RE: [NTSysADM] man-in-the-middle attack
Seeing as how you are obviously referring to me, allow me to ask:

Given that I responded to your _SPECIFIC_ point about this being a MITM attack (quoted below for your convenience), why your subsequent dismissive response?

-sc

(quotation follows)

“The resulting exposed data in a MitM scenario is unique and has substantial potential. Why is this unique as compared to something like the VPN algorithm itself being compromised allowing the same level of remote access in to your org? Both have the same potential for damage.”

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Tuesday, August 6, 2013 1:19 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] man-in-the-middle attack

My whatev was a sarcastic reply to someone I have known online for years. Like I said, I'm not repeating myself. You see the point, or you don't. Some people do (as reflected by offline communications), and some people don't. This is a matter of choosing to or not. I'm not going to try to change your theology on risk management. But I will state /one last time/, that my opinion on this reflects a specific scenario and is not a generalization of risk assessment as many have tried to infer.

And with that, if nothing new is introduced, I'm archiving this thread.

-- Espi

On Tue, Aug 6, 2013 at 9:10 AM, Lora Cates lora.ca...@rocketmail.com wrote:

I find it interesting that there are several folks, myself included, that fail to see your point, yet when pressed for details on specific points you reply with the deeply insightful Whatev. and now declare the conversation ended so you are taking your ball and going home.

Are you just unwilling to explain yourself, or unable?

-lc

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Monday, August 5, 2013 8:35 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] man-in-the-middle attack

I guess you either see my specific point or you don't. I stated it, and I'm not one to engage in arguments where I just repeat myself because people are choosing to ignore, overlook, or simply disregard my point. If you don't agree, don't, and move on. If you don't know what my specifics were, then I don't know what to tell you - other than, I guess reread the emails. In any event, I'm no longer interested in this topic of conversation, since it stopped actually being one many replies back.

-- Espi

On Mon, Aug 5, 2013 at 5:16 PM, Ken Schaefer k...@kj.net.au wrote:

What are the characteristics of the “specifics” you're referring to that make a general analysis not applicable? I think this is the crux of the issue taken with your original post.

Cheers
Ken

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Saturday, 3 August 2013 5:00 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] man-in-the-middle attack

You're continuing to generalize, ignoring the specifics I was referring to.

-- Espi

On Fri, Aug 2, 2013 at 11:23 AM, Steven M. Caesare scaes...@caesare.com wrote:

Substitute any risk you want in any circumstance you want. As long as the odds are 0 then you have to consider mitigating that risk... it then becomes a matter of cost to do so, the value proposition of which depends on the potential damage from the event occurring.

How unlikely does an event have to be in order to spend $X on it?

-sc

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Friday, August 2, 2013 11:40 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] man-in-the-middle attack

Again, apples/oranges. I'm speaking of specific circumstance, and I'm not about to include natural disasters in the debate. You can either choose to see what I'm saying for what I'm saying, or don't. I'm not generalizing. I'm speaking of data loss to remote access intrusion.

-- Espi

On Fri, Aug 2, 2013 at 6:53 AM, Steven M. Caesare scaes...@caesare.com wrote:

The odds don't matter if the risk will result in catastrophic loss to the business.

Sure they do.

A meteor that wipes out your facility in North America can be mitigated by having a completely redundant $50bil factory in Europe.

Are you recommending that?

-sc

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Wednesday, July 31, 2013 7:55 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] man-in-the-middle attack

IMO, it's a matter of recreational gambling vs. professional (done for a living) gambling[1]. You know the odds, or you don't - doesn't matter. What matters is if you can continue to profit from the risk. Will the risk hurt the continuity
Re: [NTSysADM] man-in-the-middle attack
Hey Lora,

I have a side bet going that you can help me with if you please. Are you really -sc?

- WJR

On Tue, Aug 6, 2013 at 11:10 AM, Lora Cates lora.ca...@rocketmail.com wrote:

I find it interesting that there are several folks, myself included, that fail to see your point, yet when pressed for details on specific points you reply with the deeply insightful Whatev. and now declare the conversation ended so you are taking your ball and going home.

Are you just unwilling to explain yourself, or unable?

-lc
Re: [NTSysADM] man-in-the-middle attack
My point was to what data was remotely accessible.

-- Espi

On Tue, Aug 6, 2013 at 10:33 AM, Steven M. Caesare scaes...@caesare.com wrote:

Seeing as how you are obviously referring to me, allow me to ask:

Given that I responded to your _SPECIFIC_ point about this being a MITM attack (quoted below for your convenience), why your subsequent dismissive response?

-sc

(quotation follows)

“The resulting exposed data in a MitM scenario is unique and has substantial potential. Why is this unique as compared to something like the VPN algorithm itself being compromised allowing the same level of remote access in to your org? Both have the same potential for damage.”
RE: [NTSysADM] man-in-the-middle attack
And as pointed out, that's not the only risk for which like data is remotely accessible.

Thus responses (from multiple people) regarding odds are as applicable to your scenario as others. It's a germane point.

Yet you simply dismiss it rather than discussing on its merits.

Thus my question: why do so?

-sc

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Tuesday, August 6, 2013 2:58 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] man-in-the-middle attack

My point was to what data was remotely accessible.

-- Espi
Re: [NTSysADM] man-in-the-middle attack
Apparently my attempt at humor was poorly timed. (again)

My apologies. Carry on with your regular duties.

- WJR

On Tue, Aug 6, 2013 at 1:31 PM, William Robbins dangerw...@gmail.com wrote:

Hey Lora,

I have a side bet going that you can help me with if you please. Are you really -sc?

- WJR
Re: [NTSysADM] man-in-the-middle attack
I figured poor timing was your regular duty.

-lc

From: William Robbins dangerw...@gmail.com
To: ntsysadm@lists.myitforum.com
Sent: Tuesday, August 6, 2013 2:18 PM
Subject: Re: [NTSysADM] man-in-the-middle attack

Apparently my attempt at humor was poorly timed. (again)

My apologies. Carry on with your regular duties.

- WJR
Re: [NTSysADM] man-in-the-middle attack
Again, apples/oranges. I'm speaking of specific circumstance, and I'm not about to include natural disasters in the debate. You can either choose to see what I'm saying for what I'm saying, or don't. I'm not generalizing. I'm speaking of data loss to remote access intrusion.

-- Espi

On Fri, Aug 2, 2013 at 6:53 AM, Steven M. Caesare scaes...@caesare.com wrote:

The odds don't matter if the risk will result in catastrophic loss to the business.

Sure they do.

A meteor that wipes out your facility in North America can be mitigated by having a completely redundant $50bil factory in Europe.

Are you recommending that?

-sc

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Wednesday, July 31, 2013 7:55 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] man-in-the-middle attack

IMO, it's a matter of recreational gambling vs. professional (done for a living) gambling[1]. You know the odds, or you don't - doesn't matter. What matters is if you can continue to profit from the risk. Will the risk hurt the continuity of business operations in terms of revenue loss. The extreme example of this is Russian roulette.

The resulting exposed data in a MitM scenario is unique and has substantial potential. What is important to monetize here is the loss resulting from a MitM attack at all levels of remote access for the organization.

The odds don't matter if the risk will result in catastrophic loss to the business. As someone that has discovered corporate espionage intrusions, and systematically prevented the loss of future business deals worth millions of dollars (whose loss would have otherwise collapsed the business) - I have a specific view of this issue. The only additional info on this that I will provide is that the intrusion allowed a bidding competitor access to corporate communications as well as business plans and bidding documents. My discoveries led to the prevention of a competitor from staying one step ahead of us in business planning and bidding, and eventual Federal prosecution of the intruder.

1. I'm not a gambler, but I have known professional gamblers.

-- Espi

On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer k...@kj.net.au wrote:

In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.

How can you say that “odds are irrelevant” if the issue is business risk? Risk is “potential for loss”, and potential includes a weighting for likelihood (i.e. “the odds”)? Can you clarify what you mean?

Cheers
Ken

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Thursday, 1 August 2013 1:43 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] man-in-the-middle attack

Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible environments and habits of your remote employees. In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.

-- Espi

On Wed, Jul 31, 2013 at 8:07 AM, David Lum david@nwea.org wrote:

I need to present management with the odds of this actually getting exploited, as I’d want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say “we want compatibility instead of protection from some obscure attack that is unlikely to happen.”

In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?

David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764
RE: [NTSysADM] man-in-the-middle attack
Yeah, but what are the odds of THAT??! Oh.. wait...

-sc

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Maglinger, Paul
Sent: Friday, August 2, 2013 11:36 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] man-in-the-middle attack

Depending on the size of the meteor you might want to build that factory on Mars.
Re: [NTSysADM] man-in-the-middle attack
I notice there's been no mention of the coming zombie apocalypse.

- WJR

On Fri, Aug 2, 2013 at 1:23 PM, Steven M. Caesare scaes...@caesare.com wrote:

Substitute any risk you want in any circumstance you want.

As long as the odds are 0 then you have to consider mitigating that risk… it then becomes a matter of cost to do so, the value proposition of which depends on the potential damage from the event occurring.

How unlikely does an event have to be in order to spend $X on it?

-sc
RE: [NTSysADM] man-in-the-middle attack
Well given that its occurrence is a 100% certainty, I didn't think that it really was fair to consider there being odds of its happening...

-sc

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of William Robbins
Sent: Friday, August 2, 2013 2:27 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] man-in-the-middle attack

I notice there's been no mention of the coming zombie apocalypse.

- WJR
Re: [NTSysADM] man-in-the-middle attack
Touché. ;)

- WJR

On Fri, Aug 2, 2013 at 1:31 PM, Steven M. Caesare scaes...@caesare.com wrote:

Well given that its occurrence is a 100% certainty, I didn’t think that it really was fair to consider there being “odds” of its happening…

-sc
RE: [NTSysADM] man-in-the-middle attack
And that's already mitigated by the cases of ammo being stockpiled!

John W. Cook
Network Operations Manager
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, Security+
VSP4, VTSP4

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Steven M. Caesare
Sent: Friday, August 02, 2013 2:32 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] man-in-the-middle attack

Well given that its occurrence is a 100% certainty, I didn't think that it really was fair to consider there being odds of its happening...

-sc
Re: [NTSysADM] man-in-the-middle attack
Indeed! ©

- WJR

On Fri, Aug 2, 2013 at 1:29 PM, John Cook john.c...@pfsf.org wrote:

And that’s already mitigated by the cases of ammo being stockpiled!

John W. Cook
Network Operations Manager
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, Security+
VSP4, VTSP4
Re: [NTSysADM] man-in-the-middle attack
You're continuing to generalize, ignoring the specifics I was referring to.

-- Espi

On Fri, Aug 2, 2013 at 11:23 AM, Steven M. Caesare scaes...@caesare.com wrote:

Substitute any risk you want in any circumstance you want.

As long as the odds are 0 then you have to consider mitigating that risk… it then becomes a matter of cost to do so, the value proposition of which depends on the potential damage from the event occurring.

How unlikely does an event have to be in order to spend $X on it?

-sc
Re: [NTSysADM] man-in-the-middle attack
I’m not sure that a ZitM attack is one that is going to involve computer security.

From: Steven M. Caesare
Sent: Friday, August 02, 2013 1:31 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] man-in-the-middle attack

Well given that its occurrence is a 100% certainty, I didn’t think that it really was fair to consider there being “odds” of its happening…

-sc
RE: [NTSysADM] man-in-the-middle attack
> You're continuing to generalize, ignoring the specifics I was referring to.

Well we can't have that!

> IMO, its a matter of recreational gambling vs. professional (done for a living) gambling[1].

Estimating risk vs. cost in a professional situation is indeed gambling in a professional environment, regardless if one chooses to refer to it as that.

> You know the odds, or you don't - doesn't matter.

Most often such things are not absolutely knowable. The more information you have, the closer you can estimate. Not having sufficient information is itself a risk you must factor in. This is why many security alerts include severity levels with them. Please substantiate your assertions that this does not matter.

> What matters is if you can continue to profit from the risk.

This statement seems to not make sense. By its very nature, a risk to business is generally not something you profit from. I suspect you meant something else.

> Will the risk hurt the continuity of business operations in terms of revenue loss. The extreme example of this is Russian roulette.

This is part of the impact analysis. I'll note that your very own example of Russian roulette typically involves odds... most often 1 in 6. Despite its catastrophic impact, I suspect you'd feel differently about playing it if the odds were 1:1,000,000 (see also: taking a plane flight)

> The resulting exposed data in a MitM scenario is unique and has substantial potential.

Why is this unique as compared to something like the VPN algorithm itself being compromised allowing the same level of remote access in to your org? Both have the same potential for damage.

> What is important to monetize here is the loss resulting from a MitM attack at all levels of remote access for the organization.

Impact analysis again. Applied to a specific attack vector. There are other avenues to gain remote access to an org: hardware backdoors, compromised internal machines, faulty wireless implementations, etc...
> The odds dont matter if the risk will result in catastrophic loss to the business.

Typically risk mitigation strategies have a cost attached to them. If spending more than the business is worth in mitigating every risk with a factor ratio 0 bankrupts the business, then the results have been equally catastrophic.

