Merry Festivus: Commence the "Airing of Infosec Grievances" - SANS Internet Storm Center InfoSec Forums

In honor of today's holiday, Festivus (for those familiar with Seinfeld)... what is on your list of infosec grievances for 2009?  What are the "wins" for the year?  Use the comment feature on this entry; I will update with a Top 10 list assuming we get enough responses.

--
John Bambenek
bambenek at gmail /dot/ com

John (ISC Handler, 245 Posts)
Adobe, for the vulnerability of every week.
Anonymous
It would be a festivus miracle if fake antivirus malware would disappear from the web.
Anonymous
"It would be a festivus miracle if fake antivirus malware would disappear from the web."

That would be quite a feat.

blog.fireeye.com/research/2009/04/botnetweb.html
blog.fireeye.com/research/2009/04/botnetweb-part-ii.html

I vote for javascript or flash.
Anonymous
Another vote for Fake Antivirus being probably the most annoying. I see 3-4 alerts a week of this being blocked by our HIPS... a few sneak through that need to be cleaned here and there.
Shawn (29 Posts)
Down here in the trenches, still fighting with minimal budget, resources or even casual management interest. What's worse is that my employer is a security services provider! The only thing Mgmt cares about is sales -- so please, help me out -- question your vendors as aggressively as you can. Ask them to prove their claims. Ask them everything you can think of. Read the answers thinking "What are these people lying to me about?"
Anonymous
...vendor snakeoil (as Grunt said). Sat through a VOIP pitch via a network that's "private and secure" - and every person in the room assumed the definitions to be of merit. When I asked, though, the salespig could not define either of those terms - and after much legwork, "private" turned out to be "the same that everyone else uses, but we own parts of it". As for "secure"? After a call to their top tech people I got them to assure us that the encryption is at least as strong as ROT13, but more likely equiv to the upgraded version of ROT26. Authentication was a simple MAC filter. Major carrier, btw. :)
Steven (42 Posts)
Javascript in PDF docs: PDFs should = static ...
Scareware/fraudware/rogue security apps ... Minimal budget ... Lack of interest by management toward infosec risk management, and thus always first dept to receive budget cuts
GregF (1 Post)
Merchants who want to force activation of Verified by Visa or MasterCard SecureCode to complete a purchase. Every December, we get a ton of Helpdesk calls from users who can't tell whether it's phishing. Because, well, there isn't any good way to tell, is there?
Anonymous
1. Technical Project Managers that aren't.
"Sharepoint is secure because MS said so, teehee!"
2. CISSP's that don't even know how to port scan but proudly declare themselves security professionals.
Anonymous
IPS/IDS vendors that do not provide the string or hex match description for their signatures.
Anonymous
The government's idea that "more regulation = more security". Someone please tell me how we're supposed to apply multiple standards to meet multiple laws/regulations - all we're really doing is chasing compliance, not implementing security.
Lee (21 Posts)
Double Post :)
Anonymous
I'd have to agree with the Adobe PDF vulnerabilities as well - our environment has version 4.0+ with no one to fix this by removing the old versions and updating to the new one via SCCM.

WebDav/IIS vulnerabilities, a few of those came out and in our environment all of our developers run IIS... Why? I can't tell you.

Conficker (duh)

UDP over port 80...that was interesting to see in our environment.

But my all time favorite is 'let's give everyone admin rights to desktops'... something our environment is so bad about.
Anonymous
Sr Management responsible for infosec that doesn't have a clue...ditto for internal auditors
Anonymous
Javascript
Adobe Security eg. lack thereof
Javascript
PHP
Javascript
SQL
Javascript
HTML in email
Javascript
People let online w/o an "Internet Drivers License"
Javascript
Parents that do not monitor their kids online
Did I mention Javascript?
Anonymous
IT Managers who insist upon standards and policy only to ignore the same when it inconveniences them.

IT Staff who believe policy doesn't apply to them because they have elevated rights for a reason, correct?

HR Management that refuses to address IT Policy violations because they don't understand the issue, it creates more work for them, and their own staff who are some of the biggest violators.

Ok, in short, policies and standards that are all bark, no bite.
Alan (57 Posts)
Clusers (LAN+user= luser; clueless+luser= cluser)
Symantec
IE
Adobe
Hacktive X
IE
Anonymous
Grievances:
%4A%61%76%61%53%63%72%69%70%74
PDF exploits
Conficker
Fake AV
Facebook/Google "privacy"
China/Russia. Yes, both of you.

Wins:
Lots of security work
Gov't focus on cyber security
There has to be more, right? It escapes me now...
Anonymous
How about, "I upgraded my Flash, but the old Flash files are still there"?
Anonymous
my top 3 infosec grievances for 2009....

1. the notion that (PCI) compliant == secure
2. 'uninformed' developers. how anyone believes it's still 'ok' not to validate ALL input is beyond me
3. another year passes and we still have to explain why patching is a good thing

Anonymous
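The "validate ALL input" grievance above, illustrated with an added example that is not part of the thread or of any poster's code. It shows the two habits the comment is complaining about being missing: an allowlist check on a field before it is used, and a parameterized query so the database never sees user input as SQL text. The table, usernames and e-mail addresses are constructed sample data, and the function names are the example's own.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory sample table (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("o'brien", "obrien@example.org")],
    )
    return conn


# Allowlist for a username field: starts with a letter, then up to 31
# letters, digits or a small set of punctuation. Anything else is rejected
# rather than "cleaned up", so the accepted shape is explicit and testable.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9'._-]{0,31}")


def is_valid_username(value):
    # fullmatch, not match/search: re.match would accept trailing garbage and
    # `$` alone would still accept a trailing newline.
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def lookup_email_unsafe(conn, username):
    """The anti-pattern: input is spliced into the SQL text itself."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    """Validate first, then bind the value as a parameter, never as SQL."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allowlist")
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def compare(conn, username):
    """Run both lookups on one input; returns (safe_result, unsafe_result, unsafe_error).

    The unsafe version works on benign input, which is exactly why it survives
    code review, and falls over as soon as the input contains a quote.
    """
    try:
        unsafe, unsafe_err = lookup_email_unsafe(conn, username), None
    except sqlite3.OperationalError as exc:
        unsafe, unsafe_err = None, str(exc)
    return lookup_email_safe(conn, username), unsafe, unsafe_err


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien"):
        print(name, compare(db, name))
    for bad in ("", "a" * 40, "bob\n", "1alice"):
        print(repr(bad), "accepted" if is_valid_username(bad) else "rejected")
```

A legitimate name with an apostrophe is enough to show the difference: the concatenated query fails with a syntax error because the apostrophe is parsed as SQL, while the parameterized query returns the row. The allowlist is deliberately strict; widen it only when a field genuinely needs more characters, and keep the length cap.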