WebApp Sec mailing list archives
Re: Two-Factor Authentication on the Web
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Mon, 17 Jul 2006 13:38:00 +0530
On 28/06/06 23:41 -0600, Tim wrote:
Risk Based Authentication is a good idea as it goes back to 'why spend more on security controls then the value of the data'. I got to check
Catching up on older mail here. There is a fatal flaw in the "why spend more..." philosophy when it comes to dealing with shared data. Shared data has different values for different parties involved. For a bank, customer personal data is a one in a million statistic. For that customer, it is one in one. If my personal data is compromised, I get hit really hard. The bank does not. So how much should data be valued at? Perhaps valuing it at the entire net worth of the customer(s) involved would be realistic? Or should the bank have to bear the entire burden of loss attributable to that data compromise?
out Ira Winkler's speech the other week and he made an interesting comment in that money for security, most of the time, comes out of the IT budget. The problem with that is the cost of securing the data may cost more then what the IT budget can afford. If you are responsible for securing data that could cost tens or hundreds of billions, why would you only use 5% of the IT budget to protect that investment?
Because the problem with valuing data is that different entities have different values for the same data. The organisation may not value the entire dataset as being worth billions, and if the risk is losing a few thousand of a billion records, then obviously that is the total value that the organisation will try to secure. Devdas Bhagat ------------------------------------------------------------------------- Sponsored by: Watchfire Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr --------------------------------------------------------------------------
Current thread:
- RE: Two-Factor Authentication on the Web Gaydosh, Adam (Jul 02)
- <Possible follow-ups>
- RE: Two-Factor Authentication on the Web Glenn.Everhart (Jul 03)
- Re: Two-Factor Authentication on the Web Andrew van der Stock (Jul 03)
- RE: Two-Factor Authentication on the Web Lyal Collins (Jul 03)
- Re: Two-Factor Authentication on the Web Andrew van der Stock (Jul 03)
- RE: Two-Factor Authentication on the Web Popowycz, Alex (Jul 03)
- RE: Two-Factor Authentication on the Web Popowycz, Alex (Jul 05)
- RE: Two-Factor Authentication on the Web Lyal Collins (Jul 05)
- RE: Two-Factor Authentication on the Web James Pujals (Jul 05)
- RE: Two-Factor Authentication on the Web PPowenski (Jul 06)
- Re: Two-Factor Authentication on the Web mikeiscool (Jul 07)
- Re: Two-Factor Authentication on the Web Devdas Bhagat (Jul 17)