Showing posts from October, 2014

Response to Anup’s post “The Three Most Common Myths in Enterprise Security”

I don’t disagree per se with anything Anup is saying; however, upon reading this I was concerned. I think that people who have been doing this a long time have a clear understanding, but I believe the target audience of Piss-Ohs (Paper CISOs) needs more detailed guidance.

Myth 1: We can patch our way to security

Even with the full understanding that you can’t patch your way to security, you are in fact negligent if you are not pursuing a target state of everything in your org patched on a regular approved cycle, including emergency patching for critical s, with all of your legacy issues managed from a risk perspective. By that I mean leadership is fully aware of the risk and has either chosen to accept it or to look at alternate solutions going forward. From my perspective, legacy solutions should be run in a virtual sandbox environment such as ThinApp, to allow the end user desktop to be fully patched. Some people have also gone the VDI route with varied success rat