Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Two-Factor Authentication on the Web

from [Devdas Bhagat] Network Security [Permanent Link]
Subject: Re: Two-Factor Authentication on the Web
Date: Mon, 17 Jul 2006 13:38:00 +0530 
On 28/06/06 23:41 -0600, Tim wrote:

Risk Based Authentication is a good idea as it goes back to 'why spend
more on security controls then the value of the data'. I got to check


Catching up on older mail here. There is a fatal flaw in the "why spend
more..." philosophy when it comes to dealing with shared data. Shared
data has different values for different parties involved.

For a bank, customer personal data is a one in a million statistic. For
that customer, it is one in one. If my personal data is compromised, I
get hit really hard. The bank does not.

So how much should data be valued at? Perhaps valuing it at the entire
net worth of the customer(s) involved would be realistic? Or should the
bank have to bear the entire burden of loss attributable to that data 
compromise?


out Ira Winkler's speech the other week and he made an interesting
comment in that money for security, most of the time, comes out of the
IT budget. The problem with that is the cost of securing the data may
cost more then what the IT budget can afford. If you are responsible
for securing data that could cost tens or hundreds of billions, why
would you only use 5% of the IT budget to protect that investment?


Because the problem with valuing data is that different entities have
different values for the same data. The organisation may not value the
entire dataset as being worth billions, and if the risk is losing a
few thousand of a billion records, then obviously that is the total
value that the organisation will try to secure.

Devdas Bhagat

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Is there an Open Source Vulnerability Analysis Framework?, Gareth Davies
Next by Date:  Re: Is there an Open Source Vulnerability Analysis Framework?, Christian Martorella
Previous by Thread:  Directed phishing attacks- protection methods, Joshua Perrymon
Next by Thread:  Re: Two-Factor Authentication on the Web, Nick Owen
Indexes:  [Date] [Thread] [Top] [All Lists]