> As someone that has discovered corporate espionage intrusions, and systematically prevented the loss of future business deals worth millions of dollars (whose loss would have otherwise collapsed the business)

What if the mitigation cost was $10's of millions?

> - I have a specific view of this issue.

That's what we've been telling you. :)

-sc

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 2, 2013 3:00 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack You're continuing to generalize, ignoring the specifics I was referring to. -- Espi On Fri, Aug 2, 2013 at 11:23 AM, Steven M. Caesare scaes...@caesare.com wrote: Substitute any risk you what in any circumstance you want. As long as the odds are 0 then you have to consider mitigating that risk... it then becomes a matter of cost to do so, the value proposition of which depends on the potential damage from the event occuring. How unlikely does an event have to be in order to spend $X on it? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 2, 2013 11:40 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack Again, apples/oranges. I'm speaking of specific circumstance, and I'm not about to include natural disasters in the debate. You can either choose to see what I'm saying for what I'm saying, or don't. I'm not generalizing. I'm speaking of data loss to remote access intrusion. -- Espi On Fri, Aug 2, 2013 at 6:53 AM, Steven M.
Caesare scaes...@caesare.com wrote: The odds dont matter if the risk will result in catastrophic loss to the business. Sure they do. A meteor that wipes out your facility in North America can be mitigated by having a completely redundant $50bil factory in Europe. Are you recommending that? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Wednesday, July 31, 2013 7:55 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack IMO, its a matter of recreational gambling vs. professional (done for a living) gambling[1]. You know the odds, or you don't - doesn't matter. What matters is if you can continue to profit from the risk. Will the risk hurt the continuity of business operations in terms of revenue loss. The extreme example of this is Russian roulette. The resulting exposed data in a MitM scenario
RE: [NTSysADM] man-in-the-middle attack
nice From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Daniel Chenault Sent: Friday, August 2, 2013 2:15 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack I’m not sure that a ZitM attack is one that is going to involve computer security. :) From: Steven M. Caesare Sent: Friday, August 02, 2013 1:31 PM To: ntsysadm@lists.myitforum.com Subject: RE: [NTSysADM] man-in-the-middle attack Well given that it’s occurrence is a 100% certainty, I didn’t think that it really was fair to consider there being “odds” of it’s happening… -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of William Robbins Sent: Friday, August 2, 2013 2:27 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack I notice there's been no mention of the coming zombie apocalypse. - WJR On Fri, Aug 2, 2013 at 1:23 PM, Steven M. Caesare scaes...@caesare.com wrote: Substitute any risk you what in any circumstance you want. As long as the odds are 0 then you have to consider mitigating that risk… it then becomes a matter of cost to do so, the value proposition of which depends on the potential damage from the event occuring. How unlikely does an event have to be in order to spend $X on it? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 2, 2013 11:40 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack Again, apples/oranges. I'm speaking of specific circumstance, and I'm not about to include natural disasters in the debate. You can either choose to see what I'm saying for what I'm saying, or don't. I'm not generalizing.
I'm speaking of data loss to remote access intrusion. -- Espi On Fri, Aug 2, 2013 at 6:53 AM, Steven M. Caesare scaes...@caesare.com wrote: The odds dont matter if the risk will result in catastrophic loss to the business. Sure they do. A meteor that wipes out your facility in North America can be mitigated by having a completely redundant $50bil factory in Europe. Are you recommending that? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Wednesday, July 31, 2013 7:55 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack IMO, its a matter of recreational gambling vs. professional (done for a living) gambling[1]. You know the odds, or you don't - doesn't matter. What matters is if you can continue to profit from the risk. Will the risk hurt the continuity of business operations in terms of revenue loss. The extreme example of this is Russian roulette. The resulting exposed data in a MitM scenario is unique and has substantial potential. What is important to monetize here is the loss resulting from a MitM attack at all levels of remote access for the organization. The odds dont matter if the risk will result in catastrophic loss to the business. As someone that has discovered corporate espionage intrusions, and systematically prevented the loss of future business deals worth millions of dollars (whose loss would have otherwise collapsed the business) - I have a specific view of this issue. The only additional info on this that I will provide is that the intrusion allowed a bidding competitor access to corporate communications as well as business plans and bidding documents.
My discoveries led to the prevention of a competitor from staying one step ahead of us in business planning and bidding, and eventual Federal prosecution of the intruder. 1. I'm not a gambler, but I have known professional gamblers. -- Espi On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer k...@kj.net.au wrote: In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss. How can you say that “odds are irrelevant” if the issue is business risk? Risk is “potential for loss”, and potential includes a weighting for likelihood (i.e. “the odds”)? Can you clarify what you mean? Cheers Ken From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, 1 August 2013 1:43 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible
Re: [NTSysADM] man-in-the-middle attack
On Fri, Aug 2, 2013 at 12:27 PM, Steven M. Caesare scaes...@caesare.com wrote: That’s what we’ve been telling you. :) Whatev. -- Espi
RE: [NTSysADM] man-in-the-middle attack
What were the odds of THAT reply?!? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 4:03 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack On Fri, Aug 2, 2013 at 12:27 PM, Steven M. Caesare scaes...@caesare.com wrote: That's what we've been telling you. :) Whatev. -- Espi
Re: [NTSysADM] man-in-the-middle attack
For you? 100% -- Espi On Fri, Aug 2, 2013 at 2:58 PM, Steven M. Caesare scaes...@caesare.com wrote: What were the odds of THAT reply?!? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 4:03 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack On Fri, Aug 2, 2013 at 12:27 PM, Steven M. Caesare scaes...@caesare.com wrote: That’s what we’ve been telling you. :) Whatev. -- Espi
RE: [NTSysADM] man-in-the-middle attack
Hold, on... I'm trying to figure out what it'll take to mitigate the risk of damages. -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 6:37 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack For you? 100% -- Espi On Fri, Aug 2, 2013 at 2:58 PM, Steven M. Caesare scaes...@caesare.com wrote: What were the odds of THAT reply?!? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 4:03 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack On Fri, Aug 2, 2013 at 12:27 PM, Steven M. Caesare scaes...@caesare.com wrote: That's what we've been telling you. :) Whatev. -- Espi
Re: [NTSysADM] man-in-the-middle attack
A soothing balm? - WJR On Fri, Aug 2, 2013 at 6:16 PM, Steven M. Caesare scaes...@caesare.com wrote: Hold, on… I’m trying to figure out what it’ll take to mitigate the risk of damages. -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 6:37 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack For you? 100% -- Espi On Fri, Aug 2, 2013 at 2:58 PM, Steven M. Caesare scaes...@caesare.com wrote: What were the odds of THAT reply?!? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 4:03 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack On Fri, Aug 2, 2013 at 12:27 PM, Steven M. Caesare scaes...@caesare.com wrote: That’s what we’ve been telling you. :) Whatev. -- Espi
RE: [NTSysADM] man-in-the-middle attack
I see the error of my ways... I instead should have been calculating the odds of receiving a response commensurate with addressing the specifics [he] was referring to. Those clearly were very long odds. Silly me. -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of William Robbins Sent: Friday, August 02, 2013 7:21 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack A soothing balm? - WJR On Fri, Aug 2, 2013 at 6:16 PM, Steven M. Caesare scaes...@caesare.com wrote: Hold, on... I'm trying to figure out what it'll take to mitigate the risk of damages. -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 6:37 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack For you? 100% -- Espi On Fri, Aug 2, 2013 at 2:58 PM, Steven M. Caesare scaes...@caesare.com wrote: What were the odds of THAT reply?!? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 4:03 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack On Fri, Aug 2, 2013 at 12:27 PM, Steven M. Caesare scaes...@caesare.com wrote: That's what we've been telling you. :) Whatev. -- Espi
Re: [NTSysADM] man-in-the-middle attack
Don't you have a bottle of Scotch to acquire? [image: Inline image 1] - WJR On Fri, Aug 2, 2013 at 6:27 PM, Steven M. Caesare scaes...@caesare.com wrote: I see the error of my ways… I instead should have been calculating the odds of receiving a response commensurate with addressing “the specifics [he] was referring to.” Those clearly were very long odds. Silly me. -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of William Robbins Sent: Friday, August 02, 2013 7:21 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack A soothing balm? - WJR On Fri, Aug 2, 2013 at 6:16 PM, Steven M. Caesare scaes...@caesare.com wrote: Hold, on… I’m trying to figure out what it’ll take to mitigate the risk of damages. -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 6:37 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack For you? 100% -- Espi On Fri, Aug 2, 2013 at 2:58 PM, Steven M. Caesare scaes...@caesare.com wrote: What were the odds of THAT reply?!? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 4:03 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack On Fri, Aug 2, 2013 at 12:27 PM, Steven M. Caesare scaes...@caesare.com wrote: That’s what we’ve been telling you. :) Whatev. -- Espi
Re: [NTSysADM] man-in-the-middle attack
Compare it to something ridiculously catastrophic. That should give you some ideas. -- Espi On Fri, Aug 2, 2013 at 4:16 PM, Steven M. Caesare scaes...@caesare.com wrote: Hold, on… I’m trying to figure out what it’ll take to mitigate the risk of damages. -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 6:37 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack For you? 100% -- Espi On Fri, Aug 2, 2013 at 2:58 PM, Steven M. Caesare scaes...@caesare.com wrote: What were the odds of THAT reply?!? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 4:03 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack On Fri, Aug 2, 2013 at 12:27 PM, Steven M. Caesare scaes...@caesare.com wrote: That’s what we’ve been telling you. :) Whatev. -- Espi
