CPE: McAfee AudioParasitic: Episode 66: Risk management
00:20:53
With Stuart McClure Part 1/2
Policy compliance -> risk metrics -> reporting. Risk management starts with vulnerability management -> security risk management -> eventually policy & compliance management.
Vulnerability management: looking at design flaws in SW & HW, and looking for policies that prevent those vulnerabilities from being exploited even while they exist.
Risk management: combines vulnerability management with risk management (identification, assessment, and prioritization of risks)
Finding policies ahead of time -> good computer hygiene practices & guidelines
If there is a critical vulnerability in a critical system, patch immediately or mitigate immediately
Need to know which assets/systems matter most.
Match the countermeasure for a vulnerability to the criticality of the asset
Timing has to be right
Not enough enterprises really understand the importance… It’s depressing, especially in bigger enterprises.
Most enterprises have no clue which assets are most critical to them
Got to make it tangible to them: “what happens if you lose A, B, C…”
Disaster recovery: if our network goes down, what does it mean to us?
Availability - Confidentiality -
Nowadays many policies require accountability and reporting.
Top 2 ways that drive policy:
1. To be attacked
2. Having a compliance mandate
Such as HIPAA: “I’m going to have jail time or lose my job if I don’t do this…”
CardSystems: went bankrupt the same year it got hacked.
Sometimes people say malaise is the most difficult thing to deal with.
If you just do 2 things:
1. Do not click links that you don’t trust
2. Do not open attachments
You’ll eliminate 80% of the problem.
IF YOU CAN’T TRAIN USERS – SECURITY PRODUCTS CANNOT HELP