>> If attack A is 1,000 times more likely
>> to work than attack B, you don't think it's more important to guard
>> against attack A?
>
> It's not either/or here. You could be the guy who gets hit by lightning.

I'm not sure I entirely agree with you there, Les. I'm not going to delve into the intricacies of Cost / Benefit analysis (it made my head spin in my accounting school days) but basically, protecting against threats is in part a case of weighing the costs of setting up the protection vs the benefits of being 'immune' to such an attack, adding in a dash of probability and stirring the whole mess in a black cauldron. What comes out is what the bean counters consider an acceptable cost for that protection.

Case in point, I have several web servers sitting in a rack in our server room. I'm more likely to suffer an attack on my key infrastructure through a compromised web server than I am through someone breaking down the door and entering the room. If I asked for a security system that included biometric access control systems, I'd be laughed at and denied. OTOH, I have a firewall with a DMZ that is both physically and logically isolated from the internal network and has IDS/IPS running on all traffic passing through.

At the end of the day, there are finite resources anyone can spend protecting their organization and sometimes, hard choices have to be made. We have threats X, Y, and Z but only enough to protect against 2 of them. Which ones would you choose to protect?

--
Drew