Yes, it is certainly true that you must prove to your upper management that the cost
of recovering a compromised network is TREMENDOUS.  The only problem that we face
with network security is that there is no sound way to quantify whether measures to
protect a network will succeed.  Be careful when you present to your upper management
the suggestion that spending 40k will save 100k in the future.

Any network security specialist knows that no matter what measures are taken to
protect their network, they must cover every possible hole/exploit, where an attacker
need only find one.  With the complexity of computer systems, it is nearly impossible
to do this, and this should be made well known to management.  You must remember that
it is difficult to detect new attacks, since most of these are not incorporated into
IDSs, firewalls, etc.  In the end, the potential still exists that you may spend xx $$
on security measures and still have your network compromised by an attacker, costing
an additional sum of money.  The key point to make to management would be that the
potential is significantly reduced, but who knows how to quantify this into a tangible
metric.  Luckily, network security has been given much attention (PPD 63, Clinton's
CIP, DDoS attacks, etc.).  Thus you have some "scare tactics" to bring to bat when this
is important.

Not to ramble further, but it is sad to point out that an overwhelming majority of
attacks are generated on the inside.  It is here that firewalls, proxies, and general
measures usually fail completely, and these insiders may even have the passwords to
your security gear.  I would make this known to management too; just don't make it
look so hopeless that management would come to the realization that it may cost too
much, and that the risk may be worthwhile.

Geoff Gates
Network Engineer
Lockheed Martin, NE&SS

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]