Roger Grimes is always a good source for a laugh or a point of serious contention.
"Few people understand the yearning for a security panacea like I do. After all, I've been a security consultant for 25-plus years -- I wish there was a magic solution! That way, I wouldn't have to keep repeating myself and telling clients to take care of the basics over and over. They never do, so I keep talking until I'm hoarse."
Roger, if after 25 years of repeating yourself over and over you only fall on deaf ears, maybe the problem is with what you're saying?
"Nevertheless, the security industry keeps coming up with solutions that masquerade as magic bullets. In fact, the five defenses I describe here all have value -- but none of them are game-changers, despite the heavy hype."
That is not consistent with your headline: "5 hot security defenses that don't deliver"
Which statement was assisted with auto-fill?
I vote for both of them because you're the only person I've seen calling these security layers "magic bullets".
Security dud No. 1: Two-factor authentication
"Rarely a week goes by without a service provider mentioning it now offers two-factor authentication (2FA). This includes a who's-who in major service offerings such as Amazon Web Services, Dropbox, Facebook, Google, and Microsoft, to name a few. Better authentication can't hurt security, but it isn't a panacea for our larger computer crime issues, despite the legions who appear to believe that 2FA alone can save them."
Who the fuck besides YOU has called two-factor authentication a panacea for anything?
You specifically mention "Amazon Web Services, Dropbox, Facebook, Google, and Microsoft"
Can you show even one example of 'anyone' from any of these outfits who has called two-factor authentication a security panacea?
You won't because you can't - you made that up so that you could 'expose' the truth.
Like an arsonist being the hero by sounding the alarm.
"Unfortunately, most computer crime is committed by bad guys who've compromised the victim's legitimate device by taking advantage of unpatched software or inducing the user to unknowingly execute a Trojan. Call it a man-in-the-endpoint attack."
Well yeah, it is called a "man-in-the-endpoint attack"; what else would it be called?
Besides, with a man-in-the-endpoint attack two-factor authentication can slow a bad guy down or even prevent an authentication abuse.
"Attackers then use the user's legitimate access for bad acts. Unfortunately, 2FA can't change that; in fact, 2FA has been shown to be useless in endpoint attacks over and over."
Over and over, over and over, over and over is still not the same thing as "always".
It's a frigging layer, not the panacea you are trying to make it out to be.
"The scenario goes like this:
The bad guy exploits the legitimate user's computer, often through unpatched software or via Trojan. The user logs in using 2FA to their computer or remote service. The bad guy then piggybacks on that legitimate, authorized access to do malicious things."
You have a deadline, but rather than work at finding a credible security issue, you make up BS quotes, staying out of legal issues by never actually providing the source of your own quotes, toss in widely recognized brands for credibility, then add facts that were published in 2007 as if they're new.
Raise the bar dude.
"If it was made by human hands, it can be broken by human hands" -- Me, on security...
Good "on the other hand...." article, 'specially when the Boss comes in eyes aglitter saying "we need one of these..."