Re: [NTSysADM] man-in-the-middle attack
Heh. - WJR On Fri, Aug 2, 2013 at 6:50 PM, Micheal Espinola Jr michealespin...@gmail.com wrote: [image: Inline image 1] -- Espi On Fri, Aug 2, 2013 at 4:21 PM, William Robbins dangerw...@gmail.com wrote: A soothing balm? - WJR On Fri, Aug 2, 2013 at 6:16 PM, Steven M. Caesare scaes...@caesare.com wrote: Hold, on… I’m trying to figure out what it’ll take to mitigate the risk of damages. -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 6:37 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack For you? 100% -- Espi On Fri, Aug 2, 2013 at 2:58 PM, Steven M. Caesare scaes...@caesare.com wrote: What were the odds of THAT reply?!? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 02, 2013 4:03 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack On Fri, Aug 2, 2013 at 12:27 PM, Steven M. Caesare scaes...@caesare.com wrote: That’s what we’ve been telling you. :) Whatev. -- Espi
RE: [NTSysADM] man-in-the-middle attack
No they seem to be starting with cell phones. http://qz.com/36/zombie-phones-are-eating-up-your-telecomm-budget/ Jon From: dani...@hotmail.com To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack Date: Fri, 2 Aug 2013 14:14:30 -0500 I’m not sure that a ZitM attack is one that is going to involve computer security. From: Steven M. Caesare Sent: Friday, August 02, 2013 1:31 PM To: ntsysadm@lists.myitforum.com Subject: RE: [NTSysADM] man-in-the-middle attack Well given that it’s occurrence is a 100% certainty, I didn’t think that it really was fair to consider there being “odds” of it’s happening… -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of William Robbins Sent: Friday, August 2, 2013 2:27 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack I notice there's been no mention of the coming zombie apocalypse. - WJR On Fri, Aug 2, 2013 at 1:23 PM, Steven M. Caesare scaes...@caesare.com wrote: Substitute any risk you what in any circumstance you want. As long as the odds are 0 then you have to consider mitigating that risk… it then becomes a matter of cost to do so, the value proposition of which depends on the potential damage from the event occuring. How unlikely does an event have to be in order to spend $X on it? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Friday, August 2, 2013 11:40 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack Again, apples/oranges. I'm speaking of specific circumstance, and I'm not about to include natural disasters in the debate. You can either choose to see what I'm saying for what I'm saying, or don't. I'm not generalizing. I'm speaking of data loss to remote access intrusion. -- Espi On Fri, Aug 2, 2013 at 6:53 AM, Steven M. 
Caesare scaes...@caesare.com wrote: The odds dont matter if the risk will result in catastrophic loss to the business. Sure they do. A meteor that wipes out your facility in North America can be mitigated by having a completely redundant $50bil factory in Europe. Are you recommending that? -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Wednesday, July 31, 2013 7:55 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack IMO, its a matter of recreational gambling vs. professional (done for a living) gambling[1]. You know the odds, or you don't - doesn't matter. What matters is if you can continue to profit from the risk. Will the risk hurt the continuity of business operations in terms of revenue loss. The extreme example of this is Russian roulette. The resulting exposed data in a MitM scenario is unique and has substantial potential. What is important to monetize here is the loss resulting from a MitM attack at all levels of remote access for the organization. The odds dont matter if the risk will result in catastrophic loss to the business. As someone that has discovered corporate espionage intrusions, and systematically prevented the loss of future business deals worth millions of dollars (whose loss would have otherwise collapsed the business) - I have a specific view of this issue. The only additional info on this that I will provide is that the intrusion allowed a bidding competitor access to corporate communications as well as business plans and bidding documents. My discoveries led to the prevention of a competitor from staying one step ahead of us in business planning and bidding, and eventual Federal prosecution of the intruder. 1. I'm not a gambler, but I have known professional gamblers. -- Espi On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer k...@kj.net.au wrote: In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss. 
How can you say that “odds are irrelevant” if the issue is business risk? Risk is “potential for loss”, and potential includes a weighting for likelihood (i.e. “the odds”)? Can you clarify what you mean? Cheers Ken From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, 1 August 2013 1:43 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible environments and habits of your remote employees. In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss. -- Espi On Wed, Jul 31, 2013 at 8:07 AM, David Lum david@nwea.org wrote: I need to present management with the odds
Re: [NTSysADM] man-in-the-middle attack
Nothing is absolute, black and white, yadda yadda yadda - I'm not speaking to every aspect of life or daily routine; I'm referring to the OP issue of remote access and what information is accessible remotely. I also think the meteor strike example is a bit extreme and out of scope for both our viewpoints. I understand what you are trying to suggest, but there is little/nothing we can do to predict or defend against such acts of nature. -- Espi On Thu, Aug 1, 2013 at 1:59 AM, Ken Schaefer k...@kj.net.au wrote: Of course odds are important. Do you protect yourself against meteorite strike? That would result in catastrophic business loss. By your argument, “The odds dont matter if the risk will result in catastrophic loss to the business.:” Most people don’t because the *odds* very low, even though the potential impact is high. Usually, most risk people use some weighted “probability of event” multiplied by “consequences of event” to determine a risk profile. e.g. 100% chance of losing $10 = 10 points 1% chance of losing $100 = 1 point The former event, even though the impact will cost you less if it eventuates, is of much more concern to risk managers. Weighting might be applied to “outlier” events (e.g. those of very high consequences) Using your method results in too much attention being paid to extreme events, and inadequate supervision of more mundane, even boring, events that result in small losses. Except lots of small losses can be just as crippling to a business. Cheers Ken From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, 1 August 2013 9:55 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack IMO, its a matter of recreational gambling vs. professional (done for a living) gambling[1]. You know the odds, or you don't - doesn't matter.
What matters is if you can continue to profit from the risk. Will the risk hurt the continuity of business operations in terms of revenue loss. The extreme example of this is Russian roulette. The resulting exposed data in a MitM scenario is unique and has substantial potential. What is important to monetize here is the loss resulting from a MitM attack at all levels of remote access for the organization. The odds dont matter if the risk will result in catastrophic loss to the business. As someone that has discovered corporate espionage intrusions, and systematically prevented the loss of future business deals worth millions of dollars (whose loss would have otherwise collapsed the business) - I have a specific view of this issue. The only additional info on this that I will provide is that the intrusion allowed a bidding competitor access to corporate communications as well as business plans and bidding documents. My discoveries led to the prevention of a competitor from staying one step ahead of us in business planning and bidding, and eventual Federal prosecution of the intruder. 1. I'm not a gambler, but I have known professional gamblers. -- Espi On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer k...@kj.net.au wrote: In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss. How can you say that “odds are irrelevant” if the issue is business risk? Risk is “potential for loss”, and potential includes a weighting for likelihood (i.e. “the odds”)? Can you clarify what you mean? Cheers Ken From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, 1 August 2013 1:43 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible environments and habits of your remote employees.
In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss. -- Espi On Wed, Jul 31, 2013 at 8:07 AM, David Lum david@nwea.org wrote: I need to present management with the odds of this actually getting exploited, as I’d want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say “we want compatibility instead of protection from some obscure attack that is unlikely to happen. In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server? David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229 // Cell
RE: [NTSysADM] man-in-the-middle attack
We refer to that as the smoking hole scenario. Off-site backups/ remote DR datacenter is the defense. I agree with you though, there is no black and white, quite often C-level management wants to believe it's that simple for the sake of CYA. John W. Cook Network Operations Manager Partnership for Strong Families 5950 NW 1st Place Gainesville, Fl 32607 Cell 352-215-6944 Office 352-244-1610 MCSE, MCTS, CompTIA A+, N+, VSP4, VTSP4 From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, August 01, 2013 9:32 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack Nothing is absolute, black and white, yadda yadda yadda - I'm not speaking to every aspect of life or daily routine; I'm referring to the OP issue of remote access and what information is accessible remotely. I also think the meteor strike example is a bit extreme and out of scope for both our viewpoints. I understand what you are trying to suggest, but there is little/nothing we can do to predict or defend against such acts of nature. -- Espi On Thu, Aug 1, 2013 at 1:59 AM, Ken Schaefer k...@kj.net.au wrote: Of course odds are important. Do you protect yourself against meteorite strike? That would result in catastrophic business loss. By your argument, The odds dont matter if the risk will result in catastrophic loss to the business.: Most people don't because the *odds* very low, even though the potential impact is high. Usually, most risk people use some weighted probability of event multiplied by consequences of event to determine a risk profile. e.g. 100% chance of losing $10 = 10 points 1% chance of losing $100 = 1 point The former event, even though the impact will cost you less if it eventuates, is of much more concern to risk managers. Weighting might be applied to outlier events (e.g.
those of very high consequences) Using your method results in too much attention being paid to extreme events, and inadequate supervision of more mundane, even boring, events that result in small losses. Except lots of small losses can be just as crippling to a business.
Cheers
Ken

