Sunday, February 7, 2010
Passwords
Everybody knows that passwords are weak authentication. But sometimes it's all we have. A while back an irate prof. accused me of being inflexible (imagine--an info sec guy inflexible?). The prof. felt he should not have to change his password. He made his argument claiming he didn't have access to any sensitive information. I asked him if he thought his banking information and social security number were sensitive. He agreed that they were. I pointed out that his univ. ID and password gave him access to his banking information and social security number in our ERP (not to mention student records). He came back saying his bank doesn't make him change his password or PIN. What could I say other than telling him I care more about his private information than his bank does?