The Failure of Information Security 172
Noam Eppel writes to share a recent editorial regarding the current state of information security. From the article: "It is time to admit what many security professional already know: We as security professional are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."
Failure of security professionals? (Score:5, Insightful)
The sad reality of the matter is the vast majority of the threats they mention - Spyware, phishing, Trojans, viruses, worms, rootkits, spam, web app vulnerabilities & ddos attacks - are enabled by the existence of botnets (to stage attacks from, send spam, provide anonymity, host phishing webservers, etc)
The source of (the vast majority of) botnets is Microsoft's security failures in the late 90's/early 00s. How are security professionals supposed to combat something that happened in the past in another company?
Furhtermore, the list of data losses can be blamed on companies who have failed to follow their security team's advice. Not on the security team itself.
The story makes some good points, but blames the wrong people.
Re:Failure of security professionals? (Score:5, Insightful)
Security is not just the technical part, educating your users is huge part of it and if users fail to follow advice the security team has failed in this part of their job. You can whine how stupid users are, but that doesn't change reality, it's the security team's responsibility to make them less stupid.
Re:Failure of security professionals? (Score:5, Insightful)
Let's say, as an IS professional, you explain to managment the need to restrict user accounts with Administrator rights, the need to implement an intrusion detection device, the need to eliminate spam, the need to make the network infrastructure fault tolerant, the need to update the antivirus client to something that can detect modern threats, and the need to educate users on how to operate their systems securely. Management denies budgeting these things on the basis that they are not necessary, and would you please increase maximum mailbox size again?
If the company is unwilling to do what is necessary to secure the environment, then as an IS professional you are largely helpless.
Re:Failure of security professionals? (Score:2)
Measures against security just like safety are directly proportional to the level of perceived threat.
So in other words it will take a massive breach in their world or to someone they know before the proper measures are taken.
Nobody protects a piggy bank with an armored tank. Fort Knox has an Army base beside it.
Shrinkage is inevitable (Score:3, Insightful)
Re:Shrinkage is inevitable (Score:2)
I think the main difference, lately, is scale. Some of the data "misplacements" at the companies listed above resulted in millions of records of data going to mysterious places. That represents a very large percentage of our population. It is nearly guaranteed that every one of us knows someone whose data was not contained, whether they know about it or not. Sort of like nearly everyone carries Toxoplasmosis, but doesn't know it.
It bothers me that if I have an insurance policy with company A, who outsou
Re:Shrinkage is inevitable (Score:2)
Yep. Plain old cost-benefit analysis. If the cost of preventing the mess is greater than the cost of cleaning it up (recalling products, fixing security, etc), you don't prevent the mess.
The flaw in this equation is that a lot of companies consider the potential harm to themselves, rather than the potential harm to their customers. It is here that they should be held liable. If the law required the offending parties to pay damages to the tune of every red cent stolen, and do the grunt work in restoring th
Re:Shrinkage is inevitable (Score:2)
You don't expect a carpenter to build a house with just a hammer. Don't expect me to protect your data with just a router and a tape backup.
Re:Failure of security professionals? (Score:5, Insightful)
Re:Failure of security professionals? (Score:2)
It's too often the case that titles come with very little power. You would think that security people would be in demand now and that people
Re:Failure of security professionals? (Score:3, Insightful)
This is one of the reasons I refuse to ever work as anything less thant Chief Information Security Officer - I have seen SO many directors, ad
Re:Failure of security professionals? (Score:2)
Agreed - but what I was talking about is not failures of the end users, but failure of the company's management to implement secur
Re:Failure of security professionals? (Score:3, Insightful)
If you consider the users to be morons and know that they will fail to follow security advice than you plan for this. You can implement training to 'un-moron' them to a degree, but it is not wise to consider that the post-training person will do what they have been told all of the time.
*ANYONE* in any support or consultancy role that starts to say to themselves (about the users) "You'd think that they would/wouldn't...." (eg: You'd think that they would know not to login as someone else") is
How about if they refuse to "do as they're told"? (Score:2, Insightful)
So some Top Dog asshat opens a gaping hole into the company's system and there's not a
Re:Failure of security professionals? (Score:2)
- Saying that it's a teacher's responsibility to make certain a child grows up to be a responsible member of society. But, in most of the Western world at least, this is bollocks.
