https://blogs.rsa.com/bad-decisions-made-faster-qualitative-security-risk-assessments-making-things-worse/?utm_source=rss&utm_medium=rss&utm_campaign=bad-decisions-made-faster-qualitative-security-risk-assessments-making-things-worse
By Derek Brink, blogs.rsa.com, March 19, 2014
Once there was a leadership team that was exceedingly fond of using risk assessments to make business decisions about information security. The team cared little for detailed discussions about threats, vulnerabilities, technical exploits, or a host of potential security controls. They wanted their subject matter experts on information security to explain clearly how their recommended investments in security controls would actually reduce the company’s risk, and they ultimately wanted to make decisions based on the amount of risk the company was willing to accept. Many security professionals, as well as many security vendors, tried but failed to communicate in this way and fell back into their old bad habits, frustrating everyone. But one day some pretenders came along, who let it be known that they could conduct qualitative (and even “semi-quantitative”) security risk assessments that could be easily understood by the leadership team. Their security risk assessments were presented using bright colors, and had the property of being understood by virtually everyone. The pretenders were supported by a third-party advisor, highly trusted by the leadership team, who vouched publicly for their approach. Does any of this fractured fairy tale sound familiar? It’s based, of course, on Hans Christian Andersen’s classic story, The Emperor’s New Clothes. You can write the end of the story yourself. In spite of their misgivings, everyone goes along with the charade
By Andrew Auernheimer, Opinion, Wired.com, 11.29.12
Editor’s Note: The author of this opinion piece, aka “weev,” was found guilty last week of computer intrusion for obtaining the unprotected e-mail addresses of more than 100,000 iPad owners from AT&T’s website, and passing them to a journalist. His sentencing is set for February 25, 2013.
Right now there’s a hacker out there somewhere producing a zero-day attack. When he’s done, his “exploit” will enable whatever parties possess it to access thousands — even millions — of computer systems.
But the critical moment isn’t production — it’s distribution. What will the hacker do with his exploit? Here’s what could happen next:
The hacker decides to sell it to a third party. The hacker could sell the exploit to unscrupulous information-security vendors running a protection racket, offering their product as the “protection.” Or the hacker could sell the exploit to repressive governments who can use it to spy on activists protesting their authority. (It’s not unheard of for governments, including that of the U.S., to use exploits to gather both foreign and domestic intelligence.)
The hacker notifies the vendor, who may — or may not — patch. The vendor may patch mission-critical customers (read: those paying more money) before other users. Or, the vendor may decide not to release a patch because a cost/benefit analysis conducted by an in-house MBA determines that it’s cheaper to simply do … nothing.
I’ve compiled a fairly comprehensive list of security vendors; feel free to suggest more.
I was cruising the Exploit-DB.com site today just to see the latest exploits in the wild and noticed right away that there was a new Metasploit exploit released on October 1st for Trend Micro’s Internet Security Pro 2010. It always chills me when I see exploits for security vendors. I guess I see them as being special or something. Maybe I shouldn’t put them so much on a pedestal, since I guess all programmers can make mistakes. However, the question is… should we expect security vendors to have better security than their customers or other software companies? I wonder if NSS Labs is going to come up with a framework for assessing or certifying security product vendors’ development processes? Hmm… That’d be nice to see.
Apparently Nessus has really hit the mainstream, with this company (Edgeos) offering “managed” security to other security vendors that wish to provide managed scanning services. Interesting, but again kinda scary to host your vulnerability data off-site like that. Apparently hosting your vulnerability data is really catching on, as lots of major companies seem to be doing it. Cloud-based scanning services were also just released by Rapid7, a strong new vulnerability vendor that has been doing quite well competing against Qualys and McAfeeSecure (aka Hackersafe).