A SANS and Qualys View of Security Risks, 2007
November 28th, 2007 Drazen Drazic Posted in Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance
The work produced by SANS and Qualys stands out as some of the best data on the state of security risks that, in most cases, we allow ourselves to be exposed to. More on the data shortly. Just to clarify the statement “we allow ourselves to be exposed to”: it is what it is. Organisations persist with doing the following:
1. Not thinking strategically and giving IT security and risk management practices little more than lip service. Covered here in The 7 Reasons Why Business are Insecure. (It’s nice to see this article has received good attention elsewhere like in Anton Chuvakin’s blog).
2. Implementing systems and applications without proper security consideration, review and testing. (How long have security professionals been preaching for security to be part of every phase of the SDLC and PLC yet little has changed?)
3. Running no ongoing and proactive vulnerability assessment and management programs, like QualysGuard for example (yes, open disclosure, I like QualysGuard as you know).
4. etc. etc. etc. Insert your own thoughts here. If you’re reading this, I am probably preaching to the converted.
Now it would be naive to say we “allow” everything. We don’t - you just can’t predict and understand every potential threat. That’s why we have risk management! Anyone remember what that term meant or what it is supposed to do? Related story: Risk Management - Great in Meetings, not so much in practice.
It’s interesting then to have a look at the SANS Top 20 Internet Security Risks of 2007 overview and detailed report. What percentage of these threats do you think could be controlled by an organisation that is serious about IT security?


November 29th, 2007 at 7:52 am
Gran Turismo forensics…
Congratulations to Nick Breese & the sa.com team on the PlayStation 3 password cracking research.
The ability to brute force passwords using a gaming device & at speeds many, many times faster than current methods is real outside-of-the-box thinking. Groundbreaking, even. It looks like the arms race has stepped up another notch, on both sides of the fence - since any research like this has the potential to be used for good & bad.
But for those of us in the forensics world, we might just (at a pinch) be able to justify a PS3 for our labs !
… For forensics purposes, of course. ;- )
Again, great work.
Big Galoot.
November 29th, 2007 at 8:53 am
@Big Galoot
You may be interested in this:
mms://content.mediaworks.co.nz/tv//News/20071128/6n_PS3_300K.wmv
Nick on TV3.
Dec.
November 30th, 2007 at 9:34 am
Hey Dec,
quick question - does Nick *really* work that fast at the binary level (seen on the TV promo frantically tapping away, changing & typing octets faster than you could type up a letter to someone)… or was this a bit of, let’s say, journalistic licence?
;- )
BG.