Risk Versus Risk


by Russ Rogers - 3/14/00

Webster's dictionary defines RISK as: "Possibility of suffering harm or loss: DANGER". If your company network is attached to the Internet, you're at risk. The fortunate part is that you have a say in the amount of risk you are subject to. The other good news is that in most instances, you can decrease your own risk by increasing the risk to the network intruder.

The security goal of every good system administrator is to minimize the chance that unauthorized access to the network will occur. That "chance" is another name for risk. Risk has to be weighed against the company's need for network access: managers should decide on the best course of action to mitigate those risks while still providing all the network access that each business process requires.

This isn't an easy job. Although managers typically understand the way each business process is supposed to work, they don't normally have the technical knowledge of how each process actually occurs, from start to finish. Security policies should therefore include input from the appropriate technical sources within the company.

You can also reduce your own risk by raising the risk to each intruder. Burglars will not normally hit a home that has an alarm system installed. Car thieves will not normally attempt to steal cars that have alarms or tracking devices installed. That's because there is too much risk of being caught. Configure your networks in the same manner to reduce your risk.

Network intrusion detection devices increase the risk to an intruder by allowing you to passively monitor network traffic and report on incidents that look suspicious. They work in much the same way that a burglar alarm works. Marcus Ranum, from Network Flight Recorder, gave an excellent presentation on the implementation of alarms within an OS at the 1999 Black Hat Security Conference. I believe his slides are online for you to peruse.
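As an added example (not code from the article, and not Ranum's or Network Flight Recorder's), here is a minimal passive alarm in the sense described above. It reads a list of connection records (constructed inline, standing in for a packet capture) and reports, without blocking anything, when one source sweeps many ports on a single host or when anything at all touches a decoy host that no legitimate process should ever contact. The addresses, the decoy host, the window and the threshold are assumptions chosen for the example.

```python
"""Passive network alarm: two intrusion-detection rules over connection records.

Added example, not part of the original article. The monitor only observes
and reports; it never blocks traffic. Rules:
  1. "decoy": any connection to a host that has no real services (a tripwire
     nobody legitimate should ever trip), and
  2. "sweep": one source touching SWEEP_PORTS distinct ports on one target
     within SWEEP_WINDOW seconds (a port sweep, a common intrusion prelude).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float   # seconds since start of capture
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port


# Assumption for this example: 10.0.0.50 runs nothing, so any attempt to
# reach it is suspicious by definition.
DECOY_HOSTS = {"10.0.0.50"}
SWEEP_WINDOW = 10.0  # seconds
SWEEP_PORTS = 5      # distinct ports from one src to one dst inside the window


def detect(conns, decoy_hosts=DECOY_HOSTS, window=SWEEP_WINDOW, threshold=SWEEP_PORTS):
    """Return alarms as (kind, src, dst, detail) tuples in detection order."""
    alarms = []
    seen = defaultdict(list)  # (src, dst) -> [(ts, dport), ...] inside window
    swept = set()             # (src, dst) pairs already reported once
    for c in sorted(conns, key=lambda c: c.ts):
        if c.dst in decoy_hosts:
            alarms.append(("decoy", c.src, c.dst, f"port {c.dport}"))
        hist = seen[(c.src, c.dst)]
        hist.append((c.ts, c.dport))
        # Sliding window: forget connections older than `window` seconds.
        while hist and c.ts - hist[0][0] > window:
            hist.pop(0)
        ports = {p for _, p in hist}
        if len(ports) >= threshold and (c.src, c.dst) not in swept:
            swept.add((c.src, c.dst))
            alarms.append(("sweep", c.src, c.dst, f"{len(ports)} ports in {window:.0f}s"))
    return alarms


# Constructed sample traffic (not a real capture):
#  - a workstation using web services normally,
#  - a fast port sweep from 192.0.2.7, then a touch of the decoy host,
#  - a slow sweep from 198.51.100.9 spaced 30 s apart, which stays under
#    the threshold because the window forgets earlier ports.
SAMPLE = [
    Conn(1.0, "10.0.0.10", "10.0.0.20", 80),
    Conn(5.0, "10.0.0.10", "10.0.0.20", 443),
    Conn(9.0, "10.0.0.10", "10.0.0.20", 80),
    Conn(100.0, "192.0.2.7", "10.0.0.20", 21),
    Conn(100.5, "192.0.2.7", "10.0.0.20", 22),
    Conn(101.0, "192.0.2.7", "10.0.0.20", 23),
    Conn(101.5, "192.0.2.7", "10.0.0.20", 25),
    Conn(102.0, "192.0.2.7", "10.0.0.20", 80),
    Conn(105.0, "192.0.2.7", "10.0.0.50", 22),
    Conn(200.0, "198.51.100.9", "10.0.0.20", 21),
    Conn(230.0, "198.51.100.9", "10.0.0.20", 22),
    Conn(260.0, "198.51.100.9", "10.0.0.20", 23),
    Conn(290.0, "198.51.100.9", "10.0.0.20", 25),
    Conn(320.0, "198.51.100.9", "10.0.0.20", 80),
]


def run_sample():
    """Run the rules over the constructed sample; returns two alarms."""
    return detect(SAMPLE)


if __name__ == "__main__":
    for kind, src, dst, detail in run_sample():
        print(f"ALARM {kind}: {src} -> {dst} ({detail})")
```

Two points a practitioner will notice from the sample: the decoy rule needs no threshold at all, because a single touch of a host that serves nothing is already evidence; and the slow sweep from the third source goes unreported, since a fixed window trades memory for sensitivity. An alarm also only raises the intruder's risk if someone actually reads its output; the monitor reports, it does not respond.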

The idea is to increase the risk of capture for each intruder on your network. Defend yourself with quality security tools. But you also need to be aware that there are crackers out there who don't care if they get caught. The media has made such a big deal out of each web page defacement and DoS attack that script kiddies become stars.

End Goal: Reduce your own risk by increasing their risk.