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, 1 August 2013 9:55 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack
IMO, it's a matter of recreational gambling vs. professional (done for a living) gambling[1]. You know the odds, or you don't - doesn't matter. What matters is if you can continue to profit from the risk. Will the risk hurt the continuity of business operations in terms of revenue loss. The extreme example of this is Russian roulette. The resulting exposed data in a MitM scenario is unique and has substantial potential. What is important to monetize here is the loss resulting from a MitM attack at all levels of remote access for the organization. The odds don't matter if the risk will result in catastrophic loss to the business. As someone that has discovered corporate espionage intrusions, and systematically prevented the loss of future business deals worth millions of dollars (whose loss would have otherwise collapsed the business) - I have a specific view of this issue. The only additional info on this that I will provide is that the intrusion allowed a bidding competitor access to corporate communications as well as business plans and bidding documents. My discoveries led to the prevention of a competitor from staying one step ahead of us in business planning and bidding, and eventual Federal prosecution of the intruder.
1. I'm not a gambler, but I have known professional gamblers.
-- Espi

On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer k...@kj.net.au wrote:
In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
How can you say that "odds are irrelevant" if the issue is business risk? Risk is "potential for loss", and potential includes a weighting for likelihood (i.e. "the odds")? Can you clarify what you mean?
Cheers
Ken