- Saying that it's a parent's responsibility to make certain a child grows up to be a responsible member of society, and that they are directly attributable for the failure. This, at least for me personally, is a Truth. However, there will be plenty of children who will grow into misa
Re:Failure of security professionals? (Score:2)
Security professionals who think the solution is control or even education of users, are the ones who are "stupid.". If your ratio of IT personnel:users is at least 2:1 then maybe, IF you can keep your users from looking for better jobs. A "secure" system must be one where it doesn't matter what the users do, and at the same time still be "usable". Control-freak IT edicts merely motivate users to view IT staff as adversaries and look for convenient workarounds, which often the IT people are completely ob
Re:Failure of security professionals? (Score:2, Insightful)
Your users are so stupid they tryed to plug their new phone into a ethernet port.
This is ignorance, not stupidity. The people who wrote the jokes were too stupid to know the difference.
I like LBJ's line about stupidity:
They couldn't pour piss out of a boot if the instructions were written on the heel."
KFG
Re:Failure of security professionals? (Score:2)
Sure, educated users are an extremely important part of keeping the infrastructure as secure as possible however.
Re:Failure of security professionals? (Score:2)
Yes, so what am I supposed to do? Shoot every Windows-salesman, electrocute all PCs running windows and blow up the Microsoft-campus. I'm pretty sure I could increase security in the long term by doing that... Would give nice headlines too: "Security professionals blow up Microsoft campus".
Re:Failure of security professionals? (Score:3, Interesting)
Exactly. Senior management (aka the "C level positions" like CFO, COO, CEO) just refuse to integrate information assurance, integrity and control into their practices. It is no different than rejecting GAAP and instead using creative accounting ala Worldcom and Enron. Yea, this stuff is hard and complex. But so is the world of finance, and yet we are required to figure it out there.
I work for a firm that consults to smaller financial institutions
Re:Failure of security professionals? (Score:2)
What you need to to is quantify the costs of the last 2 or 3 security breaches and worm/virus infestations, and those of other companies, and also the rules and fines and PR black eyes for exposing private information to the world.
Then compare those costs to to the cost of your proposed Firewall/IDS/IPS systems.
You need to realize that Functionality will always reside
Sounds a bit harsh to me (Score:5, Interesting)
This is quite harsh. While it is true that more could be done, it also true that it is thanks to security professionals that things are not as bad as they could be. Yeah, Norton and McAfee are doing their best to scare consumers into buying software that provides ridiculous security. But this is not what we mean by "professionals".
Also, I am not a "security professional" but I have done my fair share of configuring and securing other people's computers; sometimes thay might have been compromised anyway, but if I had done nothing, many more systems would have been at danger.
The article lists a long series of threats that endanger our systems everyday - but I fail to see how they are related to security professionals not doing their job. I'd rather blame the criminals.
Re:Sounds a bit harsh to me (Score:2)
As opposed to what?! Bad is bad, especially in security, where one breach is all you need. I don't think there's any such thing as "secure to a degree". You're either secure or you're not.
Perhaps you meant that "the consequences are not as bad as they could be". But how much worse do you want it to get? So far the bad guys have been using victims
Re:Sounds a bit harsh to me (Score:2)
Ah.. absolute security exists you believe?
You disqualified yourself from having an in any way relevant opinion about information security if you really believe that.
Re:Sounds a bit harsh to me (Score:2)
You disqualified yourself from having an in any way relevant opinion about information security if you really believe that.
Yes, absolute security can exist. It is more easily attainable the simpler the security system, and the less security systems involved. As they grow more complex and interact with each other, unforeseen consequences are more likely to appear.
But I can see where you come from. It's "not possible" to build a perfectly secure system, so why even tr
Re:Sounds a bit harsh to me (Score:2)
No it can not. No matter what you do, if someone wants your information badly enough and it is somehow worth the effort for them, they can get it. That is why absolute security doesn't really exist (yeah, you can argue it does exist, just is infinitely expensive, but that means that for all practical purposes it does not exist)
It is more easily attainable the simpler the security system, and the less security systems involved. As they grow more complex and interact with each
Re:Sounds a bit harsh to me (Score:2)
Social engineering (to pick but the most glaring of security issues), regardless of policies and procedures, will always prevent perfection.
Re:Sounds a bit harsh to me (Score:2)
Well. It's an extreemely good point.. however, I think the police / criminals analogy works on another level too; at first glance, you'd think it's the criminals that's making the streets unsafe, and not the police. Start looking around a little in the real world though, and you'll find plenty of countries where it's more or less debatable wether the police are solving more problems than they create (Russia, most parts of Africa and some parts of South America)..
