Security Round Table - Episode 3 - Liability for Vulnerabilities and Responsible Reporting
I am excited to present to you the SRT’s third episode. The goal of these podcasts is simple: bring together podcasters and occasional guests to discuss important security topics. This episode had some great (read: diverse) representation as we tackled the issue of who should be responsible for vulnerable code and “good practices” around notification, patching and the like.
This podcast went a bit longer than planned, and I suspect we could have kept talking all night long! I personally learned quite a bit and enjoyed the opportunity to explore some of these issues and hear different perspectives. I hope you enjoy it too!
Joining us on this effort were:
Martin McKeay (The Network Security Podcast)
Paul Asadorian (Pauldotcom Security Weekly)
Jamal Khan (Hdaar Security Radio)
Alan Shimmel (Still Secure, After All These Years)
Ron Woerner (Security Catalyst Contributor)
Ideas? Comments? Suggestions? securitycatalyst@gmail.com
Michael (The Security Catalyst)
oilpanic said,
July 27, 2006 @ 5:26 am
I have heard this episode today, and frankly I must say that this episode is really targeted at security guys managing 1000+ clients. The masses out there do not really care about updates for their systems unless they come from Microsoft. Really, if you are a midsized company with a proper firewall and maybe an IDS you don’t really need to care that much about holes in your system because most of them are “user related” in the sense that the vulnerabilities, in order to infect your system (like the MySpace one), need user interaction. Now while this, hopefully, is not an issue on servers, since we do not use servers for surfing MySpace and such, what would REALLY help us out is education.
I know I have said this before, but 9 out of 10 security issues are user related and could be prohibited with proper training. Explain what phishing is, how to be alert, how not to install activex and stuff like that. And then, lock their computers down the best you can.
Now, to round this up, I heard you guys wanted to address the “Two-Factor Authentication” issue that recently came up. I really feel people are going down the wrong track on that one. Again, for this to be insecure you would need something like phishing to take place. I am sorry to say that if your users go to a phishing site that looks like your corporate intranet or your bank, but the URL states “Givemeallyourpasswordsandmoney.ru”, then you have NOT educated your users well enough. It’s not the same as saying that TFA is not secure. The same would be to say that encryption is not secure because there was an incident where someone installed a keylogger by mistake and a hacker got their password and key and performed a man in the middle and decrypted mails that way. It does not mean that crypto is not secure.
Just my 0.1$