Everyone wants there to be simple answers in security, but sometimes there are no simple answers.
Replying to @taviso @haroonmeer
On the flip side, sometimes there are really simple answers that can address low-hanging fruit. They just don't feel as sexy. Example that comes to mind: 2FA.
Replying to @justinmberman @haroonmeer
Even then, it's not that simple. For example, SMS-2FA is basically worthless. U2F on the other hand, while not a panacea, is fantastic if implemented correctly.
Replying to @taviso @haroonmeer
I agree that you still have to do technical diligence in order to select a control, but U2F is pretty straightforward now? Either way, just implementing SOME 2FA meaningfully reduces a lot of risks.
Replying to @justinmberman @haroonmeer
I think we're on the same page about U2F, but if by "SOME 2FA" you mean "ANY 2FA", then I don't think we agree. Would you argue that SMS-2FA is better than nothing? If so, that's where we differ. I think it's at best, equal to nothing.
Replying to @taviso @haroonmeer
Does the adversary set matter here? If you're a small company that models its adversaries as mostly using phishing to grab creds to corp SaaS systems, they probably aren't going to invest to be able to bypass SMS-2FA?
Replying to @justinmberman @haroonmeer
Yes, I agree that a rational attacker will calculate the cost of updating his PHP vs the expected increase in victim yield and *could* find it's not worth it. That's also true of making users type "banana" into a form field, which adds about as much security IMO.
We've already established that the attacker has the capability of stealing passwords, so any solution that involves giving the user more passwords is fundamentally flawed IMO.
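As an added illustration of the thread's point about stolen passwords versus origin-bound factors (example code, not written by anyone in the thread): a toy relying party in Python where a code the victim typed into a phishing page can be forwarded unchanged, while a U2F-style assertion fails because the signed origin is the phishing site. The HMAC stand-in for the device signature, the origins and the registration key are assumptions made for the demo.

```python
"""Toy relying party (RP): a relayed SMS/TOTP code versus a U2F-style
origin-bound assertion when a phishing page proxies the login in real time.
Demo assumption: the device signature is modelled as an HMAC over
(challenge || origin) with a key registered at the RP; real U2F/WebAuthn uses
per-origin asymmetric keys, but the RP's origin check is the same idea."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"    # constructed sample values
PHISH_ORIGIN = "https://login-example.com"
DEVICE_KEY = b"constructed-registration-key"  # stand-in for the registered credential


def otp_login(expected_code: str, submitted_code: str) -> bool:
    """SMS/TOTP check: the code is just one more short-lived password, so a
    relay that forwards what the victim typed passes this check."""
    return hmac.compare_digest(expected_code, submitted_code)


def authenticator_sign(challenge: bytes, origin: str) -> bytes:
    """The browser supplies the origin it is really on; the device signs the
    challenge and that origin together, and the user cannot alter either."""
    return hmac.new(DEVICE_KEY, challenge + origin.encode(), hashlib.sha256).digest()


def u2f_login(challenge: bytes, claimed_origin: str, sig: bytes) -> bool:
    """RP check: the signed origin must be the RP's own, and the signature
    must cover exactly that origin. Either failure rejects the assertion."""
    expected = authenticator_sign(challenge, claimed_origin)
    return claimed_origin == REAL_ORIGIN and hmac.compare_digest(expected, sig)


def relayed_u2f_login(rewrite_origin: bool) -> bool:
    """The relay forwards the RP's challenge to the victim, whose browser is on
    PHISH_ORIGIN. Forwarding the assertion unchanged fails the origin check;
    rewriting the origin field to REAL_ORIGIN invalidates the signature."""
    challenge = secrets.token_bytes(32)
    sig = authenticator_sign(challenge, PHISH_ORIGIN)
    claimed = REAL_ORIGIN if rewrite_origin else PHISH_ORIGIN
    return u2f_login(challenge, claimed, sig)


def legitimate_u2f_login() -> bool:
    """Same flow with the browser genuinely on REAL_ORIGIN: accepted."""
    challenge = secrets.token_bytes(32)
    return u2f_login(challenge, REAL_ORIGIN, authenticator_sign(challenge, REAL_ORIGIN))
```

The contrast is the whole argument: the OTP check cannot tell a forwarded code from a typed one, whereas the RP's origin check rejects the relayed assertion whether or not the relay rewrites the origin field.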