Comments on: Botnets, Malware and the Fortune 100 http://cassandrasecurity.com/?p=859 Analysis of the security industry, and all that it influences. Tue, 11 May 2010 22:04:58 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Ken Beames http://cassandrasecurity.com/?p=859&cpage=1#comment-351 Ken Beames Wed, 16 Dec 2009 20:27:10 +0000 http://cassandrasecurity.com/?p=859#comment-351 Right-o Scott! I'm looking forward to reading the next installment! All the best! -Ken. Right-o Scott! I’m looking forward to reading the next installment!

All the best! -Ken.

]]> By: Scott Lupfer http://cassandrasecurity.com/?p=859&cpage=1#comment-340 Scott Lupfer Tue, 15 Dec 2009 03:51:38 +0000 http://cassandrasecurity.com/?p=859#comment-340 Ken, thanks for the comment and I'm glad you take issue with my first assumption because that is the basis of my "more later" statement. There is a huge gap between what a company may have the resources or ability to do and what they choose to actually do with regards to security. If that were not true we wouldn't need PCI DSS to tell us how to protect credit card information or HIPAA to tell us how to protect personal healthcare information or...you get the idea. We wouldn't need these legislative and/or regulatory requirements because organizations would choose to implement quality security programs from the start rather than wait for something to happen to analyze whether or not they should do something from preventing that from happening again. Thanks again for your comment and your sharing your experience. Scott Ken, thanks for the comment and I’m glad you take issue with my first assumption because that is the basis of my “more later” statement. There is a huge gap between what a company may have the resources or ability to do and what they choose to actually do with regards to security. If that were not true we wouldn’t need PCI DSS to tell us how to protect credit card information or HIPAA to tell us how to protect personal healthcare information or…you get the idea.

We wouldn’t need these legislative and/or regulatory requirements because organizations would choose to implement quality security programs from the start rather than wait for something to happen to analyze whether or not they should do something from preventing that from happening again.

Thanks again for your comment and your sharing your experience.

Scott

]]> By: Ken Beames http://cassandrasecurity.com/?p=859&cpage=1#comment-339 Ken Beames Mon, 14 Dec 2009 16:40:36 +0000 http://cassandrasecurity.com/?p=859#comment-339 Scott, great thoughts. I do have issue with your first assumption. I used to work for a very large bank in the information risk management group, and though they had the resources, were coveted by every security vendor on the planet, and had established positions, policies and procedures, the business drivers were such that risk was something to take the run at. They made more money than fines, or bad press would impact and when faced with a choice to secure, or not to secure, they usually choose to not secure as it would impact the business in interruption of service, impact on flexibility of working, etc. What I learned is that running the risk (acceptable residual risk), whether formally, or informally accepted (like through denial) is a relatively effective risk management strategy for them. All the best! -Ken. Scott, great thoughts. I do have issue with your first assumption. I used to work for a very large bank in the information risk management group, and though they had the resources, were coveted by every security vendor on the planet, and had established positions, policies and procedures, the business drivers were such that risk was something to take the run at. They made more money than fines, or bad press would impact and when faced with a choice to secure, or not to secure, they usually choose to not secure as it would impact the business in interruption of service, impact on flexibility of working, etc.

What I learned is that running the risk (acceptable residual risk), whether formally, or informally accepted (like through denial) is a relatively effective risk management strategy for them.

All the best! -Ken.

]]> By: Will Gragido http://cassandrasecurity.com/?p=859&cpage=1#comment-259 Will Gragido Wed, 09 Dec 2009 00:10:31 +0000 http://cassandrasecurity.com/?p=859#comment-259 Scott, Great article. Great post. That was a troubling story and the facts as you pointed out are pretty staggering as are the unanswered questions (or details which have not been provided), pertaining the remainder of the Fortune 500. This I think demonstrates the need for advanced solution sets and different approaches to threat mitigation. Botnets in particular are devilishly difficult to detect and address as in many respects they utilize sophisticated routing solutions, topoogies, C&C elements, cryptography etc. Botnets are definitely not your father's malware! Scott,

Great article. Great post. That was a troubling story and the facts as you pointed out are pretty staggering as are the unanswered questions (or details which have not been provided), pertaining the remainder of the Fortune 500. This I think demonstrates the need for advanced solution sets and different approaches to threat mitigation. Botnets in particular are devilishly difficult to detect and address as in many respects they utilize sophisticated routing solutions, topoogies, C&C elements, cryptography etc. Botnets are definitely not your father’s malware!

]]>