Anton Chuvakin says this:
In other words, if your password on a publicly exposed router is "password," please shut the trap up about "risk management!"
Of course these two cases - 1) having a vulnerability (yes, even a big one); and 2) managing risk
- are not mutually exclusive. It is common in security for folks to insert their own opinions and tolerances about risk into a statement that is intended to be some sort of universal truth, but that isn't the point of risk management.
Risk management is the ongoing process of evaluating threats, vulnerabilities, and consequences (within an environment) and making decisions about the timing, placement, and application of one or more controls such that the mix of positive (or at least neutral) and negative outcomes are tolerable.
Ah, come on! I am not an idiot, you know :-)
>are not mutually exclusive
Of course they are not! My comment meant to say that many folks who blabber for hours about "risk management" should spent some of this time to go change that router password :-)
Posted by: Anton Chuvakin | October 17, 2007 at 10:39 AM