Re: SME risk assessment (Was: Bank Assessment)

From: miguel.dilaj@pharma.novartis.com
Date: Mon Apr 26 2004 - 12:24:01 EDT


Hi guys,

I've a small comment. So small that perhaps it won't be approved for the
pen-test list (especially since I removed the discussion from my answer ;-)

It's my impression that you're talking about the risk of someone getting
their hands on the company's information.

What about the risk of someone getting access only to use the resources?
What if the h4x0r doesn't care about the company's assets?
Given control of some of the company's systems everything can be done
using those systems as a base to launch further attacks.
The risk of being blamed for hacking activities, DoS, storing child porn,
etc., has to be considered as well, and absolutely every individual and
company out there is exposed to that if someone can compromise their
systems. The publicity impact can also be very serious.

I can perfectly understand your recent discussion if we don't take into
account the above, and I tend to agree with you (if I understood you
correctly). Both of you are partially right.

Cheers,

--
Miguel
aka Nekromancer
WHAT password cracker? Do you know Lepton's Crack?

