Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
This wasn't a flame... It was a simple observation.

Having read your reply I also see that you are trying
to reinvent the wheel... when you talk about
crisis management and other planning. Risk analysis,
business continuity and disaster recovery planning,
well prepared incident response procedures and policies, etc
have been practiced by security professionals for quite a while,
so they are not new concepts. There's still a lot of work
to do when it comes to implementing proper security and
compliance solutions. Many companies either don't
do it or don't do it effectively, but there has been
some progress over the years. Many companies
don't even have a CSO/CISO because security
and compliance are only starting to gain the recognition
they require. Obviously, there's much
more work to do... and that's good for all of us
in the information security business :-)

As far as defense in depth goes, just like with everything
else it can be improperly implemented to a point
where it's ineffective or prohibitively disruptive to the business.
Your example is a great example of that :-) However,
it doesn't mean that the concept is useless. Simple
analogy... Let's say I pick up a cook book to make
a fancy dish, but I end up with something that
can even turn my dog green :-) Does it mean that
the recipe was bad or does it mean I shouldn't
quit my day job to become a chef?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/