Now that security pros are comfortable with Microsoft’s monthly patching cycle, so too are the malware writers. The bad guys have learned that by putting out zero-day exploits close to Patch Tuesday, Microsoft cannot respond until the following month.
Once again, functionality has trumped security. Rapid development and deployment of Web 2.0 has left security as an afterthought. While that might sound somewhat gloomy, the core technologies and architecture that make up what is considered Web 2.0, including Really Simple Syndication (RSS), mashups, AJAX and more, are gaining popularity at such a rapid rate that the security risks are growing as well.
A question recently came up that left me wondering about organizational authority to accept risk or, more specifically, enterprise security risks. One of the less defined aspects of this important area I find in organizations is who in the organization has the ability to accept risk, and to what level. Very few organizations have defined threshold levels that classify the risks that individuals can and cannot accept on behalf of the organization. This can become important when you consider the decisions that staff, managers, directors and senior management make on a daily basis when there are no defined boundaries for risk acceptance.
Once upon a time, an employer asked me to sort through the office of a departing technical director for anything the security team wanted to save. Imagine my surprise when, within the printouts of technical specifications, I uncovered a dusty, haphazard stack of subpoenas. My startled query, “Were these ever answered?” was met with uneasy shrugs by the other security staff, managers, and operations directors.