
Reducing Risk Versus Eliminating Risk

Posted 05-29-2008
IT security professionals are sometimes so passionate about the technical details of a vulnerability that they lose sight of the benefits of risk management principles.
The passion of discussing the details of a vulnerability sometimes overshadows the cost-benefits of risk reduction when passionate people strive for total risk elimination. For example, consider an SMS-based implementation of two-factor authentication (2FA) with a one-time password (OTP), combined with a transaction verification message (TVM). There are folks who rightfully argue that 2FA/OTP is vulnerable to a knowledgeable threat agent executing a man-in-the-middle (MITM) attack.
One of the more advanced banks I am familiar with uses SMS-based 2FA/OTP combined with SMS TVMs that detail the individual transactions. The mobile phone number cannot be changed on-line and requires a face-to-face meeting with proper identification, so arguments that an attacker simply logs in and changes the mobile number are without merit. There are folks who might argue that SMS-based 2FA is vulnerable to SIM cloning and mobile phone theft. Others passionately argue that a sophisticated MITM attack can compromise 2FA.
Regardless of the passion of the argument, SMS-based 2FA/OTP/TVM has cost effectively reduced risk for many organizations that depend upon on-line transactions in their business model. Is the risk totally eliminated? No! Given enough sophistication, or certain scenarios, most controls can be defeated. The point of this example is to illustrate the importance of cost-effective risk management and risk reduction principles versus focusing on vulnerabilities from a risk elimination perspective.
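The 2FA/OTP/TVM control described above, as an added example (not code from the original post, nor from the bank it describes): the server derives the one-time code from the same transaction details it spells out in the verification message, so a code captured by a MITM will not verify a transaction whose payee or amount was altered in transit. The server key, field names, session identifier and transaction values are constructed for this example; delivery of the message over SMS is outside the snippet.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example; a real deployment keeps this in an HSM/KMS.
SERVER_KEY = b"example-server-key-do-not-reuse"


def canonical_txn(txn):
    """Canonical byte string of exactly the fields the user is asked to verify in the TVM."""
    fields = [txn["account"], txn["payee"], str(txn["amount_cents"]), txn["currency"]]
    return "|".join(fields).encode()


def generate_otp(server_key, session_id, txn, nonce, digits=6):
    """Transaction-bound OTP: HMAC over session, per-challenge nonce and transaction details."""
    msg = session_id.encode() + b"|" + nonce + b"|" + canonical_txn(txn)
    mac = hmac.new(server_key, msg, hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{code:0{digits}d}"


def build_tvm(txn, otp):
    """Text of the message the user reads: it details the transaction so the user can compare it
    against what they entered before typing the code."""
    amount = txn["amount_cents"] / 100
    return (f"Transfer {amount:.2f} {txn['currency']} to {txn['payee']} "
            f"from {txn['account']}. Code: {otp}. "
            f"If these details are not what you entered, do not use this code.")


def issue_challenge(session_id, txn):
    """Server side, step 1: create a fresh nonce for this transaction and the TVM to send."""
    nonce = secrets.token_bytes(16)          # stored server-side against the session
    otp = generate_otp(SERVER_KEY, session_id, txn, nonce)
    return nonce, build_tvm(txn, otp)


def verify_otp(session_id, txn_submitted, nonce, otp_entered):
    """Server side, step 2: recompute the code over the transaction actually submitted for
    execution. A transaction modified after the TVM was sent yields a different code."""
    expected = generate_otp(SERVER_KEY, session_id, txn_submitted, nonce)
    return hmac.compare_digest(expected, otp_entered)


def demo():
    """Legitimate flow verifies; the same code replayed against an altered transaction does not."""
    txn = {"account": "ACC-1001", "payee": "Utility Co", "amount_cents": 125000, "currency": "USD"}
    nonce, sms = issue_challenge("sess-42", txn)
    otp = sms.split("Code: ")[1].split(".")[0]   # what the user reads off the message
    legitimate_ok = verify_otp("sess-42", txn, nonce, otp)
    # Hypothetical MITM alteration of the submitted transaction after the user approved it.
    tampered = dict(txn, payee="OTHER-PAYEE", amount_cents=990000)
    tampered_ok = verify_otp("sess-42", tampered, nonce, otp)
    return legitimate_ok, tampered_ok


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The binding is the point: an OTP that is independent of the transaction only proves possession of the phone, whereas one derived from the details shown in the TVM also proves the user approved those details. As the post notes, this does not eliminate risk: an attacker who controls the SMS channel itself (SIM cloning, phone theft) still receives the message.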
Is SMS-based 2FA/OTP/TVM a "perfect solution"?
Of course, the answer is "No."
However, properly implemented cost-effective controls, such as the example in this post, can and do cost-effectively reduce risk for many organizations. Therefore, I often advise IT security professionals not to permit the passion for risk elimination to cloud the cost-benefits of solid risk management principles.

