SS2:
Quote:
You respectfully disagree yet you yawn. Interesting.
Sorry, the "yawn" was directed at political correctness in general, not at you personally. I'm just getting a bit fed up of political correctness.... A spade is still a spade no matter what you call it.
Quote:
IDS and Firewalls can and often do interact with each other.
Undoubtedly, but screw it up and you will DoS yourself.... Been there.... :o
Quote:
Making blanket statements without acknowledging that many small businesses need an Internet setup at the office that has a maximum degree of protection that they can afford borders on pontification.
Er.. The risk assessment should dictate the level of protection needed by a company and therefore its cost. If we are talking about Joe's Bait Supply that has no "secrets" on the network, 4 workstations and no public services then an IDS is not warranted - A simple firewall blocking all external access is all that is really required along with automatic updating of patches immediately they come available and functional AV.
You seem to be treating IDS as an essential item, which it is not. However, if it is warranted then the vast majority of the cost goes towards an admin capable of implementing, managing and interpreting the system. Fail to have that admin and the IDS becomes a nice anchor.
Quote:
Knowing someone intimately? Where they live?
If someone wants to stick their dick in your rear, they will in an instant
That's a given. But our supervisors see our employees daily. They inform me if they have concerns about any given employee and they go on the "Watch List". I can't see your employees managing my IDS. I have no idea whether they are happy or not and I sure as hell can't monitor their activity..... Even though they have all the information they need to compromise my network. Sorry, but that contravenes the most basic rule of any kind of security - limit access and knowledge to _only_ those who require it. If you have secrets worth keeping then, from a security standpoint, you are better off hiring in a specialist than outsourcing and giving them the "keys".
Quote:
If you sign a crappy contract then you deserve what you get. There are honest contractors out there and many are worthy of their fees.
Even sending a technical contract to your lawyer does not guarantee that when they say "sign it" that they fully understood some of the technical implications held within it. Frankly, most people that outsource technical stuff do it on the basis of references rather than full comprehension of the contract they sign - and many simply do it on the word of the salesman. Most wouldn't think to have an independent risk assessment done and then act on the recommendations of that contractor. In fact most wouldn't know or understand a risk assessment if it jumped up and slapped them in the face.
Yes, there are honest contractors out there and it sounds like you are one of them. But let's not confuse honest contractors with security. You are in the business to make money. I'm sure if you scrutinized all the contracts you hold and the implementations you have in place you would admit that there are a good proportion of customers who have been "over-sold" your products.... Because you could....
In the final analysis you either have something worth protecting or you don't. If you do then a risk assessment must be carried out. The result of the risk assessment dictates the level of protection required and therefore the cost. If your secrets are of sufficient value to require the use of an IDS then you are better off, in the long run, employing an administrator that can implement, manage and interpret it for themselves.