Friday, September 14, 2012

Letters.(Letter to the editor) - SC Magazine

In response to an August Opinion column, Affiliate programs: legitimate business or fueling cybercrime?, by Bradley Anstis, VP technical strategy, M86 Security:

I am the affiliate manager for a large brand. We find that just the mention of affiliate marketing can leave a bad taste in people's mouths. There are many affiliate programs that just promote junk, don't stand behind their product, and rarely pay out when they are supposed to. It makes my job much more difficult, but when I do get someone to sign up, and they start seeing real dollars, they are true believers in affiliate marketing.

Nathan O'Leary

In response to the Debate in the September issue, Security awareness training is a worthwhile investment (Amrit Williams, CSO at Quantivo, argues that educating the workforce is not enough to protect corporate resources):

Pardon me, Amrit, but that seems to be a very narrow and uninformed take on awareness training. We all know a layered defense is required and that if your company is in the sights of an APT team, you will eventually go down. But having an informed workforce is probably one of the easiest and most cost-effective steps you can take to reduce help desk nuisance calls, i.e., "A Windows alert told me I had new viruses on my system and I had to click to remove them. What do I do now?"

If your philosophy was accurate, we wouldn't need to have driver training for new drivers, because as we all know, everyone follows the rules, all the time. But if you don't know the danger exists, many will proceed and break those rules.

RickSwimmer

Amrit Williams responds: I disagree. I believe that no matter what you tell people, someone somewhere is opening a malware-laden email because he really does believe that someone somewhere does love him.

You highlight the general theme of most arguments for security awareness training ... awareness training empowers all employees to make better decisions. Sure, but only when you have implemented all the proper controls and you are wanting to add yet another layer, but never, ever is awareness training a substitute for real controls.

Human behavior is inherently chaotic. You can gather a hundred people and tell them don't do this, and they will nod and smile and then go back to their desks and click on links from Nigerian scammers - not because they are stupid, or awareness training is good or bad, but simply because they are human.

In response to an August Opinion, Voicemail hacking, by Kroll Ontrack's Alan Brill:

It's even worse than what is described here. By default on most systems, you can just spoof the caller ID of the person's mobile phone (which is very easy to do) and bypass the need to enter a password altogether.

Andinator

In response to Editor-in-Chief Illena Armstrong's July editorial, You might be next:

To state that all those with valuable systems, information or resources will be a victim of a cybercrime is akin to saying we are at risk of a heart attack. Prevention isn't the game. It's about survivability. Cyber executives who take a 'build it then secure it' approach will have a far more difficult time surviving a cybersecurity incident than those with the discipline of building and maintaining secure technologies from the onset.

Jeff Sherwood

In response to an August news story, PCI Council revokes company's QSA status:

So long as PCI allows QSAs to perform the validation and implement the solutions, one should expect the issue to continue. What are the chances a QSA is going to find an issue with solutions they recommended and implemented in subsequent validations? Zero percent. At my initial QSA training, the instructor told the class that nine out of every 10 dollars QSA firms earn will be from the implementation of solutions. Hence, everyone gives away the validation in hopes of making the consulting bucks. PCI can never be taken seriously so long as there are no independence requirements, and QSAs are engaged to review the results of their own work.

QSAToo

In response to a July story, UCLA Health System fined over celebrity patient snooping:

Nice article. Hospitals in general need to do a better job of making employees aware of the HIPAA and HITECH requirements like these. I have found that employees do not completely understand the HIPAA regulations nor the implications of not following them. Just displaying the medical record of a patient without a valid business purpose is a privacy breach. My advice to UCLA Health System, first and foremost, is to provide education to all employees. They can expect that auditors will ensure access to patient information is being logged and that someone is reviewing the log, especially for celebrity patients. It will be interesting to see the practice changes UCLA Health Systems and other hospitals put into place.

Kerry Shackelford, www.coalfiresystems.com

Got something to say?

Send your comments, praise or criticisms to scfeedbackUS@haymarketmedia.com. We reserve the right to edit letters.
