Hi, I was looking for a bit of advice. I have just recently carried out an audit on a wireless network. One of my findings was the guest SSID (which has no passcode so you can just connect) is able to route to some of their main production networks. I raised this as high risk. I should state this was an implementation issue due to limitations of the wireless kit and lack of knowledge from the company who implemented this. The client is disputing the high grade stating "any potential security breach would require high level networking skills to firstly identify the devices and usernames and passwords to these specific devices, which is seen as highly unlikely and therefore not high risk." I have high level knowledge of wireless networks and in my opinion you should not be able to route to production networks from an unprotected wireless network. Does anyone have any opinions on this?
Replies
For fun, I include the following likelihood analysis:
There are 3 billion Java installations on the Internet. If 1/1000 persons are potential felons, then there are 3 million potential felons with Java on the Internet. If there are 7.1 billion people in this world, then the odds that any customer, employee or internet visitor is a potential felon with Java on the Internet is 0.04%.
Let us look at the felony IT implications of 0.04% by computing the odds that no staff will have felony intent at this time:
Staff Count    Cherry Picking Odds of no felony Risk
100            95.8%
300            88.1%
1000           65.5%
3000           28.2%
10,000         1.5%
Consider now the number of customers per staff member a firm needs to process to make money. Is this 20 to 1, 2000 to 1?
Consider now the number of Internet systems that staff contact by Web Access during their lunch break per day?
Consider now the number of persons in the corporate parking lot that are either staff, customers, visitors, associates of the firm next-door, maintenance support, UPS, FedEx, Sparklets Water, Break Room Vending Machine support or Staples Office Supply delivery staff.
Ever notice how many Staples staff actually know their IT stuff? Ever notice how effective the UPS guy is at entering your building without a key, badge or access rights? 99.9% of them could be wonderful human beings.
The comment is a drop dead People and Process red light: DANGER WILL ROBINSON.
"any potential security breach would require high level networking skills to firstly identify the devices and usernames and passwords to these specific devices, which is seen as highly unlikely and therefore not high risk."
1) Any network access beyond a network segment authorized for unrestricted guest access is dangerous simply because it violates fundamental access controls.
2) Any risk reduction based on need for user ID and password after network access must show that all such systems are flawless and without vulnerability to attack that would circumvent user ID and password Logical Access controls.
The very idea that a team imagines that Logical Access control is a compensating control for violated Network Access Control, when there is not even working Network Access Control, would make it fair to ask, is there even working Logical Access control? Do you have proof of this too?
The "Highly Unlikely and therefore there is no risk" claim must have proof. Example: it is Highly Unlikely that Target stores would allow hostile software to install on its Credit Card readers. But, that breach was 110 million identities and 61 million credit cards. (No, the bad guys did not have a valid User ID or Password.)
More to the point, it was highly unlikely that TJ Maxx would allow rogue wireless to be installed to enable thieves to defraud their credit card network with wireless access to the parking lot. (Initially, the bad guys did not have a valid User ID or Password. But, as TJ Maxx staff began to wrongly see them as authorized IT staff, they were wrongly given valid User IDs and Passwords.)
Recommendations:
A) Have an Attack and Pen Test done on the scope of networks that can be reached by the guest Wireless. If the test shows that no system reachable from that context can be exploited from a Black Box Testing Position without any valid User ID or Passwords, then the risk reduction is valid. If systems can be exploited, have the fact-based meeting about genuine Risk Management rather than under-baked thought experiments.
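The likelihood table in the reply above, worked through as an added derivation that is not part of the original post. It assumes each person's chance of being a potential felon is independent, with the per-person probability the reply computes from its own figures:

$$
p = \frac{3 \times 10^{6}}{7.1 \times 10^{9}} \approx 4.2 \times 10^{-4} \approx 0.04\%
$$

$$
P(\text{no felon among } n \text{ staff}) = (1-p)^{n} \approx e^{-pn}
$$

$$
n = 1000:\; e^{-0.42} \approx 0.655 \;(65.5\%), \qquad
n = 10{,}000:\; e^{-4.2} \approx 0.015 \;(1.5\%)
$$

The column is therefore the chance that an organisation of that size contains nobody with hostile intent; the complement, $1-(1-p)^{n}$, is the chance that at least one such person already has a foothold on the guest SSID's side of the missing segmentation.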