Thursday, May 21, 2009

2009 Information Warfare Summit

I gave a presentation at OKC ISSA's 2009 Information Warfare Summit, yesterday, covering:

- common info sec weaknesses,
- new data from Verizon's 2009 Data Breach Incident Report,
- my reactions to the data / expectations / etc
- high level recommendations

If interested, it is located here.

1 comment:

Allen Baranov, CISSP said...

Brilliant summation.

I do have a few comments though:

I'm still trying to digest slide 16-
Other reasearch that I have seen suggests that the stats for patch to exploit are less optimistic than VB's.

Slide 34 -

What do you do when you disagree with VB? I think that their scope is too small to make any marginal calls. Only really mindblowing statistics will work. I agree with you about social engineering but only for trojans and phishing. I think this is under-represented in the VB report. I also think that using PCs to hijack a workstation would be a lot easier than going directly after servers. I'm amazed that default accounts are still such a problem but not not shocked. Ditto for SQL injection.

I like slide 39 -
"In an unsegmented environment, there is no such thing as a 'low risk' system."