Merry Festivus: Commence the "Airing of Infosec Grievances"

Published: 2009-12-23. Last Updated: 2009-12-23 16:03:53 UTC
by John Bambenek (Version: 1)
21 comment(s)

In honor of today's holiday, Festivus (for those familiar with Seinfeld)... what is on your list of infosec grievances for 2009?  What are the "wins" for the year?  Use the comment feature on this entry; I will update with a Top 10 list assuming we get enough responses.

--
John Bambenek
bambenek at gmail /dot/ com


Comments

Adobe, for the vulnerability of every week.
It would be a festivus miracle if fake antivirus malware would disappear from the web.
"It would be a festivus miracle if fake antivirus malware would disappear from the web."

That would be quite a feat.

blog.fireeye.com/research/2009/04/botnetweb.html
blog.fireeye.com/research/2009/04/botnetweb-part-ii.html

I vote for javascript or flash.
Another vote for Fake Antivirus being probably the most annoying. I see 3-4 alerts a week of this being blocked by our HIPS... a few sneak through that need to be cleaned here and there.
Down here in the trenches, still fighting with minimal budget, resources or even casual management interest. What's worse is that my employer is a security services provider! The only thing Mgmt cares about is sales -- so please, help me out -- question your vendors as aggressively as you can. Ask them to prove their claims. Ask them everything you can think of. Read the answers thinking "What are these people lying to me about?"
...vendor snakeoil (as Grunt said). Sat through a VOIP pitch via a network that's "private and secure" - and every person in the room assumed the definitions to be of merit. When I asked, though, the salepig could not define either of those terms - and after much legwork, "private" turned out to be "the same that everyone else uses, but we own parts of it". As for "secure"? After a call to their top tech people I got them to assure us that the encryption is at least as strong as ROT13, but more likely equiv to the upgraded version of ROT26. Authentication was a simple MAC filter. Major carrier, btw. :)
Javascript in PDF docs: PDFs should = static ...
Scareware/fraudware/rogue security apps ... Minimal budget ... Lack of interest by management toward infosec risk management, and thus always first dept to receive budget cuts
Merchants who want to force activation of Verified by Visa or MasterCard SecureCode to complete a purchase. Every December, we get a ton of Helpdesk calls from users who can't tell whether it's phishing. Because, well, there isn't any good way to tell, is there?
1. Technical Project Managers that aren't.
"Sharepoint is secure because MS said so, teehee!"
2. CISSPs that don't even know how to port scan but proudly declare themselves security professionals.
IPS/IDS vendors that do not provide the string or hex match description for their signatures.