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, 1 August 2013 1:43 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack
Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible environments and habits of your remote employees. In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
-- Espi

On Wed, Jul 31, 2013 at 8:07 AM, David Lum david@nwea.org
Re: [NTSysADM] man-in-the-middle attack
I guess I'm not articulating well this early in the morning (only on a 1/2 cup of coffee so far), but I do understand Ken's point and would in other situations agree with it - but not in terms of remote access risks.
-- Espi

On Thu, Aug 1, 2013 at 6:42 AM, Andrew S. Baker asbz...@gmail.com wrote:
I think you missed Ken's point, Micheal. For any given scenario, the likelihood of it happening has to be considered AS WELL AS (not independently of) the consequences if it happens. His last paragraph is instructive here:
"Using your method results in too much attention being paid to extreme events, and inadequate supervision of more mundane, even boring, events that result in small losses. Except lots of small losses can be just as crippling to a business."
As to the original question of "In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?" I would respond that there is insufficient information in the thread thus far to actually answer that question. David's question begs a few questions from me:
-- How are the ADFS servers being used as relates to these remote devices?
-- Why the focus on man-in-the-middle attacks? (Is this the only perceived risk of remote and mobile systems?)
-- What apps will the users be accessing after authentication?
Regards,
ASB http://XeeMe.com/AndrewBaker Providing Virtual CIO Services (IT Operations Information Security) for the SMB market…

On Thu, Aug 1, 2013 at 9:32 AM, Micheal Espinola Jr michealespin...@gmail.com wrote:
Nothing is absolute, black and white, yadda yadda yadda - I'm not speaking to every aspect of life or daily routine; I'm referring to the OP issue of remote access and what information is accessible remotely. I also think the meteor strike example is a bit extreme and out of scope for both our viewpoints.
I understand what you are trying to suggest, but there is little/nothing we can do to predict or defend against such acts of nature.
-- Espi

On Thu, Aug 1, 2013 at 1:59 AM, Ken Schaefer k...@kj.net.au wrote:
Of course odds are important.
Do you protect yourself against meteorite strike? That would result in catastrophic business loss. By your argument, “The odds don’t matter if the risk will result in catastrophic loss to the business.:” Most people don’t because the *odds* are very low, even though the potential impact is high.
Usually, most risk people use some weighted “probability of event” multiplied by “consequences of event” to determine a risk profile.
e.g.
100% chance of losing $10 = 10 points
1% chance of losing $100 = 1 point
The former event, even though the impact will cost you less if it eventuates, is of much more concern to risk managers. Weighting might be applied to “outlier” events (e.g. those of very high consequences)
Using your method results in too much attention being paid to extreme events, and inadequate supervision of more mundane, even boring, events that result in small losses. Except lots of small losses can be just as crippling to a business.
Cheers
Ken

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, 1 August 2013 9:55 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack
IMO, it's a matter of recreational gambling vs. professional (done for a living) gambling[1]. You know the odds, or you don't - doesn't matter. What matters is if you can continue to profit from the risk. Will the risk hurt the continuity of business operations in terms of revenue loss. The extreme example of this is Russian roulette.
The resulting exposed data in a MitM scenario is unique and has substantial potential.
What is important to monetize here is the loss resulting from a MitM attack at all levels of remote access for the organization.
The odds don't matter if the risk will result in catastrophic loss to the business. As someone that has discovered corporate espionage intrusions, and systematically prevented the loss of future business deals worth millions of dollars (whose loss would have otherwise collapsed the business) - I have a specific view of this issue. The only additional info on this that I will provide is that the intrusion allowed a bidding competitor access to corporate communications as well as business plans and bidding documents. My discoveries led to the prevention of a competitor from staying one step ahead of us in business planning and bidding, and eventual Federal prosecution of the intruder.
1. I'm not a gambler, but I have known professional gamblers.
-- Espi

On Wed, Jul 31, 2013 at 4:05
Re: [NTSysADM] man-in-the-middle attack
I see it as a matter of severity. Malware attacks are, as you say, extremely common. They are also fairly easy to guard against (assuming the users do what they are told ahem) and even at that the majority are more annoying than threatening. The cost to guard against them ranges from very cheap (free SpyBot or Ad-Aware) to blocking at the firewall or using a content proxy. From what was said in the first post the inconvenience in this solution of guarding against a MitM attack is that some users have to give up using their browser of choice. If that’s the only problem with the solution I say move forward; a handful of stalwart Safari users should not be able to hold the company’s security hostage. And if it’s a titled person doing it he’s doing the company a disservice. But in deference to your management that likes things categorized, labeled, enumerated and fully known to the nth degree so a dollar cost per percentage of likelihood can be attached... there is no answer. Not all MitM attacks are reported but rather handled quietly. How many security issues have you run into over the years (up to and maybe including MitM)? How many did you write up and report in such a way that some future person could look up statistics based on the aggregate of such occurrences including yours? Zero, right? Unless the reporting was actually part of your job description or there was something unique or interesting about the attack you just handled it and moved on like the rest of us do as we juggle umpty-hundred issues in a given time frame. The statistics are not available no matter how much your management may want it otherwise; the decision has to be made based on the consequences of the attack rather than the likelihood of it. Said consequences are potentially highly severe and injurious to the company. 
As someone else pointed out – the consequence of a MitM can and does include compromising network security to the point where the CFO’s workstation could be burglarized; account numbers and passwords - wouldn’t that be lovely? The overhead of accomplishing a successful MitM attack means the attacker’s intent is something a good deal more serious than a piece of malware that steals the user’s home page; don’t let management suck you into that apples to grapes comparison. Again, if the only objection to the solution is a handful of obstinate users those users can go pound sand. I have never experienced a kitchen fire but always have a fire extinguisher available. I don’t care what the odds are of it happening; I do not wish to deal with the consequences of not being prepared for one. Keeping a fire extinguisher available is a small price to pay for preparedness. S*** happens; the wise man always keeps a roll of TP handy rather than weigh the odds of it happening at the wrong time and not carry a roll.

