Security Basics
mailing list archives
Re: Would you bet your life on your security?
From: simon <simon () snosoft com>
Date: Sun, 05 Oct 2003 15:30:58 -0400
Dave,
Prior to testing we define what we would consider to be a real
vulnerability. For example, information leaks that leak critical system
information that could lead to a compromise would be a threat/warning.
Information leaks that leak information about the system time would not
be considered a vulnerability, but rather a notice.
There are four stages; the latter three are considered vulnerabilities:
1-) Notice
2-) Warning
3-) Threat
4-) Critical
If anyone wants more information on the way we classify risks feel free
to shoot me a message.
David Gillett wrote:
There's a truism to the effect that the only secure
machine is unusable. So if this outfit has any competence
at all they *will* find vulnerabilities in any useful
network.
The more critical question is, can they find vulnerabilities
that the organization does not consider an acceptable risk
associated with being in business. Since different
organizations have different tolerances for risk, this
may be hard to guess up front -- I doubt they're willing
to bet on THAT.
David Gillett
-----Original Message-----
From: Eric Brown [mailto:ericbrow () ziplip com]
Sent: October 1, 2003 19:04
To: simon; security-basics () securityfocus com
Subject: Re: Would you bet your life on your security?
Hello Simon,
I'm pretty new to security, but this is discouraged by the
ISECOM in their most current Open Source Security Testing
Methodology Manual, p. 18, "2. The offering of free services
for failure to penetrate or provide trophies from the target
is forbidden."
I wouldn't know this if I hadn't just read it though.
Eric
-----Original Message-----
From: simon [mailto:simon () snosoft com]
Sent: Wednesday, October 01, 2003, 4:18 PM
To: security-basics () securityfocus com
Subject: Would you bet your life on your security?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
I'm not sure how many of you have had good security audits in the
recent past so I thought I'd show you this. In summary, Secure Network
Operations, Inc. will do an external security audit of your network for
approx $1000.00. If they don't find any vulnerabilities, then the audit
is FREE and they send you a letter of validation. If they do find
vulnerabilities, then they charge you and send you a formal report that
details their finds and grades your network.
Given some of the new laws that have been passed this seems like a
pretty good service and a VERY cheap way to validate your company's
security. Secure Network Operations also has a flawless track record and
has the references to prove it.
Why do I think this is a good idea? Well, the California identity theft
law (Civil Code 1798.82) and the new federal banking regulations are two
reasons. They both make disclosure of a compromise MANDATORY. You need
to tell ALL of your clients, by law, that you have been compromised and
that their identities may have been stolen.
So anyway, I'll shut up. For those of you that are interested, check out
the link below. For those of you that aren't, I'm just trying to help
people out so don't flame me or I'll /dev/null your mail.
http://www.secnetops.com/pesa-form_html.html
Their web site is: http://www.secnetops.com
--
Regards,
-simon-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/e0/Nf3Elv1PhzXgRAqczAJ9jLoYmBi1aCs6DA49cB7nusXhv2QCgzeF6
0kewAu0Xz4t6+F5Px6kfKc8=
=9AWM
-----END PGP SIGNATURE-----
To do is to be. -Socrates
To be is to do. -Sartre
Do be do be do. -Sinatra