SECtember

  • 1.  Q&A: Talking to the Board About the New Realities of IT Security

    Posted Sep 11, 2020 10:18:00 AM
    Hi All!

    Thanks for joining us for yesterday's SECtember Experience webinar, "Talking to the Board About the New Realities of IT Security."

    You can find a recording of the presentation here: Talking to the Board About the New Realities of IT Security

    We received some really great questions from the audience during the presentation if anyone wants to chime in here with their thoughts.

    My guess is more network storage was needed to store video from the additional IP cameras that were added. What are your thoughts?

    Aren't app vulnerabilities just vulnerabilities and not threats? Or is there a difference between a threat and a threat actor?

    Thanks all,

    ------------------------------
    Jaclyn Parton
    Marketing Coordinator
    Cloud Security Alliance
    Bellingham WA
    ------------------------------


  • 2.  RE: Q&A: Talking to the Board About the New Realities of IT Security

    Posted Sep 11, 2020 12:12:00 PM
    @Tracy Vojik Do you have any insight into these questions from the presentation? Thanks for joining us!!

    ------------------------------
    Jaclyn Parton
    Marketing Coordinator
    Cloud Security Alliance
    Bellingham WA
    ------------------------------



  • 3.  RE: Q&A: Talking to the Board About the New Realities of IT Security

    Posted Sep 11, 2020 12:26:00 PM
    So from my perspective, with respect to:

    Aren't app vulnerabilities just vulnerabilities and not threats? Or is there a difference between a threat and a threat actor?

    From a pedantic standpoint: A vulnerability is just a vulnerability, a threat is the intention combined with the capability of exploiting it. So in this respect a vulnerability is a vulnerability, it doesn't matter what it is in.

    From a more practical standpoint: Things get slightly more interesting when you take a traditional vulnerability (e.g. a vulnerability in a library) and combine it into production applications where:

    1. The vulnerability is actually exploitable because it is exposed, for example in a web based app/site
    2. There is some reward for exploitation, they can steal data, hijack resources, etc.

    These combined create two powerful incentives, you have both a vulnerability that now has the capability of being exploited because it is exposed (so cost is lowered), AND the intention to exploit it is driven by the fact that there is now a reward for doing so (so reward is raised).

    So in practical terms I would make a distinction between a vulnerability in the library (which is a more academic concern) and a vulnerability in a library as used in an application, or a vulnerability native to the application because in simple terms: the attacker is much more incentivized to exploit it.

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    ------------------------------