From: David Lum Sent: Thursday, August 01, 2013 9:28 AM To: ntsysadm@lists.myitforum.com Subject: RE: [NTSysADM] man-in-the-middle attack
What I mean is the inconvenience of increased security worth the risk? An extreme example is “computers can get infected via the Internet…let’s disconnect from the Internet”. The risk of one of 500 systems getting malware from the Internet over any six month span is almost 100%, but the loss of business exceeds the most likely losses from being hit by malware. If a specific attack happens only once per 100,000,000 businesses in a six month span (I have no clue on MITM, Googling “business exploited by man-in-the-middle” only returns how serious it is but I am unable to find actual examples), is it worth worrying about? It’s like hearing Diet Coke “it’s so bad for you it can kill you instantly”, but not having any actual examples to back it up.
I’m not saying I don’t want to do this, but if management asks how likely it is to get exploited I’d like to give them *something*. From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Ken Schaefer Sent: Wednesday, July 31, 2013 4:06 PM To: ntsysadm@lists.myitforum.com Subject: RE: [NTSysADM] man-in-the-middle attack In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss. How can you say that “odds are irrelevant” if the issue is business risk? Risk is “potential for loss”, and potential includes a weighting for likelihood (i.e. “the odds”)? Can you clarify what you mean? Cheers Ken From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, 1 August 2013 1:43 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible environments and habits of your remote employees. In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss
Re: [NTSysADM] man-in-the-middle attack
*What is the most common way to initiate a MITM attack? Phishing e-mail with a link?*
That would depend entirely on the technologies involved. You could wait in the right place, you could phish to get in the right place, you could spoof or poison DNS to send the users to the right place... You really need to focus your risk mitigation on specific, credible threats that you wish to address, and then determine if it is worth it for any particular mitigation approach. Otherwise, not only might you miss low hanging fruit that is less sexy, but more damaging in the aggregate, you might end up spending $100K to prevent a loss of $50K
ASB http://XeeMe.com/AndrewBaker Providing Virtual CIO Services (IT Operations Information Security) for the SMB market…

On Thu, Aug 1, 2013 at 10:43 AM, David Lum david@nwea.org wrote:
Oh hey, maybe I should get caught up in the thread before replying…
· Remote user goes to ADFS to leverage SSO to get to 3rd party for travel expenses, etc. which includes entering credit card data
· Focus on MITM because the discussion became centered around TLS 1.2 after I requested to turn off Extended Protection in IIS7 (http://support.microsoft.com/kb/973917/en-us) which is only supported by IE
· See bullet 1
What is the most common way to initiate a MITM attack? Phishing e-mail with a link?
Dave

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Andrew S. Baker Sent: Thursday, August 01, 2013 6:43 AM To: ntsysadm Subject: Re: [NTSysADM] man-in-the-middle attack
I think you missed Ken's point, Micheal.
For any given scenario, the likelihood of it happening has to be considered AS WELL AS (not independently of) the consequences if it happens.
His last paragraph is instructive here:
"Using your method results in too much attention being paid to extreme events, and inadequate supervision of more mundane, even boring, events that result in small losses. Except lots of small losses can be just as crippling to a business."
As to the original question of "In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?"
I would respond that there is insufficient information in the thread thus far to actually answer that question.
David's question begs a few questions from me:
-- How are the ADFS servers being used as relates to these remote devices?
-- Why the focus on man-in-the-middle attacks? (Is this the only perceived risk of remote and mobile systems?)
-- What apps will the users be accessing after authentication?
Regards,
ASB http://XeeMe.com/AndrewBaker Providing Virtual CIO Services (IT Operations Information Security) for the SMB market…
RE: [NTSysADM] man-in-the-middle attack
Why are remote access risks any different from any other type of risk? They all cause consequences. Surely it's the consequences that are important, not the manner of delivery. The manner of delivery is important in determining the mitigation/management steps, but it's the overall consequence that determines how much attention you need to pay to it.
Cheers
Ken

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, 1 August 2013 11:54 PM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack
I guess I'm not articulating well this early in the morning (only on a 1/2 cup of coffee so far), but I do understand Ken's point and would in other situations agree with it - but not in terms of remote access risks.
-- Espi

On Thu, Aug 1, 2013 at 6:42 AM, Andrew S. Baker asbz...@gmail.com wrote:
I think you missed Ken's point, Micheal. For any given scenario, the likelihood of it happening has to be considered AS WELL AS (not independently of) the consequences if it happens. His last paragraph is instructive here:
"Using your method results in too much attention being paid to extreme events, and inadequate supervision of more mundane, even boring, events that result in small losses. Except lots of small losses can be just as crippling to a business."
As to the original question of "In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?" I would respond that there is insufficient information in the thread thus far to actually answer that question. David's question begs a few questions from me:
-- How are the ADFS servers being used as relates to these remote devices?
-- Why the focus on man-in-the-middle attacks? (Is this the only perceived risk of remote and mobile systems?)
-- What apps will the users be accessing after authentication?
Regards,
ASB http://XeeMe.com/AndrewBaker Providing Virtual CIO Services (IT Operations Information Security) for the SMB market...

On Thu, Aug 1, 2013 at 9:32 AM, Micheal Espinola Jr michealespin...@gmail.com wrote:
Nothing is absolute, black and white, yadda yadda yadda - I'm not speaking to every aspect of life or daily routine; I'm referring to the OP issue of remote access and what information is accessible remotely. I also think the meteor strike example is a bit extreme and out of scope for both our viewpoints. I understand what you are trying to suggest, but there is little/nothing we can do to predict or defend against such acts of nature.
-- Espi

On Thu, Aug 1, 2013 at 1:59 AM, Ken Schaefer k...@kj.net.au wrote:
Of course odds are important. Do you protect yourself against meteorite strike? That would result in catastrophic business loss. By your argument, "The odds don't matter if the risk will result in catastrophic loss to the business.:" Most people don't because the *odds* are very low, even though the potential impact is high. Usually, most risk people use some weighted "probability of event" multiplied by "consequences of event" to determine a risk profile. e.g.
100% chance of losing $10 = 10 points
1% chance of losing $100 = 1 point
The former event, even though the impact will cost you less if it eventuates, is of much more concern to risk managers. Weighting might be applied to "outlier" events (e.g. those of very high consequences) Using your method results in too much attention being paid to extreme events, and inadequate supervision of more mundane, even boring, events that result in small losses. Except lots of small losses can be just as crippling to a business.
Cheers
Ken

