Comments on TaoSecurity Blog: How Many Burning Homes
Blog author: Richard Bejtlich

Anonymous, 2008-07-14 04:11 (-04:00):
Good Job! :)

Richard Bejtlich, 2008-03-24 10:53 (-04:00):
Michael, let me make a little more subtle point: if your risk tolerance is tighter than your company's, you will be frustrated and not happy. If that delta is too big, you should probably consider another job.

Michael H Buselli, 2008-03-24 10:50 (-04:00):
I agree with Anton. A company that is "waiting" will keep "waiting" until its hand is forced. But then, in that case, it is true what Richard said: one should find a new place to work. If your company does not care for properly protecting its assets, then you should not be satisfied working there.

Anton Chuvakin, 2008-03-17 19:33 (-04:00):
Correct, but the keyword seems to be "waiting..." to happen. Will it be waiting? Or will it actually happen?

Richard Bejtlich, 2008-03-17 15:51 (-04:00):
Hi Anton,

I think this approach works very well. For a site like the one you describe, where essentially no one cares their systems are owned, the answers are yes, any amount; yes, any duration; yes, any time; yes, any time; yes, any system. In such a situation I would probably look to get another job because we have specifically defined that no one cares about integrity in such an organization. That's a lawsuit waiting to happen, especially if any regulations apply.

Anton Chuvakin, 2008-03-17 15:30 (-04:00):
Disagree - not a good approach in many env since:

# Is it acceptable to have 25% of a business' computers compromised? 50%? 10%? 5%?

# Is it ok for them to be owned for 6 months? 1 day? 2 years?

Many would say 'yes - as long as we can use them too' (or 'no, but we won't spend on this so - yes')

# Is it ok for us to take 6 months to notice? 2 hours? 2 days?

Many would say 'yes - as long as we can use them too' (or 'no, but we won't spend on this so - yes')

# Is it ok for us to take 1 week to recover? 1 day? 1 month?

Many would say 'yes - as long as we can use them too' (or 'no, but we won't spend on this so - yes')

# Is it ok for us to be suffering compromise on development servers? Call center PCs? Human resources databases?

Few would say yes, but then - it is 'yes as long as nobody knows AND we can use the systems'....

Please, please debate me :-)

Anonymous, 2008-03-15 13:47 (-04:00):
Richard,

Great approach to determining the risk tolerance of the organization.

At the risk of carrying it too far, I would encourage you to think about changing your analogy, though. Houses wouldn't directly correspond to what Exec. Mgmt. cares about - the value tied to a specific process. So instead of using "houses" I'd use public facilities (Is it OK to let schools burn down, and not hospitals? What about Police Stations?) and corporations (can the city operate without grocery stores? What about gas stations?). Houses might be more like desktops, maybe.

By tying the asset to the business process it supports instead of platform or IP address, business owners can generally correlate the worth of groups of (or individual) assets to their tolerance for risk.