Merry Festivus: Commence the "Airing of Infosec Grievaces"

Published: 2009-12-23. Last Updated: 2009-12-23 16:03:53 UTC
by John Bambenek (Version: 1)
21 comment(s)

In honor of today's holiday, Festivus (for those familiar with Seinfeld)... what is on your list of infosec grievances for 2009?  What's the "wins" for the year?  Use the comment feature on these entry, will update with a Top 10 list assuming we get enough responses.

--
John Bambenek
bambenek at gmail /dot/ com

Keywords:
21 comment(s)

Comments

Adobe, for the vulnerability of every week.

Steve

Dec 23rd 2009
1 decade ago

It would be a festivus miracle if fake antivirus malware would disappear from the web.

bpfinn

Dec 23rd 2009
1 decade ago

"It would be a festivus miracle if fake antivirus malware would disappear from the web."

That would be quite a feat.

blog.fireeye.com/research/2009/04/botnetweb.html
blog.fireeye.com/research/2009/04/botnetweb-part-ii.html

I vote for javascript or flash.

joeblow

Dec 23rd 2009
1 decade ago

Another vote for Fake Antivirus being probably the most annoying. I see 3-4 alerts a week of this being blocked by our HIPS... a few sneak through that need to be cleaned here and there.

Shawn

Dec 23rd 2009
1 decade ago

Down here in the trenches, still fighting with minimal budget, resources or even casual management interest. What worse is that my employer is a security services provider! The only thing Mgmt care about is sales -- so please, help me out -- question your vendors as aggressively as you can. Ask them to prove their claims. Ask them everything you can think of. Read the answers thinking "What are these people lying to me about?"

Grunt

Dec 23rd 2009
1 decade ago

...vendor snakeoil (as Grunt said). Sat through a VOIP pitch via a network that's "private and secure" - and every person in the room assumed the definitions to be of merit. When I asked, though, the salepig could not define either of those terms - and after much legwork, "private" turned out to be "the same that everyone else uses, but we own parts of it". As for "secure"? After a call to their top tech people I got them to assure us that the encryption is at least as strong as ROT13, but more likely equiv to the upgraded version of ROT26. Authentication was a simple MAC filter. Major carrier, btw. :)

Steven

Dec 23rd 2009
1 decade ago

Javascript in PDF docs: PDFs should = static ...
Scareware/fraudware/rogue security apps ... Minimal budget ... Lack of interest by management toward infosec risk management, and thus always first dept to receive budget cuts

Greg

Dec 23rd 2009
1 decade ago

Merchants who want to force activation of
Verified by Visa or MasterCard SecureCode to
complete a purchase. Every December, we get a ton
of Helpdesk calls from users who can't tell
whether it's phishing. Because, well, there isn't
any good way to tell, is there?

JudyB

Dec 23rd 2009
1 decade ago

1. Technical Project Managers that aren't.
"Sharepoint is secure because MS said so, teehee!"
2. CISSP's that don't even know how to port scan but proudly declare themselves security professionals.

YuleMonster

Dec 23rd 2009
1 decade ago

IPS/IDS Vendors that do not provide the string or hex match description for there signatures.

Kostas

Dec 23rd 2009
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives