0-days are a lot of fun. Whether it’s an overlooked buffer overflow, a poorly implemented encryption algorithm, or something downright bizarre, the thrill of breaking things is the reason most of us get hooked. That’s why Trustwave’s Global Security Report is a bit sobering. Why are so many of these systems still vulnerable to SQL injection, LANMAN hash recovery, and default password guessing? And is an NFS exploit considered a 7665-day?
But this isn’t about getting bent out of shape about the state of information security. Without being too preachy, this talk is about what we can do to help turn things around. Because if there’s one thing that is clear, the need for information security will only increase. And we’re all feeling the growing pains.
The end of 2009 brought with it a great deal of controversy over the effectiveness of information security. We’re all pretty frustrated about it. But that’s the thing about growing up – you start to realize your own limitations. Like dieticians and dentists, we watch people make bad choices and wonder where we went wrong. And like them, we need to focus on the fundamentals: eating healthy, brushing your teeth, and blocking port 139. But man, that sounds pretty boring.
So maybe it’s time for a new approach. Maybe it’s not so much about the message, but how it’s getting delivered. And maybe there’s something we can do about that. After all, we’re pretty secure folks – we can handle the touchy-feely stuff, right?