Beware of cybersecurity tech that’s past its prime — 5 areas to check or give up

“When we select vendors, we tell them that we will not issue a password or a token or a key, all of these are examples of static credentials,” he said. “But we also look at things realistically, so if there’s a product we need that requires passwords, we need passwords to be changed regularly. For us, the use of static information has become the exception, not the rule.”

2. Compulsory scheduled penetration testing

Although it is not a specific prevention tool, the systematic mandatory pen test is identified by some as an outdated strategy.

Attila Torok, CISO at the technology company GoTo, believes that penetration tests performed once or twice a year to satisfy regulatory or vendor requirements do not effectively assess the organization’s true security posture. Instead, he says, they only capture a snapshot of the environment’s security at one point in time.