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, 1 August 2013 9:55 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack
IMO, it's a matter of recreational gambling vs. professional (done for a living) gambling[1]. You know the odds, or you don't - doesn't matter. What matters is if you can continue to profit from the risk. Will the risk hurt the continuity of business operations in terms of revenue loss. The extreme example of this is Russian roulette. The resulting exposed data in a MitM scenario is unique and has substantial potential. What is important to monetize here is the loss resulting from a MitM attack at all levels of remote access for the organization. The odds don't matter if the risk will result in catastrophic loss to the business. As someone that has discovered corporate espionage intrusions, and systematically prevented the loss of future business deals worth millions of dollars (whose loss would have otherwise collapsed the business
[NTSysADM] man-in-the-middle attack
I need to present management with the odds of this actually getting exploited, as I'd want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say we want compatibility instead of protection from some obscure attack that is unlikely to happen. In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server? David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229 // Cell (voice/text) 503.267.9764
Re: [NTSysADM] man-in-the-middle attack
1. It doesn’t matter what the odds are. When it happens the odds go to 100% making all the previous discussion moot. 2. Chrome and Safari have alternatives so what is the key point here? To keep the network secure or cater to a small group of users who obstinately refuse to give up their browser of choice? Is it management’s intent to hold corporate network security hostage to this small group of users? From: David Lum Sent: Wednesday, July 31, 2013 10:07 AM To: NTSysADM@lists.myITforum.com Subject: [NTSysADM] man-in-the-middle attack I need to present management with the odds of this actually getting exploited, as I’d want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say “we want compatibility instead of protection from some obscure attack that is unlikely to happen. In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server? David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229 // Cell (voice/text) 503.267.9764
RE: [NTSysADM] man-in-the-middle attack
Well sure it does. In a business there should always be a risk/cost analysis. Part of that is assessing the risk.. and that includes odds incorporating any mitigating factors. -sc From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Daniel Chenault Sent: Wednesday, July 31, 2013 11:25 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack 1. It doesn’t matter what the odds are. When it happens the odds go to 100% making all the previous discussion moot. 2. Chrome and Safari have alternatives so what is the key point here? To keep the network secure or cater to a small group of users who obstinately refuse to give up their browser of choice? Is it management’s intent to hold corporate network security hostage to this small group of users? From: David Lum mailto:david@nwea.org Sent: Wednesday, July 31, 2013 10:07 AM To: NTSysADM@lists.myITforum.com Subject: [NTSysADM] man-in-the-middle attack I need to present management with the odds of this actually getting exploited, as I’d want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say “we want compatibility instead of protection from some obscure attack that is unlikely to happen. In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server? David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229 // Cell (voice/text) 503.267.9764
Re: [NTSysADM] man-in-the-middle attack
Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible environments and habits of your remote employees. In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
-- Espi

On Wed, Jul 31, 2013 at 8:07 AM, David Lum david@nwea.org wrote:
I need to present management with the odds of this actually getting exploited, as I’d want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say “we want compatibility instead of protection from some obscure attack that is unlikely to happen.”
In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?
David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229 // Cell (voice/text) 503.267.9764
Re: [NTSysADM] man-in-the-middle attack
I don't know how you'd calculate those odds, but I do know that if it happens, it will come at the worst possible time. That's the nature of these things. My thought: How hard is it to install FireFox on iOS devices? Kurt On Wed, Jul 31, 2013 at 8:07 AM, David Lum david@nwea.org wrote: I need to present management with the odds of this actually getting exploited, as I’d want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say “we want compatibility instead of protection from some obscure attack that is unlikely to happen. In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server? David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229 // Cell (voice/text) 503.267.9764
Re: [NTSysADM] man-in-the-middle attack
According to this, you have options for TLS 1.2 support: https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers You made it sound like iOS support is a critical feature for you. It's noted that the iOS version of Safari 5 does in fact support TLS 1.2. Otherwise, wait for Chrome 29 (releases happen every few weeks). As for man in the middle attacks, are your remote users using VPN? Or are you depending on TLS to provide your encryption?
--Matt Ross Ephrata School District

- Original Message -
From: David Lum [mailto:david@nwea.org] To: NTSysADM@lists.myITforum.com [mailto:NTSysADM@lists.myITforum.com] Sent: Wed, 31 Jul 2013 08:07:04 -0800 Subject: [NTSysADM] man-in-the-middle attack
I need to present management with the odds of this actually getting exploited, as I'd want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say we want compatibility instead of protection from some obscure attack that is unlikely to happen. In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?
David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229 // Cell (voice/text) 503.267.9764
RE: [NTSysADM] man-in-the-middle attack
In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
How can you say that "odds are irrelevant" if the issue is business risk? Risk is "potential for loss", and potential includes a weighting for likelihood (i.e. "the odds")? Can you clarify what you mean?
Cheers
Ken

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, 1 August 2013 1:43 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack
Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible environments and habits of your remote employees. In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
-- Espi

On Wed, Jul 31, 2013 at 8:07 AM, David Lum david@nwea.org wrote:
I need to present management with the odds of this actually getting exploited, as I'd want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say we want compatibility instead of protection from some obscure attack that is unlikely to happen. In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?
David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229 // Cell (voice/text) 503.267.9764
Re: [NTSysADM] man-in-the-middle attack
IMO, it's a matter of recreational gambling vs. professional (done for a living) gambling[1]. You know the odds, or you don't - doesn't matter. What matters is if you can continue to profit from the risk. Will the risk hurt the continuity of business operations in terms of revenue loss. The extreme example of this is Russian roulette. The resulting exposed data in a MitM scenario is unique and has substantial potential. What is important to monetize here is the loss resulting from a MitM attack at all levels of remote access for the organization. The odds don't matter if the risk will result in catastrophic loss to the business. As someone that has discovered corporate espionage intrusions, and systematically prevented the loss of future business deals worth millions of dollars (whose loss would have otherwise collapsed the business) - I have a specific view of this issue. The only additional info on this that I will provide is that the intrusion allowed a bidding competitor access to corporate communications as well as business plans and bidding documents. My discoveries led to the prevention of a competitor from staying one step ahead of us in business planning and bidding, and eventual Federal prosecution of the intruder.
1. I'm not a gambler, but I have known professional gamblers.
-- Espi

On Wed, Jul 31, 2013 at 4:05 PM, Ken Schaefer k...@kj.net.au wrote:
In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
How can you say that “odds are irrelevant” if the issue is business risk?
Risk is “potential for loss”, and potential includes a weighting for likelihood (i.e. “the odds”)?
Can you clarify what you mean?
Cheers
Ken

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr Sent: Thursday, 1 August 2013 1:43 AM To: ntsysadm@lists.myitforum.com Subject: Re: [NTSysADM] man-in-the-middle attack
Odds would be very difficult to extrapolate with any legitimate accuracy, as you need to know and control the possible environments and habits of your remote employees. In any event, the odds are irrelevant - the issue is the business risk of intrusion/loss.
-- Espi

On Wed, Jul 31, 2013 at 8:07 AM, David Lum david@nwea.org wrote:
I need to present management with the odds of this actually getting exploited, as I’d want to force TLS 1.2 for ADFS but that takes Chrome and more importantly Safari (iOS devices) out of the mix, so I suspect management might say “we want compatibility instead of protection from some obscure attack that is unlikely to happen.” In short, what are the odds of a MITM attack actually happening between my remote employee and our ADFS server?
David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229 // Cell (voice/text) 503.267.9764