Network Security Security-Management

Re: Vendor connection

Subject: Re: Vendor connection
Date: Thu, 9 Feb 2006 18:59:16 -0800

On Feb 7, 2006, at 7:43 PM, Casey DeBerry wrote:

Has anyone been burned by trusting a "trusted" connection?

It's commonplace and we have been telling people to stop it for years.


I am looking to move connections to partners behind a firewall. These are not your typical PVC or VPN connections, but servers that are connected with modems. When we need services, we connect over the modem, do our thing, and disco. Some of these connections may only be live for 30 seconds or less. From what I understand, these connections are either Worldnet services or direct connections to our partner networks. I am having difficulty convincing others that this implementation is dangerous. The other problem is that these vendors say they are running the same connection with others who don't have any issue with how this all lays out.

The short exposure time is a major advantage. A more detailed analysis of the risks associated with the connection is called for in order to make a reasonable and prudent decision about it. Typically these connections will also have limited syntax elements and use a pre-defined format that can be carefully implemented to assure that most of the risks are mitigated. The cost of making a limited function interface is pretty small for most situations and it increases the surety substantially, but it really depends on the specifics.


Besides looking at my contracts, COBIT, FFIEC etc., what other resources do I have to validate what needs to be done here?

These don't answer such questions. They have to be addressed on a case by case basis.


FC
Casey DeBerry
CoBiz Inc
Information Security
Office 303-312-3405
Mobile 303-669-8547
cdeberry@cobizinc.com



-- This communication is confidential to the parties it is intended to serve --
Security Posture securityposture.com
University of New Haven unhca.com
Fred Cohen & Associates all.net
ASP Press asp-presss.com
tel/fax 925-454-0171
572 Leona Drive, Livermore, CA 94550
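FC's suggestion of a limited-function interface with a pre-defined format, as an added example that is not part of the thread: a validator that accepts only an allowlisted command set in a rigid line format and rejects everything else before it reaches the back-end server. The message format, command names and field widths are constructed for illustration and do not describe any real partner interface.

```python
import re
from dataclasses import dataclass

# Hypothetical vendor message format, assumed for this example (constructed,
# not taken from any real partner interface): one request per line,
#   <COMMAND> <ACCOUNT: 10 digits> <AMOUNT: 1-9 digits, in cents>
# Only the commands below are permitted; anything else is rejected outright.
ALLOWED_COMMANDS = {"BAL", "POST", "HOLD"}
MAX_LINE_LEN = 40  # upper bound comfortably above the longest legal line
LINE_RE = re.compile(r"^(?P<cmd>[A-Z]{3,4}) (?P<acct>\d{10}) (?P<amt>\d{1,9})$")


@dataclass(frozen=True)
class Request:
    command: str
    account: str
    amount_cents: int


class RejectedMessage(ValueError):
    """Raised for any input that does not match the fixed format exactly."""


def parse_request(raw: bytes) -> Request:
    # Bound the work first: a validator that regex-matches unbounded input
    # is itself an attack surface on a link that is only up for seconds.
    if len(raw) > MAX_LINE_LEN:
        raise RejectedMessage("line too long")
    # Only printable ASCII is legal; a decode failure is a rejection, not a crash.
    try:
        line = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise RejectedMessage("non-ASCII byte") from exc
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in line):
        raise RejectedMessage("control character")
    m = LINE_RE.fullmatch(line)
    if m is None:
        raise RejectedMessage("does not match fixed format")
    cmd = m.group("cmd")
    if cmd not in ALLOWED_COMMANDS:
        raise RejectedMessage(f"command not in allowlist: {cmd}")
    return Request(cmd, m.group("acct"), int(m.group("amt")))


def filter_session(lines: list[bytes]) -> tuple[list[Request], list[str]]:
    """Split one short dial-up session into accepted requests and logged rejections."""
    accepted, rejected = [], []
    for raw in lines:
        try:
            accepted.append(parse_request(raw))
        except RejectedMessage as exc:
            # Record the reason for the audit log; never echo raw bytes back to the peer.
            rejected.append(str(exc))
    return accepted, rejected
```

Everything the format does not explicitly permit is dropped, so the back-end only ever sees the three commands the contract calls for.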


