "potential for loss", and potential includes a weighting for > likelihood (i.e. "the odds")? > > > > Can you clarify what you mean? > > > > Cheers > > Ken > > > > From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] > On Behalf Of Micheal Espinola Jr > Sent: Thursday, 1 August 2013 1:43 AM > > > To: ntsysadm@lists.myitforum.com > Subject: Re: [NTSysADM] man-in-the-middle attack > > > > Odds would be very difficult to extrapolate with any legitimate accuracy, as > you need to know and control the possible environments and habits of your > remote employees. In any event, the odds are irrelevant - the issue is the > business risk of intrusion/loss. > > > -- > Espi > > > > > > On Wed, Jul 31, 2013 at 8:07 AM, David Lum <david....@nwea.org> wrote: > > I need to present management with the odds of this actually getting > exploited, as I'd want to force TLS 1.2 for ADFS but that takes Chrome and > more importantly Safari (iOS devices) out of the mix, so I suspect > management might say "we want compatibility instead of protection from some > obscure attack that is unlikely to happen. > > > > In short, what are the odds of a MITM attack actually happening between my > remote employee and our ADFS server? > > David Lum > Sr. Systems Engineer // NWEATM > Office 503.548.5229 // Cell (voice/text) 503.267.9764