HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 44 guests online
EH-Net Donations

Enter Amount:
$
Google Ads
EH-Net News Feeds
Latest Additions
Book Recommendations



 
Advertisement

You are here: Home arrow Forum arrow Resourcesarrow News from the Outside Worldarrow 8 Dirty Secrets of The Security Industry
Ethical Hacker Community Forums
December 01, 2008, 10:57:59 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: ChicagoCon 2-Day Ethical Hacking Conference with MS Blue Hats Oct 31 - Nov 1. Tickets Only $100! www.chicagocon.com/content/view/103/51/
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: 8 Dirty Secrets of The Security Industry  (Read 1957 times)
0 Members and 1 Guest are viewing this topic.
oneeyedcarmen
Full Member
***
Offline Offline

Posts: 205

Klaatu, Borada,Necktie?


View Profile
« on: May 08, 2008, 02:12:50 PM »
Amrit Williams' blog sums up Joshua Corman's presentation at Interop, creating one of the most entertaining reads I've found in some time...

Remember kids, do not taunt happy fun ball

Quote from: Amrit and/or Joshua
#0 - Vendors do not need to be ahed of the threat they only need to be ahead of the buyer

#1 - AV certifications do not test/require trojans

#2 - There is no perimeter

#3 - Risk management threatens vendors

#4 - There is more to risk than weak software

#5 - Compliance threatens security

#6 - Vendor blind spots allowed storm

#7 - Security has grown well past “Do it yourself”
Logged
MCP, Security+, Associate (ISC)2
Fathercat
Newbie
*
Offline Offline

Posts: 15


View Profile
« Reply #1 on: May 08, 2008, 03:19:02 PM »
#5 seems so backwards from what we enforce.  Compliance for security.
Logged
CISSP
oneeyedcarmen
Full Member
***
Offline Offline

Posts: 205

Klaatu, Borada,Necktie?


View Profile
« Reply #2 on: May 08, 2008, 03:23:03 PM »
Quote from: the blog
#5 Compliance threatens security

When I was with Gartner we would publish a Cyber Threats Hype Cycle and for many years we placed Regulatory Distraction as a threat to enterprise security. The thinking was that being compliant doesn’t = improving security, whereas implementing strong security measures would generally make one compliant. Although we have made strides in defining more prescriptive compliance initiatives many organizations work to pass an audit as opposed to work to implement controls that actually benefit the organizations security program.
Logged
MCP, Security+, Associate (ISC)2
CadillacGolfer
Newbie
*
Offline Offline

Posts: 25


View Profile
« Reply #3 on: May 09, 2008, 11:33:11 AM »
I think as far as compliance, whether it be SOX, PCI, or whatever it all depends on your/your comapny's approach to it.  If all you want it to be is an excercise in checking off boxes, then that is all you will get out of it.  Failings of FISMA seem to ring a bell.

If you use complaince to drive real beneficial security changes in an organization, you reap the rewards.   I'm not saying its easy to do, but it can be done.
Logged
oneeyedcarmen
Full Member
***
Offline Offline

Posts: 205

Klaatu, Borada,Necktie?


View Profile
« Reply #4 on: May 09, 2008, 12:00:20 PM »
Quote from: CadillacGolfer
...it all depends on your/your comapny's approach to it...If you use complaince to drive real beneficial security changes in an organization, you reap the rewards.

You're absolutely correct, and ideally that would be the case.  However, with security still being seen as a cost by so many companies (though it's getting better) that may be easier said than done.  In so many companies, what the CEO and BOD really care about is being compliant with regs while spending the least money possible to do so.

I understand that I work for a business, and that the business of business is business...but if you lose your customer base because you didn't do all you could to protect their info, you'll have no business being in business.
Logged
MCP, Security+, Associate (ISC)2
RoleReversal
Sr. Member
****
Offline Offline

Posts: 469


View Profile WWW
« Reply #5 on: May 10, 2008, 10:43:32 AM »
Quote from: oneeyedcarmen on May 09, 2008, 12:00:20 PM
I understand that I work for a business, and that the business of business is business...but if you lose your customer base because you didn't do all you could to protect their info, you'll have no business being in business.

wow.... thats a lot of business Wink

couldn't agree more though, it seems that current business culture makes it difficult and rare to get full management buy-in for improving security beyond the minimum. Unfortunately the current climate allows the man (& women) at the top can earn as much (and sometimes more) for a golden boot as a golden handshake.
Logged
A little bit of sanity:
http://www.infosanity.co.uk
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.7 | SMF © 2006-2008, Simple Machines LLC
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.039 seconds with 23 queries.
 
Sponsors

cwnp_moto__120x90.gif

Polls
During the most recent election, I:
 
Support EH-Net

Support EH-Net by
Buying all of your
Amazon items using
the search bar above.
cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!
Recent Forum Topics
Vote For EH-Net

progenic.com
Click here to Vote!

Sadikhov.com
Top IT Cert Sites

binarica.com
Binarica Logo

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2008 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.