PaulDotCom mailing list archives

Have a laugh on me...


From: paul at pauldotcom.com (Paul Asadoorian)
Date: Mon, 12 Oct 2009 22:59:10 -0400

SR6 and everyone who has responded to this thread: thank you for
bringing up such a lively debate!

This is by no means an easy problem to tackle, nor a simple issue to
address.  On one hand you should CYA, and (this is important) make sure
that management understands the risk incurred by the decisions they have
made.  This is a balancing act that plays out in every organization. You
have business people who want to see the company succeed at all costs,
which means making customers happy and profit.  You also have IT
security who should be conveying the risks appropriately.

I know we don't always "Win" and cause people to have that "aha!" moment
about security, but we can't stop trying.  Again, don't be shy about
CYA, but don't give up on educating people and trying to strike a
balance between security and usability.  Sure, we could make it super
easy to access the company portal, but attackers may have a field day.
We could also make the web site insanely secure, but then people would
have a tough time using it.

The answer lies somewhere in between, and it's up to you as a security
professional to work with your organization to figure out exactly where
"Security" falls in this scheme.  Don't get me wrong, this is one of the
hardest things we all have to do as security professionals, I only hope
that we (i.e. pauldotcom) can help you (and I hope that we have, and if
not keep asking questions :)

Cheers,
Paul

Soft Reset wrote:
Without spilling details, I told the IT team to remove an exposed web
portal from the internet as it was not SSL protected and the password
was easy enough to be found in my kid's "My First Dictionary".  This is
the response I got back from our "top guy":

 "Many people need access to the web portal.  Remember that one of the
 objectives is to develop a strategy for the customer.  Easier access,
 not harder, should be the goal."

I laughed.  How about you?


--SR6



-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552

