July 21

Security Round Table – Episode 3 – Liability for Vulnerabilities and Responsible Reporting

I am excited to present to you the SRT’s third episode. The goal of these podcasts is simple: bring together podcasters and occasional guests to discuss important security topics. This episode had some great (read: diverse) representation as we tackled the issue of who should be responsible for vulnerable code and “good practices” around notification, patching and the like.

This podcast went a bit longer than planned, and I suspect we could have kept talking all night long! I personally learned quite a bit and enjoyed the opportunity to explore some of these issues and hear different perspectives. I hope you enjoy it too!

Joining us on this effort were:
Martin McKeay (The Network Security Podcast)
Paul Asadorian (Pauldotcom Security Weekly)
Jamal Khan (Hdaar Security Radio)
Alan Shimmel (Still Secure, After All These Years)
Ron Woerner (Security Catalyst Contributor)

Ideas? Comments? Suggestions? securitycatalyst@gmail.com

Michael (The Security Catalyst)


  1. I have heard this episode today, and frankly I must say that this episode is really targeted against security guys managing 1000+ clients. The masses out there do not really care about updates for their systems unless they come from Microsoft. Really, if you are a midsized company with a proper firewall and maybe an IDS, you don’t really need to care that much about holes in your system, because most of them are “user related” in the sense that the vulnerabilities, in order to infect your system (like the MySpace one), need user interaction. Now while this, hopefully, is not an issue on servers, since we do not use servers for surfing MySpace and such, what would REALLY help us out is education.

    I know I have said this before, but 9 out of 10 security issues are user related and could be prohibited with proper training. Explain what phishing is, how to be alert, how not to install ActiveX and stuff like that. And then, lock their computers down the best you can.

    Now, to round this up, I heard you guys wanted to address the “Two-Factor Authentication” issue that recently came up. I really feel people are going down the wrong track on that one. Again, for this to be insecure you would need something like phishing to take place. I am sorry to say that if your users go to a phishing site that looks like your corporate intranet or your bank, but the URL states “Givemeallyourpasswordsandmoney.ru”, then you have NOT educated your users well enough. It’s not the same as saying that TFA is not secure. The same would be to say that encryption is not secure because there was an incident where someone installed a keylogger by mistake and a hacker got their password and key and performed a man in the middle and decrypted mails that way. It does not mean that crypto is not secure.

    Just my 0.1$
