I gave a presentation at OKC ISSA's 2009 Information Warfare Summit, yesterday, covering:
- common info sec weaknesses,
- new data from Verizon's 2009 Data Breach Incident Report,
- my reactions to the data / expectations / etc
- high level recommendations
If interested, it is located here.
Thursday, May 21, 2009
1 comment:
Brilliant summation.
I do have a few comments though:
I'm still trying to digest slide 16-
Other research that I have seen suggests that the stats for patch to exploit are less optimistic than VB's.
Slide 34 -
What do you do when you disagree with VB? I think that their scope is too small to make any marginal calls. Only really mindblowing statistics will work. I agree with you about social engineering but only for trojans and phishing. I think this is under-represented in the VB report. I also think that using PCs to hijack a workstation would be a lot easier than going directly after servers. I'm amazed that default accounts are still such a problem but not shocked. Ditto for SQL injection.
I like slide 39 -
"In an unsegmented environment, there is no such thing as a 'low risk' system."