On Tue, 06 Dec 2005 07:55:55 PST, Daniel Sichel said:

> Anyhow, Jason summed this up elegantly and succinctly. Is anybody
> addressing this problem with cheap software a small business can afford,
> even to test just the basics?

Plenty of people. Lots of people. Probably 80% or more of the people making an actual living at the white hat side of security, in fact. But if I were to actually *mention* anything that sounded like "unclued people who just know how to do a basic pen test and can't 1337-hax0r a box by hand", I'd start another flame-fest. ;)

No, those people won't save you from getting pwned by a uber-leet ninja hacker, because they'll only test all the obvious simple stuff. On the other hand, it's even more embarrassing to get pwned by a script kiddie using a 3 year old exploit because you didn't even check the obvious simple stuff. And there are a lot more script kiddies out there than uber-leet ninja hackers, and the uber-leet ninja hackers are probably busy elsewhere.

Yes, it's a business decision: You can spend $500 doing enough security to stop 98% of the potential attackers, or spend gazillions to stop them *all*. At some point, you have to decide "We've probably made it hard enough to attack that the script kiddies can't get in, and the ninjas will hopefully go elsewhere with a better effort/payback ratio". And then be prepared to be wrong, just like you hopefully prepared to be wrong regarding your defenses against earthquakes, floods, and other unlikely-to-happen things...

I haven't looked at the CISSP, but I bet this concept of business trade-offs is one of the things a CISSP is supposed to understand. It certainly isn't something I've seen many signs of understanding from the crowd that's proud they don't have a CISSP.

And if nothing else, even if your security needs say you should bring in a talented guy to really pound the net into submission, you should *STILL* hire the clueless idiot first - if for no other reason than it's better to be paying the idiot $50/hour to find all the stupid-ass mistakes you made, than paying the expert $250/hour to find all the stupid-ass mistakes, and then another $250/hour to do the more in-depth checking. ;)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/