Viruses, DDos's and then what ?


  • ciph3r
    replied
    Point taken.


  • AlxRogan
    replied
    Originally posted by ciph3r
    I agree with you that I left out a lot of other attack vectors, but the point was not to identify all possible attack points. The point was that a huge chunk of 'security' these days seems to be focused around viral and denial attack mitigation. In saying that, let's say for instance -- Given an environment where there are sufficient security controls such as proper firewall implementations, NAT and DMZs at work, and viral patterns and DoS attacks are accounted for, what else is on the radar as far as possible attacks?

    How many attackers out there have the technical know-how to compromise a system without the aid of known security exploits -- in my [very humble] opinion not very many. So I'm saying that once you take care of those risks the threats against your system seem to fall dramatically.

    (Yes, we've already talked about internal threats but I'm talking about threats from outside the network.)

    Just because you have reduced the risk from 1/1,000 to 1/1,000,000 doesn't mean that the impact from the 1/1,000,000 isn't more significant. Let's look at this. 1/1,000 - Piss off someone in an IRC forum, they fire up their botnet. You could lose some Availability, remember CIA, Confidentiality, Integrity, Availability, but call your upstream provider or do ingress filtering, problem solved. 1/1,000,000 - you run a firewall without regular vulnerability assessment, someone infiltrates or compromises a trusted or non-trusted host, your entire security posture is lost, CI and A.

    Like Chris said, you can't discount it just because it isn't a point-click attack. I've seen the logs and performed after-action incident response on several situations where the skiddie route failed, then someone put some thought into it and compromised a system or systems.


  • ciph3r
    replied
    I agree with you that I left out a lot of other attack vectors, but the point was not to identify all possible attack points. The point was that a huge chunk of 'security' these days seems to be focused around viral and denial attack mitigation. In saying that, let's say for instance -- Given an environment where there are sufficient security controls such as proper firewall implementations, NAT and DMZs at work, and viral patterns and DoS attacks are accounted for, what else is on the radar as far as possible attacks?

    How many attackers out there have the technical know-how to compromise a system without the aid of known security exploits -- in my [very humble] opinion not very many. So I'm saying that once you take care of those risks the threats against your system seem to fall dramatically.

    (Yes, we've already talked about internal threats but I'm talking about threats from outside the network.)


  • Chris
    replied
    Originally posted by ciph3r
    Chris:: Are you saying that you don't view viruses as a major threat to the continuance of business systems? So an e-commerce company who's hit with either a virus or a DoS attack shouldn't consider that a major attack? Criticality of attacks is relative to the nature of business.

    Nope. That isn't what I am saying at all. I am saying that there are a TON of other threats which you seem to discount as unimportant or non-existent.

    Originally posted by ciph3r
    Now that most business systems have become more secure the only threats to information security seem to be viruses and DoS attacks.

    This statement is silly.


  • ciph3r
    replied
    Chris:: Are you saying that you don't view viruses as a major threat to the continuance of business systems? So an e-commerce company who's hit with either a virus or a DoS attack shouldn't consider that a major attack? Criticality of attacks is relative to the nature of business.


  • Chris
    replied
    Originally posted by ciph3r
    Good point about SE and local security. I guess I should have been more clear on my question. I agree that internal security will continue to be an issue, but external threats drop dramatically once you handle viruses and kiddies experimenting with DoS tools. The attack-scape seems to be all about viruses and denial attacks. So once vendors sufficiently handle those threats for us, will we become process trainers?

    You are joking, right? You cannot really believe that these are the major threats. If so, you obviously don't work in either the INFOSEC field, or in the IT field at a place that gives two shits about security.


  • ciph3r
    replied
    Good point about SE and local security. I guess I should have been more clear on my question. I agree that internal security will continue to be an issue, but external threats drop dramatically once you handle viruses and kiddies experimenting with DoS tools. The attack-scape seems to be all about viruses and denial attacks. So once vendors sufficiently handle those threats for us, will we become process trainers?


  • IcEbLAze
    replied
    Originally posted by ciph3r
    In the days of past it seemed that systems were more vulnerable to scripted attacks and the occasional directed attack by a 'real' hacker. Now that most business systems have become more secure the only threats to information security seem to be viruses and DoS attacks. So the question is: once you've protected yourself against known viruses, and trained your border devices to handle DoS attacks, what's left?

    Social Engineering, Local Security, that's how most businesses get compromised anyways.


  • ciph3r
    started a topic Viruses, DDos's and then what ?

    Viruses, DDos's and then what ?

    In the days of past it seemed that systems were more vulnerable to scripted attacks and the occasional directed attack by a 'real' hacker. Now that most business systems have become more secure the only threats to information security seem to be viruses and DoS attacks. So the question is: once you've protected yourself against known viruses, and trained your border devices to handle DoS attacks, what's left?