I can tell you that as good as they are, I have worked on incidents
regarding those machines, and don't forget that some 70% of security
incidents have an internal component.  Then, to build on what Doug mentioned,
add the cost of remediation, i.e. incident response to do the forensics, the
ensuing investigation, and work with law enforcement or corporate legal
should you decide to pursue the incident in criminal or civil court.
Ed Hudson
Internet Security Systems
Emergency Response Services (ERS)
[EMAIL PROTECTED]

-----Original Message-----
From: Douglas Gullett [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 11, 2002 7:01 PM
To: [EMAIL PROTECTED]
Subject: RE: as/400 Domino


   I am not a "security wizard" (yet), but I have had some experience in
convincing reluctant CEOs and CFOs.  I think that the only way to convince
management is to show them the $$.  Find out what it would cost them to lose
their data, or lose their services for X hours.  Their CFO should be able to
tell you how much the company makes per hour (what they would lose for each
hour the system is down), how much each "man-hour" costs, how much data is
entered each day, etc. (if not...they REALLY have their heads up their ****
and you better run like hell from that mess!)  Itemize and list the cost in
$$ based on type of loss and how long it would take workers to replace the
lost data.  Include the cost of retrieving documents from storage, legal
expenses, data entry, overtime, etc.  Make it into a nice table based on the
cost for each type of incident, from mild to worst case.  Then pose this
simple question.  "Are you willing to gamble $2,500,000.00 (or whatever the
amount is) on the possibility that your system is absolutely secure??"  Most
CEOs and CFOs get their bonuses and keep their jobs based on the company
making money.  They will probably have nightmares for weeks!  The few
thousand that you're asking won't seem like so much.



Douglas Gullett, CCNA, CCDA, CCNP
Savage, MD, USA


> This may be a very silly question. But I am desperate for advice from one
> of you "security wizards", as I need to convince a client to immediately
> evaluate alternative security solutions ASAP, as they are exposing their
> internal network to the Internet without a firewall.
>
> Their argument is that the servers are AS/400 and they claim that the
> platform does not have any security holes or vulnerabilities that a
> potential hacker could exploit. So they feel they don't need a firewall.
> Although I am aware of 2 vulnerabilities on the Domino AS/400 (They are
> using DOMINO too) I don't have adequate knowledge and cannot cite
> incidents on hacking the AS/400.
>
> Any advice, references,links etc --- MUCH MUCH appreciated  !
>
> Ta
> RJ
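The loss table Douglas describes (cost per hour of downtime, labour hours, data re-entry, fixed costs such as legal and document retrieval, itemised per scenario from mild to worst case) can be built mechanically. The following is an added worked example, not code from anyone in this thread; every rate, scenario and probability in it is a constructed placeholder to be replaced with the figures the client's CFO actually supplies.

```python
"""Itemised loss-scenario table for a security budget discussion.

Added example, not from the mailing-list thread. All dollar figures,
hours and probabilities are constructed placeholders, not real data.
"""
from dataclasses import dataclass, field


@dataclass
class CompanyRates:
    revenue_per_hour: float      # what the CFO says the company makes per hour
    labour_cost_per_hour: float  # fully loaded cost of one "man-hour"
    minutes_per_record: float    # data-entry time to re-key one lost record


@dataclass
class Scenario:
    name: str
    downtime_hours: float        # hours the system is unavailable
    staff_hours: float           # overtime / cleanup labour needed
    records_lost: int            # records that must be re-keyed by hand
    fixed_costs: dict = field(default_factory=dict)  # legal, retrieval, ...


# Constructed placeholder rates (hypothetical company).
RATES = CompanyRates(revenue_per_hour=10_000.0,
                     labour_cost_per_hour=50.0,
                     minutes_per_record=2.0)

# Constructed placeholder scenarios, mild to worst case.
SCENARIOS = [
    Scenario("mild", downtime_hours=4, staff_hours=16, records_lost=0),
    Scenario("moderate", downtime_hours=48, staff_hours=200,
             records_lost=5_000, fixed_costs={"legal": 10_000.0}),
    Scenario("worst", downtime_hours=14 * 24, staff_hours=2_000,
             records_lost=200_000,
             fixed_costs={"legal": 50_000.0, "document retrieval": 25_000.0}),
]


def scenario_loss(s: Scenario, r: CompanyRates) -> dict:
    """Itemised loss for one scenario, in dollars, by cost category."""
    items = {
        "lost revenue": s.downtime_hours * r.revenue_per_hour,
        "overtime / cleanup": s.staff_hours * r.labour_cost_per_hour,
        "data re-entry": (s.records_lost * r.minutes_per_record / 60.0
                          * r.labour_cost_per_hour),
    }
    items.update(s.fixed_costs)
    return items


def loss_table(scenarios, rates) -> dict:
    """Total loss per scenario, sorted from mild to worst case."""
    totals = {s.name: sum(scenario_loss(s, rates).values()) for s in scenarios}
    return dict(sorted(totals.items(), key=lambda kv: kv[1]))


def expected_annual_loss(table: dict, annual_probability: dict) -> float:
    """Sum of loss x estimated yearly likelihood over all scenarios.

    Probabilities are the weakest input here; a range is more honest
    than a single number, but one figure is enough to frame the question.
    """
    return sum(loss * annual_probability.get(name, 0.0)
               for name, loss in table.items())


def gamble_question(table: dict, proposed_spend: float) -> str:
    """The one-line question Douglas suggests putting to management."""
    worst = max(table.values())
    return (f"Are you willing to gamble ${worst:,.2f} on the possibility "
            f"that your system is absolutely secure, rather than spend "
            f"${proposed_spend:,.2f} now?")


if __name__ == "__main__":
    table = loss_table(SCENARIOS, RATES)
    for s in SCENARIOS:
        print(f"{s.name}:")
        for item, cost in scenario_loss(s, RATES).items():
            print(f"  {item:<20} ${cost:>14,.2f}")
        print(f"  {'TOTAL':<20} ${table[s.name]:>14,.2f}")
    # Constructed placeholder likelihoods per year.
    eal = expected_annual_loss(table, {"mild": 0.5, "moderate": 0.1, "worst": 0.02})
    print(f"\nExpected annual loss: ${eal:,.2f}")
    print(gamble_question(table, proposed_spend=8_000.0))
```

The point of separating rates from scenarios is that the CFO owns the rates (revenue per hour, labour cost) while the security person owns the scenarios, so each side only has to defend the numbers they actually know.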
