Security Basics
Thread index:
protecting web apps for governments, Jun 19 2012 03:23PM, marco cohen (marcocohen2 gmail com) (3 replies)
Re: protecting web apps for governments, Jun 20 2012 04:30AM, Vedantam Sekhar (vedantamsekhar gmail com)
RE: protecting web apps for governments, Jun 19 2012 04:58PM, Miguel Gracia (mgracia grayhairsoftware com) (4 replies)
RE: protecting web apps for governments, Jun 19 2012 05:59PM, Dan Lynch (DLynch placer ca gov) (2 replies)
Re: protecting web apps for governments, Jun 19 2012 08:49PM, Shane Anglin (shane anglin gmail com) (1 reply)
Re: protecting web apps for governments, Jun 19 2012 05:26PM, Computer Sevice Teeuwen (Roy) (roy csteeuwen nl)
Re: protecting web apps for governments, Jun 19 2012 05:22PM, Rob (synja synfulvisions com) (1 reply)
RE: protecting web apps for governments, Jun 19 2012 05:28PM, Miguel Gracia (mgracia grayhairsoftware com) (1 reply)
Re: protecting web apps for governments, Jun 19 2012 05:48PM, Rob (synja synfulvisions com) (1 reply)

1. Doing an assessment of what data or services are to be protected.
2. Assessing all the risks.
3. Reviewing existing regulations and/or data protection policies that will need to be kept in mind when putting together the security solution.
4. Identifying the possible liabilities and any costs associated with them.
5. Identifying possible technology solutions to be used and also the estimated TCO for such solutions.
6. Putting together some estimated costs associated with the possible security protection and making a recommendation.
Depending on existing requirements, it may be necessary to then request an increase in budget (hopefully not). Ideally, if a particular technology solution will address all requirements, stay below budget and you can appease all stakeholder concerns, then you have found a winner.
:)
-----Original Message-----
From: Rob [mailto:synja (at) synfulvisions (dot) com]
Sent: Tuesday, June 19, 2012 1:48 PM
To: Miguel Gracia; listbounce (at) securityfocus (dot) com; marco cohen; security-basics (at) securityfocus (dot) com
Subject: Re: protecting web apps for governments
Miguel,
That's why I specified the value of the asset.
This includes not only the "actual" monetary value, but also incidental values associated with a compromise: legal expenses, settlements, bad press, and everything else that goes along with it. There's also a difficult-to-quantify value of public trust and appreciation; the semi-recent BP oil spill in the Gulf of Mexico didn't just cost the company cleanup expenses and litigation, it cost them new regulatory expenses, lost profits from people suddenly not wanting to purchase from them, and a horribly tarnished public image.
The same, and more, risks apply to government systems. When senate.gov was minorly attacked, the public perception was that the Senate had been compromised and all sorts of secret and critical information was compromised; the reality was that there was absolutely nothing of value compromised.
On a brighter note, this sort of thing can often be used to massively increase IT budgets in government agencies, assuming you still have a job.
Rob
Sent on the Sprint(r) Now Network from my BlackBerry(r)
-----Original Message-----
From: Miguel Gracia <mgracia (at) grayhairsoftware (dot) com>
Date: Tue, 19 Jun 2012 17:28:01
To: synja (at) synfulvisions (dot) com; listbounce (at) securityfocus (dot) com; marco cohen <marcocohen2 (at) gmail (dot) com>; security-basics (at) securityfocus (dot) com
Subject: RE: protecting web apps for governments
I see your point and agree with it to some degree, because it all depends on the type of data being protected. However, when protecting personal data (DOB, personal ID numbers, name, address, patient history, etc.), technology costs should be the last item to worry about.
-mg
-----Original Message-----
From: Rob [mailto:synja (at) synfulvisions (dot) com]
Sent: Tuesday, June 19, 2012 1:23 PM
To: Miguel Gracia; listbounce (at) securityfocus (dot) com; marco cohen; security-basics (at) securityfocus (dot) com
Subject: Re: protecting web apps for governments
I disagree.
When the cost of the security is significantly higher than the value of the asset being protected, it's a bad thing; especially for a government agency using public funds.
That being said, you do have to consider the PR value of the system; defacing the website of a computer security firm is more damaging than doing the same to the website of a grocery store.
Rob
Sent on the Sprint(r) Now Network from my BlackBerry(r)
-----Original Message-----
From: Miguel Gracia <mgracia (at) grayhairsoftware (dot) com>
Sender: listbounce (at) securityfocus (dot) com
Date: Tue, 19 Jun 2012 16:58:24
To: marco cohen <marcocohen2 (at) gmail (dot) com>; security-basics (at) securityfocus (dot) com
Subject: RE: protecting web apps for governments
There is no such thing as too much protection. If the company feels comfortable with this and thus requests nothing less, then it is worth having. From a technical standpoint, it may be overkill but it may be a requirement depending on audits done on the company and/or web apps.
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of marco cohen
Sent: Tuesday, June 19, 2012 11:23 AM
To: security-basics (at) securityfocus (dot) com
Subject: protecting web apps for governments
Hi all,
I'm doing consulting for one of the governments in Europe.
The idea is to create a most secure segment in which we will locate all the web apps of the gov and to protect them from any attack. We will buy equipment like SIEM, HIDS, IPS, firewalls and WAF, and prevention of DDoS attacks.
But additionally to this I am working on policies to implement hardening of the operating system of those servers.
I am also considering policies of code review (in this process also input validation), and twice a year a pentest of all the 200 web sites.
I am wondering about also doing code review for every change in those web apps + pentest 2 times a year + WAF.
ISN'T THAT TOO MUCH FOR PROTECTING THE WEB SERVERS??
thanks a lot!
marco
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------