Likewise,
A real failure! (Score:5, Insightful)
Techniques like phishing or social engineering, as well as a good dose of stupidity [slashdot.org] and ignorance, can make security technologies useless!
Like writing down on leaflets PINs and passwords or communicating them via email.
Re:A real failure! (Score:2)
You can build the environment as safe as it gets... but if you can't enforce a secure behavior to your user, you can't be 100% secure.
Also, management end doing poor decisions based on the average user skills, like using Windows desktops
The average user must understand their role within the security plan, understand that good security has much more to do with good pratices and habi
Re:A real failure! (Score:2)
Here's how my passwords at work have to be modeled:
1. at least 8 characters.
2. at least on capital
3. at least on numeric
4. at least one symbol
5. the same digit/numeric/symbol cannot be used consecutively
6. pasword must go through 99 iterations to prevent repeats
7. no two passwords, for any system, can be the same
I have a (security through obscurity) method for keeping track of my passwords. How would YOU keep track, while st
Re:A real failure! (Score:2)
fuck.you.69
screw,you,666
bite.me.69
eat,me,666
fuck.off.69
the,sysadmin,is,an,idiot,666
the sysadmin.is.an.idiot.7
After you run out of these, simply write a script to repeatedly change your password, incrementing the number and alternating the period for a comma each time until you reach the.sysadmin.is.an.idiot.99. Then set it back to the first passwo
Re:A real failure! (Score:2)
If you require passwords to have lower case AND uppercase AND numbers AND symbols AND be more than eight characters, then the user is going to write it down.
If you require a different password for every program, service, etc., then the user will write them all down.
If you require changing passwords every six weeks, t
Interesting but... (Score:5, Interesting)
Another point: What are we comparing this to anyway. What I mean is, "bad security" compared to what? How many millions of attempts at compromising security are foiled vs those that get through? The times when businesses actually follow what a security consultant recommends, I guarantee they become a hell of a lot more secure than those that don't.
Re:Interesting but... (Score:2)
What I see in my practice is that even clients who are in the crosshairs of statutes that set infosec standards will ask in effect "what is the *minimum* we have to do to comply with the latter of the law?"
>Another point: What are we comparing this to anyway.
Good point. The current situation is somewhere between no security (Windows machine on the Internet without a f
The Human Factor (Score:5, Insightful)
I know I am stating the obvious here, but I still think the human factor is almost always greatly underestimated.
Re:The Human Factor (Score:3, Interesting)
Italic Text = Boss
In relation to giving access to a share for large files. [> 200GB]
Ok, give me the names you want to have write access to this share..
"I can't be bothered to give u all the names, just give them all access" - [Hundreds of Users]
You realise that defeats the purpose of having home folders & quota's & that they can delete anything on the drive, and that we have no backup policy or the facilities to back up that drive [> 200 GB]
So...Just Do It
Sound fami
Re:The Human Factor (Score:2)
If you were the consultant they paid to tell them what to do they'd also listen... yes it's idiocy, the consultant knows less about the problems than you do, probably doesn't know more about the solution. But they paid for this advice... and they don't want to look like idiots by paying 40k and then doing nothing with the results.
Unfortunately as part of the bargain th
Errare humanum est. (Score:3, Informative)
You may need to first draft a memo, spelling out the potential security consequences you anticipate, and insist that the boss provide a responding memo that specifically lists them, states that he has considered them, and that you are completely absolved
Re:The Human Factor (Score:2)
Yes, you cannot ignore the user, but you must protect him from himself without his knowing about it. Otherwise you become an adversary as soon as that protection gets in the way of usability.
Another problem is that the jury is still out on the effectiveness of a lot of security measures IT pros have become accustomed to. There are lots of conflicting goals. Passwords that expire often and in so doing cause users to have to write them down and/or invent ways to defeat login timeouts so they can stay alwa
Re:The Human Factor (Score:2)
Yes, I know my comment was superficial and downright obvious, but yet it was something totally missing in TFA. It was just something I wanted to point out, and I wasn't really disagreeing with the article.
I also agree with you that the software industry should take (or be forced to take) more responsibility for the products. Security is not something the consultants or security professionals can patch later as an add-on.
But
Professional Regulation (Score:2, Interesting)
Re:Professional Regulation (Score:2)
Re:Professional Regulation (Score:2)
Very silly.
Having to take a test for actual security people are as well.
