Dec 17, 2020
All links and images for this episode can be found on CISO
Much of what we do as practitioners is to prevent inadvertent
security problems: oversights, zero-days, and the like. What about inherent
and unavoidable problems, where the very design of the thing
requires a lack of security? What do you do then?
Check out this
post for the basis for our conversation on this week's
episode, which features me, David,
producer of CISO Series, co-host Allan
Alford (@allanalfordintx), and our
sponsored guest, Dan Woods, VP of the Shape Intelligence Center,
Thanks to this week's podcast sponsor, F5.
External threats to your organization’s security are
constantly evolving. Your apps need broad and preventive protection
from bot attacks that cause large-scale fraud, higher operational
costs, and problems for your users. And they need to be optimized
for secure operation internally. Silverline Shape Defense helps you
stay ahead of cyber threats and fraud.
Get a free trial.
On this episode of Defense in Depth, you’ll learn:
- The mere act of conducting business requires you to have
certain procedures that make you vulnerable. Simple things
like taking customer information to create user accounts and
processing credit cards are inherent to doing business, and
opening those up is what makes you vulnerable.
- A lot of this inherent vulnerability comes down to having users
or customers and needing to authenticate them.
- When you start a business, you're also accepting the inherent
vulnerability, and you have to ask yourself: at what level can the
business still function with that vulnerability being abused? It's all about
- Two-factor authentication sure is nice, but there have to be
multiple "behind the scenes" authentications going on to verify
- As you're collecting all these additional data points you can
use that information to ask the user to verify.
- Provide discounts to customers and users for good security
practices. Insurance companies do this with people who prove safe
driving practices. It could be a win-win for everybody. For
example, with Mailchimp, they give you a discount if you enable
2FA. Why not offer a discount for a really long and complicated
- One of the major issues is that the password reset process happens
through email. Email wasn't designed for critical authentication, and
many hacks happen through the email-based reset process.
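The two bullets about "behind the scenes" authentication and about using the data points you have already collected to decide when to ask the user to verify describe risk-based step-up authentication. The block below is an added example, not code from the episode, from CISO Series, or from F5/Shape: it assumes a hypothetical login context with a handful of signals a site might already hold about a user (known devices, usual countries, usual login hours, recent failures, automation markers, IP reputation), scores them, and returns allow, step-up or block. The weights and thresholds are made-up illustrations of the idea, not vendor values.

```python
"""Risk-scored step-up authentication over already-collected login signals.

Added example (not the episode's or any vendor's code). All signal names,
weights and thresholds are assumptions chosen to illustrate the technique.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # ask the user to verify (2FA, out-of-band code, ...)
    BLOCK = "block"


@dataclass
class UserHistory:
    """What the site has learned about this user from earlier sessions."""
    known_devices: set
    known_countries: set
    recent_failed_logins: int   # failed attempts in the current window
    typical_hours_utc: set      # hours of day the user normally logs in


@dataclass
class LoginContext:
    """Signals observed on the current login attempt."""
    device_id: str
    country: str
    login_time: datetime
    password_ok: bool
    automation_signals: int     # e.g. headless-browser or impossible-timing markers
    ip_reputation_bad: bool


def risk_score(ctx: LoginContext, hist: UserHistory) -> int:
    """Combine weighted signals into a 0..100 risk score (weights are assumptions)."""
    score = 0
    if ctx.device_id not in hist.known_devices:
        score += 30
    if ctx.country not in hist.known_countries:
        score += 25
    if ctx.login_time.hour not in hist.typical_hours_utc:
        score += 10
    if hist.recent_failed_logins >= 5:
        score += 20
    score += 15 * min(ctx.automation_signals, 2)   # cap the bot-marker contribution
    if ctx.ip_reputation_bad:
        score += 30
    return min(score, 100)


def decide(ctx: LoginContext, hist: UserHistory,
           step_up_at: int = 25, block_at: int = 70) -> Decision:
    """A correct password is necessary but not sufficient: the score decides the rest."""
    if not ctx.password_ok:
        return Decision.BLOCK
    score = risk_score(ctx, hist)
    if score >= block_at:
        return Decision.BLOCK
    if score >= step_up_at:
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed sample history for one hypothetical user.
HISTORY = UserHistory(
    known_devices={"dev-a1"},
    known_countries={"US"},
    recent_failed_logins=0,
    typical_hours_utc={13, 14, 15, 16, 17},
)


def demo() -> dict:
    """Run three constructed login attempts against HISTORY."""
    base = dict(password_ok=True, automation_signals=0, ip_reputation_bad=False,
                login_time=datetime(2020, 12, 17, 15, 0, tzinfo=timezone.utc))
    familiar = LoginContext(device_id="dev-a1", country="US", **base)
    new_device = LoginContext(device_id="dev-zz", country="US", **base)
    bot_like = LoginContext(device_id="dev-zz", country="ZZ",
                            **{**base, "automation_signals": 2})
    return {
        "familiar": decide(familiar, HISTORY),
        "new_device": decide(new_device, HISTORY),
        "new_device_new_country_bot": decide(bot_like, HISTORY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result.value}")
```

The point of the structure is that the password check and the risk score are separate inputs: a familiar device from a usual place sails through, a new device alone triggers the "please verify" step the bullet describes, and a new device from a new country with automation markers is refused before any verification prompt is shown.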
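The last bullet's concern is that an email-delivered reset link is often the whole authentication. The block below is an added example, not code from the episode, from CISO Series, or from F5/Shape, of how a reset flow can stop treating the email as sufficient: tokens are random, short-lived and single-use, only their hash is stored, and the reset is not honoured until a second verification (a code delivered on a separate channel, or an existing 2FA check) succeeds. The in-memory store, the 15-minute lifetime and the six-digit out-of-band code are assumptions for illustration.

```python
"""Password-reset tokens that are not enough on their own.

Added example (not the episode's or any vendor's code). The store, TTL and
second-factor mechanism are assumptions; a real service would persist
records and deliver the code on a channel other than the reset email.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

TOKEN_TTL = timedelta(minutes=15)   # assumed lifetime of a reset link


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class PendingReset:
    user_id: str
    expires_at: datetime
    code_hash: Optional[str] = None     # hash of the out-of-band code, once issued
    second_factor_ok: bool = False
    used: bool = False


class ResetService:
    """Issue, verify and consume reset tokens; never store a raw token or code."""

    def __init__(self, clock: Callable[[], datetime] = None):
        self._pending = {}               # token hash -> PendingReset
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def issue(self, user_id: str) -> str:
        """Return the raw token to put in the email; only its hash is kept."""
        # Any earlier outstanding token for this user is invalidated first.
        for h, rec in list(self._pending.items()):
            if rec.user_id == user_id:
                del self._pending[h]
        token = secrets.token_urlsafe(32)
        self._pending[_sha256(token)] = PendingReset(user_id, self._clock() + TOKEN_TTL)
        return token

    def _live(self, token: str) -> Optional[PendingReset]:
        rec = self._pending.get(_sha256(token))
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        return rec

    def start_second_factor(self, token: str) -> Optional[str]:
        """Generate the out-of-band code (to be sent by SMS/authenticator, not email)."""
        rec = self._live(token)
        if rec is None:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        rec.code_hash = _sha256(code)
        return code

    def confirm_second_factor(self, token: str, submitted_code: str) -> bool:
        rec = self._live(token)
        if rec is None or rec.code_hash is None:
            return False
        if not hmac.compare_digest(_sha256(submitted_code), rec.code_hash):
            return False
        rec.second_factor_ok = True
        return True

    def complete(self, token: str, new_password: str) -> bool:
        """Honour the reset only for a live, unused token whose second factor passed."""
        rec = self._live(token)
        if rec is None or not rec.second_factor_ok:
            return False
        rec.used = True
        # Here a real service sets the password for rec.user_id, revokes existing
        # sessions and notifies the user that a reset happened.
        return True


def demo() -> dict:
    """Walk one constructed reset through the flow with a fixed clock."""
    now = [datetime(2020, 12, 17, 15, 0, tzinfo=timezone.utc)]
    svc = ResetService(clock=lambda: now[0])
    token = svc.issue("user-42")
    results = {"link_alone": svc.complete(token, "new-pass")}   # email alone: refused
    code = svc.start_second_factor(token)
    results["wrong_code"] = svc.confirm_second_factor(token, "000000" if code != "000000" else "111111")
    results["right_code"] = svc.confirm_second_factor(token, code)
    results["completed"] = svc.complete(token, "new-pass")
    results["replayed"] = svc.complete(token, "new-pass")       # single use
    stale = svc.issue("user-42")
    now[0] += TOKEN_TTL + timedelta(seconds=1)
    results["expired"] = svc.start_second_factor(stale) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The key design choices are that possession of the email link buys the attacker nothing by itself, that a leaked database does not leak usable tokens (only hashes are stored), and that every step re-checks expiry and single use rather than trusting an earlier check.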