A security administrator was recently hired in a start-up company to represent the interest
of security and to assist the network team in improving security in the company. The
programmers are not on good terms with the security team and do not want to be
distracted with security issues while they are working on a major project. Which of the
following is the BEST time to make them address security issues in the project?

A well-known retailer has experienced a massive credit card breach. The retailer had
gone through an audit and had been presented with a potential problem on their network.
Vendors were authenticating directly to the retailer’s AD servers, and an improper
firewall rule allowed pivoting from the AD server to the DMZ where credit card servers
were kept. The firewall rule was needed for an internal application that was developed,
which presents risk. The retailer determined that, because the vendors were required to
have site-to-site VPNs, no other security action was taken. To prove to the retailer the
monetary value of this risk, which of the following type of calculations is needed?