The fundamental principals of security aren't that hard. Not hard enough to require a test:
1) Validate all inputs coming from insecure ports. Assume that all data from them is untrustworthy. Don't allow any kind of write access to your data on insecure ports. Don't allow pass
PEBKAC (Score:5, Funny)
Time and again I see proof that people, smart people, people with a masters degree and Ph.D., lawyers and bankers, managers with a six to seven figure annual income, become mumbling fools in the presence of a computer. I don't know what it is that those magical boxes emit, but it must be akin to the stupidity ray used in Zak McCracken. Lucas got it wrong there, it's not transmitted through the phone line, it comes out of your computer screen.
Now the argument comes "Then don't allow them to f... up the system, lock them down and take away their permissions". Anyone who ever said that statement never worked with managers that have egos that require their own offices. Don't you, grunt, DARE to take away any options from him! He is the master of the world, he is the chieftain of chieftains, and YOU dare to tell HIM what he may and what he may not do?
Security is nice on paper, but it is very hard to do in reality. Not so much because its technicalities. The human factor is by far underrated in IT sec.
Re:PEBKAC (Score:2)
Re:PEBKAC (Score:2)
Either way, doesn't really matter I guess. It doesn't solve the problem, the only good solution I found for this problem is vitriol.
Re:PEBKAC (Score:5, Funny)
Either is fine. The product of stupidity and computers is commutative.
EGBT (Score:2)
According to my contact in R&D at Evil Geniuses for a Better Tomorrow, the ray also works quite well over CAT-5 ethernet, due to the similarity to phone wire. Adapting it to run over 802.11a/b/g/pre-n wireless took more work.
Re:PEBKAC (Score:2)
That way of looking at it is a bad start on communications.
How long would you live in the jungle in Papua New Guinea? The Arctic? South Central LA? Yet you can go through the worst neighborhoods of the Internet unscathed. It's a matter of adaptation and experience.
Your users may adapt better if you find a way to anchor the new knowledge they need for Internet survival onto their existing knowledge. Someone here on Slashdot said he got fewere return visits from spyware-infested people after
My House isn't 100% secure! (Score:4, Insightful)
Re:My House isn't 100% secure! (Score:2)
Re:My House isn't 100% secure! (Score:2)
The problem with Windows machines is not only that new backdoors are found constantly, but that then they can be used to attack other computers. It's like an "insecurity virus", it multiplies. If we use the house analogy, every broken house would become a thieve's HQ.
Having said that, I have to cl
Re:My House isn't 100% secure! (Score:2)
Locks can be completely bypassed though. If you call 911 and tell them you're having a heart attack, if the door is locked when they arrive, they maydeploy a gadget easily found in first responder catalogs that goes into the doorframe horizontally and jacks the frame open wider enough that the bolt from the lock doesn't engage eny more.
Organize a block watch group in your neighborhood.
(This has nothing to do with the point you're making but I love talking about physica
Corporate mentality (Score:5, Interesting)
- We want to have our machines and network secure as long as it doesn't cause too much hassle to people and we don't pay a lot for it.
In other words, forget about big hardware changes, forget about changing the OS/E-mail client/Word editor/Web browser on the desktops of the staff, forget about getting all laptop users in their own sub-network and forget about retraining our staff to use computers in a way that helps improve our IT security. Oh, and by the way, if the CEO or some other VIP has some funky new program on his laptop that can't connect to the Net, just open those ports in the firewall.
And now IT Security professionals are to blame?
What's next? Maybe the cleaning lady at Enron was the one responsible for defrauding the investors????
Re:Corporate mentality (Score:2)
- We want to have our machines and network secure as long as it doesn't cause too much hassle to people and we don't pay a lot for it.
Spot on. Corporations who are legally mandated to secure their information systems will spend the mimimum to achieve compliance. Absent this, they'll spend nothing unless it effects the bottom line and shareholder value.
Information security professionals are no more responsible for the consequences of
Re:Corporate mentality (Score:2)
And yet there's annual, mandatory, Security Awareness training. One year I was able to get a perfect score
Re:Corporate mentality (Score:2)
Failing (Score:2, Insightful)
BS
You cannot solve cultural problems with technology:
http://news.bbc.co.uk/2/hi/technology/3639679.stm [bbc.co.uk]
Re:Failing (Score:2)
Now if you are taking about the existence of crime itself as the "cultural problem", then I'm more likly to agree with you, but pyschology is making leaps and bounds in determining why people commit crimes. Think "Gattaca" or "Minority Report" and others where technology solved problem X, and created a much bigger problem Y.
