I agree with you Larry. However, I'm not sure if accepting the initial risk
with no actions to try to mitigate it will be accepted, because one
organization can do it for all the assets/risks identified and then not
select and implement controls at all... I ACCEPT THE RISK... and I
don't do anything, this is my ISMS.???
One thing that must be clear in the SOA is which assets (Windows NT) are
related to which threats and vulnerabilities (not only technical) and
then, the risk derived from this relation and how to control it (controls
selected and implemented).
In this case, it's important to know the risk for the organization derived
from using W-NT, the services and applications that are running on these
servers, how the whole information and the organization's processes are
related and affected in case the servers are compromised, and
finally, the organization has to "say" the reason "WHY" it doesn't do
anything to mitigate the risk. Costs? No risk? No budget? Future plans
to migrate to another solution - when? etc.
In some cases, when there is no way to implement controls immediately, it
could be useful to show an action plan in order to correct the problem
and mitigate the risk in the near future. And it'll be revised in the
next audit.
Remember, the Direction (General Manager and Security Committee) has to know
the risks and approve the options selected.
Rgds,
Cesar H. Tarazona T.
Security Consultant
Etek International - Colombia
ISO 9001 certified
Tel: +57-(1)-257-1520
Fax: +57-(1)-257-6960
http://www.etek.com.co
This e-mail and any files transmitted with it are for the sole use of the
intended recipient(s) and may contain confidential and privileged
information. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message. Any
unauthorized review, use, disclosure, dissemination, forwarding, printing
or copying of this email or any action taken in reliance on this e-mail is
strictly prohibited and may be unlawful.
ljknews <ljknews (at) mac (dot) com [email concealed]>
Sent by: listbounce (at) securityfocus (dot) com [email concealed]
11/10/2006 08:21 a.m.
To: bs7799 (at) securityfocus (dot) com [email concealed]
cc:
Subject: Re: Windows NT - Risks
At 6:45 PM +0530 10/11/06, iso 27000 wrote:
> One of my customers has a lot of Windows NT servers. MS has already
> withdrawn support for the same. So no more security patches in
> future.
>
> Customer has no plans for immediate upgrade to Win2k or Wwin2k3 . Is
> this an acceptable risk to live with?
Risk is a local judgement. But remember that many of those Microsoft
patches are regarding network vulnerabilities. So long as the machines
in question have no way of connecting to the Internet, some degree of
safety from automated attacks is provided.
That leaves the risk of insider attacks. Even if there is no ability
to connect to the Internet, the phrase "lot of Windows NT servers"
implies there are a lot of insiders, increasing the opportunity for
insider attack.
> Will the auditors have any objection.
That depends on who the auditors are and the nature of the data/business.
> If so , how can it be best addressed?
That depends on what the objections are.
--
Larry Kilgallen