Security Basics: RE: Would you bet your life on your security?

["David Gillett" <gillettdavid () fhda edu>]

  There's a truism to the effect that the only secure
machine is unusable.  So if this outfit has any competence
at all they *will* find vulnerabilities in any useful
network.
  The more critical question is, can they find vulnerabilities 
that the organization does not consider an acceptable risk
associated with being in business.  Since different
organizations have different tolerances for risk, this
may be hard to guess up front -- I doubt they're willing
to bet on THAT.

David Gillett


> -----Original Message-----
> From: Eric Brown [mailto:ericbrow () ziplip com]
> Sent: October 1, 2003 19:04
> To: simon; security-basics () securityfocus com
> Subject: Re: Would you bet your life on your security?
>
>
> Hello Simon,
>
> I'm pretty new to security, but this is discouraged by the 
> ISECOM in their most current Open Source Security Testing 
> Methodology Manual, p. 18, "2. The offering of free services 
> for failure to penetrate or provide trophies from the target 
> is forbidden." 
>
> I wouldn't know this if I hadn't just read it though.  
> Eric
>
> > -----Original Message-----
> > From: simon [mailto:simon () snosoft com]
> > Sent: Wednesday, October 01, 2003, 4:18 PM
> > To: security-basics () securityfocus com
> > Subject: Would you bet your life on your security?
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > All,
> >     I'm not sure how many of you have had good security 
> audits in the 
> > recent past so I thought I'd show you this. In summary 
> Secure Network 
> > Operations, Inc. will do an external security audit of your 
> network for 
> > approx $1000.00.  If they don't find any vulnerabilities, 
> then the audit 
> > is FREE and they send you a letter of validation. If they do find 
> > vulnerabilities, then they charge you and send you a formal 
> report that 
> > details their finds and grades your network.
> >
> >     Given some of the new laws that have been passed this 
> seems like a 
> > pretty good service and a VERY cheap way to validate your companies 
> > security. Secure Network Operations also has a flawless 
> track record and 
> > has the references to prove it.
> >
> > Why do I think this is a good idea? Well, the California 
> identity theft 
> > law (Civil Code 1798.82),The new federal banking 
> regulations are two 
> > reasons. They both  make disclosure of a compromise 
> MANDITORY. You need 
> > to tell ALL of your clients, by law, that you have been 
> compromised and 
> > that their identities may have been stolen.
> >
> > So anyway, I'll shut up.  For those of you that are 
> interested check out 
> > the link below. For those of you that arent, I'm just 
> trying to help 
> > people out so don't flame me or I'll /dev/null your mail.
> >
> > http://www.secnetops.com/pesa-form_html.html
> >
> > Their web site is: http://www.secnetops.com
> > - -- 
> > Regards,
> >          -simon-
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQE/e0/Nf3Elv1PhzXgRAqczAJ9jLoYmBi1aCs6DA49cB7nusXhv2QCgzeF6
> > 0kewAu0Xz4t6+F5Px6kfKc8=
> > =9AWM
> > -----END PGP SIGNATURE-----
> --------------------------------------------------------------
> -------------
> >
> --------------------------------------------------------------
> --------------
> >
>
> To do is to be.  -Socrates
> To be is to do.  -Satre
> Do be do be do.  -Sinatra
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------
---------------------------------------------------------------------------
----------------------------------------------------------------------------