In conc
Hmmm... (Score:3, Insightful)
An Important Note (Score:3, Insightful)
We haven't had a worm since. There have been no systemic outbreaks in over three years. Sure, we've had mild rashes, but Zotob vs. Nachi isn't even a comparison, nor is Blaster vs. WMF.
IE attacks are deeply problematic -- they're wonderfully targetable, among other things. But there's really no replacement for zero-interaction, receive-a-packet-and-you're-owned style vulnerabilities. SP2 put a firewall on every desktop that cared. Since then, no worms.
That's not to say we're not fighting a painful battle. Really, every day we get to still bank online is another day I'm surprised. But the fact that SP2 was written, was free, and was actually deployed enough to matter is one hell of a win.
Re:An Important Note (Score:3, Insightful)
Re:An Important Note (Score:2)
The other most important thing they did; turned on Windows Update by default. Those 2 decisions were probably the best MS has taken in a long time.
Botnets grow ever larger, numerous (Score:2)
One vector for bot recruitment is browser exploits. An astonishingly high proportion of websites host hostile pages - by design or through being compromised themselves.
Take a look at the real world (Score:2)
In the real world a society has only got to deal with a limited set of criminals. The criminals in that society. Not that many nigerian cat burglars who hop over to europe for a quick breakin (I am not going to touch immigration problems today thank you, it is to hot for a flamewar).
But on the net the society is 6 billion a
A ridiculous article (Score:4, Interesting)
In other news, firefighters KEEP fighting fires worldwide! Despite their work, fires seem to keep burning stuff all over the world! Shock!
News at 11! Ambulance personnel and hospital staff are fighting an uphill battle! patients keep coming in! Where does it end?
Seriously, as long as you have people using any mechanism (computer/car/whatever) there will be people who break it, people who benefit from breaking it and people who try their utmost to KEEP it from breaking.
I'm *really* looking forward to the followup article which will tell us all how to "fix" this. Mayhaps a rant on buffer overflows? the virtues of "safe" languages? sane input validation? sigh.
Re:A ridiculous article (Score:2)
Good point. IMO, all operating systems from now on should implement mandatory virtualization/caging. No HD access outside the program's installed path, no registry (or equivalent) access outside the program's parameters, and using a warning for programs which would do said access.
This would keep us at least protected
Re:A ridiculous article (Score:2)
No, actually a better comparison would be "Judge lets criminal go free on technicality". The problem isn't that the doors aren't locked or the system isn't airtight enough. The problem is that people still want to live and function under the system.
Our judicial system has rights for the accused that result in some criminals going free. Why? So the system is more
This makes no sense (Score:5, Insightful)
The sad reality is that information security is rather hard to achieve in an imperfect environment and without unlimited resources.
To make a bad analogy, it is hard to physically protect your client/employer if they insist on partaking in high-risk pursuits, and the environmaent is harsh and dangerous. Email-header spoofing, bot-nets, vulnerabilities in 3rd part software - these are not under the control of the admin, at least not if you are committed to the Microsoft platform.
The same could be said that a doctor cannot be held responsible for their patients health, if their patient is a chain-smoking, alcoholic base-jumper who rides his a monocycle down the freeway at 100 km/h.
Is it really that hard? (Score:4, Interesting)
Seriously, I'm asking. :-)
Here's what my wife and have been doing. We both have computers, and we use it for very different things. Mine is games, programming, internet, and my wife's is for CAD, photoshop, internet.
They're both pretty much setup the same, other than the OS. My wife's runs Windows 2000 and mine runs XP. Both are connected to the Internet via a Linksys wired router. Both run Firefox only as the web browser. The Windows 2000 box runs ZoneAlarm as the firewall, and mine runs Windows firewall. We both use GMail as our email tool.
Other than that, there isn't much security software installed. I don't even have an anti-virus.
I am pretty diligent at applying patches however. Firefox and ZoneAlarm both notify me when a patch is available, so I apply them when they popup. I run Windows update weekly. I also have Adaware and Spybot Search and Destroy that I run weekly as well. Other than the usual ad cookie (Double-Click, etc), they've yet to discover something.
The only problem I've had with machines is with a bit of spyware that got installed. It was one of my wife's first online experiences, and she clicked on something she shouldn't have, AND she was running IE. I ended up reinstalling the OS, and after a very short Firefox tutorial, it was the end of spyware on her computer.
(As an amusing side effect, she's now become quite the advocate for secure online habits and for Firefox. Most of her family and friends are all Firefox users now. Can we get a free T-Shirt :-) ).
So what's the problem? Is it bad habits, or is it really that bad out there?
