RE: FW: Cost of Worm Attack Protection
You misunderstood me if you thought I was saying the key to this problem is to throw money at it. You can spend a load of cash and accomplish nothing. In fact, you can do far worse damage this way by giving yourself a false sense of security than if you did nothing at all.

There is a right way to view security and a wrong way. If you let a couple of fast-talking salespeople sell you their "kitchen sink" solution without a full understanding on your part of what you've just purchased, or of how to install and maintain the product, then you don't belong in your company's security group and should look for a new line of work. I think we can all think of security installations or practices we've seen in the past that we can find fault in, or ones that are so bad they need to fire the security staff and reevaluate the entire infrastructure.

The point I was making in my original email was that you need to understand your network. This includes the users and how they interact. You can spend $0 in the way of new hardware and instead work to change the bad habits of users on the network, and be in a much more secure position months from now. By understanding your network and the security risks associated with each element, as well as the options available for closing (or mitigating) those security risks, you will find yourself in a better position to spend allocated funds more wisely. You'll never be able to make a network hacker-proof, but you can work to mitigate risk to varying degrees. Here is where the money comes in. How wisely you spend is up to you.

Mike Braun

-----Original Message-----
From: Rob Thomas [mailto:robt@cymru.com]
Sent: Thursday, November 13, 2003 12:56 PM
To: NANOG
Subject: Re: FW: Cost of Worm Attack Protection

Hi, NANOGers.

] The old saying of "you get what you pay for" seems to be well directed when
] it comes to this topic. If you're willing to allocate $100K more than you
] currently spend to mitigating the effects from Worms and Viruses, I'm sure
] you will have some increased success. If you allocate 1 mill more, your
] success will increase substantially. The true cost really boils down to

This sort of thinking, unsupported by any data, runs rampant in the security industry. I have yet to see anyone document the ROI on security tools and services. Do they help at all? Does an increase in security spending result in a decrease in pain? In some cases, as already documented here, an increase in security measures can actually increase costs. Let's not fall into the trap that more $$$ equates to greater security or awareness.

I've seen many sites that installed numerous pods of the latest IDS at their borders, only to be owned from within, or owned by a method not yet in the ever-behind signature database of the IDS devices. One can waste money on security just as easily as one can waste money on anything else.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);