Merry Festivus: Commence the "Airing of Infosec Grievances"

In honor of today's holiday, Festivus (for those familiar with Seinfeld)... what is on your list of infosec grievances for 2009?  What are the "wins" for the year?  Use the comment feature on this entry; I will update with a Top 10 list assuming we get enough responses.

John Bambenek
bambenek at gmail /dot/ com


ISC Handler
Dec 23rd 2009
Adobe, for the vulnerability of every week.
It would be a festivus miracle if fake antivirus malware would disappear from the web.
"It would be a festivus miracle if fake antivirus malware would disappear from the web."

That would be quite a feat.

I vote for javascript or flash.
Another vote for Fake Antivirus being probably the most annoying. I see 3-4 alerts a week of this being blocked by our HIPS... a few sneak through that need to be cleaned here and there.

Down here in the trenches, still fighting with minimal budget, resources or even casual management interest. What's worse is that my employer is a security services provider! The only thing Mgmt cares about is sales -- so please, help me out -- question your vendors as aggressively as you can. Ask them to prove their claims. Ask them everything you can think of. Read the answers thinking "What are these people lying to me about?"
...vendor snake oil (as Grunt said). Sat through a VOIP pitch via a network that's "private and secure" - and every person in the room assumed the definitions to be of merit. When I asked, though, the salespig could not define either of those terms - and after much legwork, "private" turned out to be "the same that everyone else uses, but we own parts of it". As for "secure"? After a call to their top tech people I got them to assure us that the encryption is at least as strong as ROT13, but more likely equiv to the upgraded version of ROT26. Authentication was a simple MAC filter. Major carrier, btw. :)

Javascript in PDF docs: PDFs should = static ...
Scareware/fraudware/rogue security apps ... Minimal budget ... Lack of interest by management toward infosec risk management, and thus always first dept to receive budget cuts

Merchants who want to force activation of Verified by Visa or MasterCard SecureCode to complete a purchase. Every December, we get a ton of Helpdesk calls from users who can't tell whether it's phishing. Because, well, there isn't any good way to tell, is there?
1. Technical Project Managers that aren't.
"Sharepoint is secure because MS said so, teehee!"
2. CISSP's that don't even know how to port scan but proudly declare themselves security professionals.
IPS/IDS Vendors that do not provide the string or hex match description for their signatures.
The government's idea that "more regulation = more security". Someone please tell me how we're supposed to apply multiple standards to meet multiple laws/regulations - all we're really doing is chasing compliance, not implementing security.

Double Post :)
I'd have to agree with the Adobe PDF vulnerabilities as well - our environment has version 4.0+ with no one to fix this by removing the old versions and update to the new one via SCCM.

WebDav/IIS vulnerabilities, a few of those came out and in our environment all of our developers run IIS... Why? I can’t tell you.

Conficker (duh)

UDP over port 80...that was interesting to see in our environment.

But my all-time favorite is 'let’s give everyone admin rights to desktops'... something in our environment that is so bad.

Sr Management responsible for infosec that doesn't have a clue...ditto for internal auditors
Adobe Security eg. lack thereof
HTML in email
People let online w/o an "Internet Driver's License"
Parents that do not monitor their kids online
Did I mention Javascript?
IT Managers who insist upon standards and policy only to ignore the same when it inconveniences them.

IT Staff who believe policy doesn't apply to them because they have elevated rights for a reason, correct?

HR Management that refuses to address IT Policy violations because they don't understand the issue, it creates more work for them, and their own staff who are some of the biggest violators.

Ok, in short, policies and standards that are all bark, no bite.

Clusers (LAN+user= luser; clueless+luser= cluser)
Hacktive X
PDF exploits
Fake AV
Facebook/Google "privacy"
China/Russia. Yes, both of you.

Lots of security work
Gov't focus on cyber security
There has to be more, right? It escapes me now...
How about, "I upgraded my Flash, but the old Flash files are still there"?
my top 3 infosec grievances for 2009....

1. the notion that (PCI) compliant == secure
2. 'uninformed' developers. how anyone believes it's still 'ok' not to validate ALL input is beyond me
3. another year passes and we still have to explain why patching is a good thing
