Honestly, I have never-ever-ever seen people more confused than this about what threats are and what vulnerabilities are.
Just an idea: Richard Bejtlich should start a doghouse on his blog, kinda like what Bruce Schneier has for crappy crypto, for people who mix up the definitions of threats, assets and vulnerabilities. Examples:
"Here are some relatively common security threats to help you get started in creating your company's threat list:
Computer and network passwords.
[...]
Data backups
[...]
Long-distance calling"
etc.
The article is also full of hilarious blurbs such as this one: "Most threats repeat themselves, so by cataloging your company's past experiences and including the relevant threats on your threat list you'll get a more complete picture of your company's vulnerabilities."
Stuff like this makes people not take the security profession seriously...
3 comments:
Hi Anton,
I don't have the energy to attack that article. It's like Kryptonite. Noooo!
Actually, I think I will be implementing steganography for all my corporate users. From now on, all emails will be encoded into images.
I couldn't agree more. That article almost had me in tears it was so bad. The author needs a basic course in risk concepts, or to read some of the NIST papers on the topic, at least.