Re: SME risk assessment (Was: Bank Assessment)

From: Jason High (strongcypher@hotmail.com)
Date: Mon Apr 26 2004 - 09:03:59 EDT


I work for a small business and couldn't disagree more. You're assuming
that small business = small profit = small amount of risk. This is not true
in many cases. The company that I work for is a multi-million dollar
company that stores a great deal of very sensitive information, and
therefore our risk is relatively high.

You also assume that because a company is small you only need to be equipped
with a strong understanding of that business's processes to perform a risk
assessment. Again, I have to respectfully disagree. The size of a company
does not necessarily dictate the complexity of a risk assessment. My
company, again, is a prime example. We have many distinct divisions that
perform a vast array of functions. Applying a methodology is extremely
valuable in such situations to ensure uniformity and to provide guidance to
the party(ies) doing the risk assessment.

While I agree that a strong understanding of the company's business
processes is extremely valuable, if not absolutely vital, I disagree that it
is the only issue or that applying a methodology has no value to small
businesses.

--
Jason E. High, RHCT, GSEC, MCP

>From: fergus <fergus@cobbled.net>
>To: pen-test@securityfocus.com
>Subject: Re: SME risk assessment (Was: Bank Assessment)
>Date: Fri, 23 Apr 2004 23:02:31 +0100
>
>On 23.04-09:57, Amit Deshmukh wrote:
>[ ... ]
> >                          ... would anyone know of
> > a simple risk assessment methodology that could be
> > employed for small to medium businesses?
>
>the problem is not the methodology it is the
>understanding.  you need to understand the threat
>and risk on a number of levels to make an
>effective assessment.
>
>that is what you pay for at the end of the day;
>experience and knowledge.
>
>for a simple example, it would be difficult to implement
>a password policy if you do not understand the
>relevant issues; that comes down to users,
>distribution, environment, etc, etc.  all these
>things are logical and if you have the necessary
>understanding then you do not need methodology -
>not for small businesses.
>
>it's basically an issue of common sense (once you
>can ably cover the issues).
>
>if you mean a vulnerability assessment or pen-test
>then you are better (for the small business
>sector) to simply use tools.  nessus basically; it
>will be adequate for the target.
>
>the problem is that small companies have low value
>assets and most have very little relating to
>information/computers.  even the ones that should
>know better (i.e. accountants and solicitors) are
>ill able to afford and digest a detailed report.
>they simply need a solution that puts them a
>couple of levels higher than the next guy.
>
>to summarise - perceived risk is low and therefore
>over investment in detailing actual risk is
>difficult, costly and unpopular.
>
>--
>: fergus cameron                :   [ .]        cobbled    :
>: ^^^^^^@cobbled.net            : [ ~][ ]             .net :
>
>------------------------------------------------------------------------------
>Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
>any course! All of our class sizes are guaranteed to be 10 students or less
>to facilitate one-on-one interaction with one of our expert instructors.
>Attend a course taught by an expert instructor with years of in-the-field
>pen testing experience in our state of the art hacking lab. Master the skills
>of an Ethical Hacker to better assess the security of your organization.
>Visit us at:
>http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>-------------------------------------------------------------------------------
>


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:52 EDT