A Rallying Cry for Help?

Subject: A Rallying Cry for Help?
Date: 4 Apr 2006 20:30:07 -0000
Our network engineering staff recently came across some old documents left 
molding in a closet. An interesting note from the, at the time, CIO outlined a 
communication to our executive management. 

This is what was said:
---------------------

With the growing proliferation of viruses, worms and malicious code in the 
wild, it is imperative we take proactive measures to ensure confidentiality, 
integrity and availability of our data. As it has been stated before, we cannot 
assess our true vulnerability until we have assessed our current state. Current 
state of our network reveals our weakest points are most vulnerable to attack. 
The recent outbreak of Sasser and Netsky should have taught us all a grave 
lesson. Something tells me we have yet to fully "get it".

Information Security cannot do it alone. Nor should they be expected. The 
greatest type of security breach reported for 2004 was the Denial of Service 
attack.  DOS attacks account for almost double the amount of money lost last 
year due to a particular genre of attack, targeted DDOS attacks proliferated 
through hidden "bots" found in Trojan code. Denial of Service can be over used 
as a broad term, however, when access to any type of data is prohibited by 
either an exploited system flaw or introduction of malicious code, it is 
referred to as a denial of service.

This paradigm we operate in today is constantly changing. We should take a more 
macro approach when scrutinizing security within our network. By using a 
complete and trustworthy assessment of our hardware, in-house software and 
software provided by our vendors, we should readily be able to identify gaps in 
security, unauthorized access points and unnecessary redundancy.

It will take a change in the corporate culture itself to rid ourselves of 
unnecessary access such as gateway devices into the network and directed ATM 
access provided by large vendors.  To date, we as a company have enjoyed large 
successes and have reaped the rewards. Unfortunately, we have practiced little 
restraint and have been even less frugal.

In order to remedy the problem, we must attack it head on.  The movie Kill 
Bill's leading character did not wait for her victims to appear before her. Nor 
did she wait until one or more of them created the opportunity.  Her problem 
was attacked head on. There still is a challenge present and we as a company 
must be strong enough to accept it.

End User training should be at the forefront of every line-level manager in 
this corporation. This should also include good Information Security practices, 
such as secure coding initiatives and robust password management, as well as 
daily job function Security Awareness duties. We can only get better at 
combating unwanted downtime and lost revenue due to poor security if we take a 
top-down approach to teaching and promoting good data security practices. The 
recent Sasser outbreak could have been prevented if users simply deleted 
offending messages. In addition, the 0-day exploit is upon us. Communication 
and remediation efforts must be proactive or at least as close to the release 
of malicious code as possible.  Information Security stewards simply must 
continue work on enhancing their methods of communication to all areas of the 
company. For this is no longer strictly a technological problem. It is a 
survival issue.

---------------------
 
Maybe these executive-types are starting to understand.
 
 -PM, IS Director
 I Flip You Off dot Com
 San Mateo, CA
 