Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: Two-Factor Authentication on the Web

Re: Two-Factor Authentication on the Web

From: Devdas Bhagat <devdas_at_dvb.homelinux.org>
Date: Mon, 17 Jul 2006 13:38:00 +0530

On 28/06/06 23:41 -0600, Tim wrote:
> Risk Based Authentication is a good idea as it goes back to 'why spend
> more on security controls then the value of the data'. I got to check

Catching up on older mail here. There is a fatal flaw in the "why spend
more..." philosophy when it comes to dealing with shared data. Shared
data has different values for different parties involved.

For a bank, customer personal data is a one in a million statistic. For
that customer, it is one in one. If my personal data is compromised, I
get hit really hard. The bank does not.

So how much should data be valued at? Perhaps valuing it at the entire
net worth of the customer(s) involved would be realistic? Or should the
bank have to bear the entire burden of loss attributable to that data
compromise?

> out Ira Winkler's speech the other week and he made an interesting
> comment in that money for security, most of the time, comes out of the
> IT budget. The problem with that is the cost of securing the data may
> cost more then what the IT budget can afford. If you are responsible
> for securing data that could cost tens or hundreds of billions, why
> would you only use 5% of the IT budget to protect that investment?
>
Because the problem with valuing data is that different entities have
different values for the same data. The organisation may not value the
entire dataset as being worth billions, and if the risk is losing a
few thousand of a billion records, then obviously that is the total
value that the organisation will try to secure.

Devdas Bhagat

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level
attacks that hackers use to sneak into web applications today. This
whitepaper will discuss how traditional CSS attacks are performed, how to
secure your site against these attacks and check if your site is protected.
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------
Received on Jul 17 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos