Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
Well, yes .... but.
What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I'm asking about a true risk assessment framework not merely a checklist.
Yes, this is a bit of a META-Question. But then its Sunday, a day for contemplation.
When does something like these stop being a check-list and become a framework?
COBIT is very clearly a framework, but not for risk analysis and even the section on risk analysis fits in to a business model rather than a technology model.
ISO-27K is arguably more technology (or at least InfoSec) focused that COBIT, but again risk analysis is only part of what its about. ISO-27K calls itself a standard but in reality its a framework.
The message that these two frameworks send about risk analysis is
Context is Everything
(You expected me to say that, didn't you?)
I'm not sure any RA method works at layer 8 or above. We all know that managers can read our reports and recommendations and ignore them. Or perhaps not read them, since being aware of the risk makes them liable.
Ah. Good point.
On LinkedIn there was a thread asking why banks seem to ignore risk analysis .. presumably because their doing so has brought us to the international financial crisis we're in (though I don't think its that simple).
The trouble is that RA is a bit of a 'hypothetical' exercise.
From the Journalistic Approach to Statistics Department ...
The source of this warmongering is
and Kelly Jackson Higgins uses the dramatic title
"Message From Hackers: Enjoy The Summer Break Because Winter Attacks Will Be Harsh"
Well he claims a survey of "hackers" (whatever that means) at DefCon17 carried out by Tufin Technologies leads him to believe that only one fourth of all hackers are malicious. This is according to 70% of of the unknown number of respondents, who in turn make up an unknown proportion
of the groups of people who may be called, by themselves or others, "hackers".
In case you're worried about taking that last-minute summer vacation and
leaving your IT staff a little short, relax (for now, anyway): Most
hackers are taking a break now, as well, as they gear up for a busy
winter season, according to a survey of hackers attending Defcon17 in
Las Vegas this month.
Malicious hackers make up less than one-fourth of the overall hacker
community, according to 70 percent of the respondents, who were surveyed
by Tufin Technologies at the world's largest hacker conference.
Nor are we given a definition of what "malicious" means. Does this have to be unremitting evil of a fictional character like the leaders of SMERSH in the James Bond stories or the Evil Witch in "The Wizard of Oz"? How about a historically evil character like Genghis Kahn, Nero, or dare I say it, Stalin, Hitler or Saddam Hussein?
But "malicious"? Could that mean purposeful vengeance for some real or imagined (think: Fat Fredy and his cat); getting back at "The Man", Big Government, or Big Business for some ill defined political or conspiracy theory riven reason. Or perhaps "collateral damage" arising from lack of care, lack of professionalism or simple incompetence
I'm getting sick of marketeers making use of journalists like this, for that's the real reason for this. Read the rest of the article and you'll see its about Michael Hamelin, chief security architect at Tufin,
advocating what we all know: that compliance doesn't mean security. If that's your message, then say that, don't dress it up in nonsense that makes use of meaningless statistics.
Related articles by Zemanta
- GOP vs James Bond (blogs.cqpolitics.com)
- You Say That Like There's A Conflict (eschatonblog.com)
- Man, the U.S. had a crazy cyberwar plan against Iraq (that it didn't execute) (crunchgear.com)
- Literate Housewife Seal of Approval (literatehousewife.com)