iwasanewt | 3 years ago
> REASONS:
> 1. Over 80% of breaches happen because of KNOWN but unfixed vulnerabilities.
This reason only makes sense to me if I assume that all KNOWN vulnerabilities are (and remain) UNFIXED. Assuming otherwise doesn't make sense because I can't tell how many attacks the KNOWN and FIXED vulnerabilities prevented.
> Most attacks lead with phishing and account takeovers not software vulns.
This might be true, but you seem to suggest that we can only concentrate on preventing one type of attack at a time, and therefore we should only pick defensive strategies for the most common attack,
jollofricepeas | 3 years ago
It’s the same reason state govs in the US mandate car insurance or bonds for drivers.
Companies, like people, have limited resources, time and money, so they should focus on where the risk lies.
Risk being impact multiplied by likelihood.
If you have to choose, which do you do first?
- Bump your library versions for all your apps
- Implement MFA for your customers