Phemur
Re:Is it really that hard? (Score:2, Insightful)
You and your wife spent some time preparing and getting some type of defense up AND maintaining it. The great majority of people I deal with think that they can install Windows update once and they will be good. Or my favorite, "I have XP (windows) so I don't know what could have gone wrong." People click where they shouldn't click, go where they shouldn't go and do things without thinking.
The only good analogy t
Re:Is it really that hard? (Score:2, Insightful)
Most security problems do not enter the company through the company firewall/mail gateway. They are *carried* into the building on employees (surprisingly often: managers) laptops. Laptops that are used at home for the kids to play with, browse the web or whatever. Or for the own employees entertainment.
I don't have kids but a while ago I had a friend visit me, together with her 12-year old daughter. We kinda lost track of her whereabouts and found her behind my company laptop (in my
Re:Is it really that hard? (Score:2)
Ideally you go a bit further then that.. any laptop comming onto the network will be isolated in a segment with only that laptop and an authentication server. Before being allowed to use any servives, the laptop has to be checked on mandatory protection software being active, and has to be authenticated. After this it will still be on its own seperate network, away from 'normal' workstations.
Ignorance Is Bliss? (Score:5, Insightful)
To put it another way: Just because you have no symptoms doesn't mean you don't have cancer.
Is this little traffic light on your router blinking 24/7?
Re:Ignorance Is Bliss? (Score:2)
Viruses arent magical genies that pop into your computer; they need a vector for propagation and execution. Having sane firewalling rules, patching operating systems regularly, using safe browsers and internet tools pretty much cover most of the attack vectors. My
Re:Ignorance Is Bliss? (Score:2)
How would he if he had? Anti-virus software is designed to appear successful: when it finds something, it will post big messages to your screen regardless of the real danger. If it doesn't, it won't tell you. Not having seen any warning from the virus scanner doesn't mean your computer is clean, and seeing one doesn't imply there was any real danger.
Re:Ignorance Is Bliss? (Score:2)
Mine has been blinking 24/7 for years, since the first IIS worm. Tcpdump suggests the reason: even if your computer isn't part of a botnet, if you're on a cable modem you can expect to be continually swamped by arp requests as a side effect of other bots' subnet scans.
Re:Ignorance Is Bliss? (Score:2)
What I absolutely do not ever trust is a virus detector running on a potentially compromised system to give accurate results. I also don't particularly trust antivirus software itself, which is why I only run it on disk image copies.
Re:Is it really that hard? (Score:2)
Create a backup of all your data. (In case installs or removals go badly.)
Turn on automatic updates if you haven't already. Install all updates.
Install Zone Alarm.
Install AVG Free and run a complete scan of your system.
Install Spybot and run a complete scan of your system. Also, look under Tools --> System Startup in the menu to see if there is anything "odd" being run at startup. (Requires advanced view mode.)
Install AdA
Re:Is it really that hard? (Score:2)
You don't know what the problem is, but you take a lot of steps to prevent them.
You have a firewall. That protects you already from a lot of worms or other things that are out there.
You don't use IE. You may not be a security expert, but you are still better off that 80% of users out there. A lot of spyware comes from questionable sites with ActiveX content. Too many users click on any old pop up claiming to have a useful tool or wi
Re: (Score:2)
Then change it (Score:2)
Eternal Vigilance (Score:2)
Unfortunately, you must protect your data constantly and train your staff accordingly. One weak link can ruin everything.
because I.T. Security Pro = scapegoat (Score:3, Insightful)
This article is a riot act equivalent to calling out doctors to take accountability for people who run with scissors.
Not trolling in anyway but . . . (Score:2)
Failure of management (Score:2)
Coincidence? (Score:2)
Security Absurdity.com > Security Absurdity; The Complete, Unquestionable, And Total Failure of - Microsoft Internet Explorer"
Now was this an accident or did the authors deliberately lengthen their article title to make this happen?
salary? (Score:2)
Uh? Since when? Security has been undervalued for years and there are two main reasons why the security of almost every company is shoddy at best: a) not enough budget and b) the human factor (i.e. invent a foolproof system and the world will invent a better fool).
The elephant in the room (Score:5, Insightful)
When you build anything, you make certain fundamental underlying decisions that affect how the rest of the system works - forever. If something is fundamentally broken about any of these core decisions, the structure will be irreparably and irrecoverably broken. It is universally understood that you can't really fix a building with a flawed foundation or a ship with a broken keel. If those parts aren't right, nothing else matters.
In the 1990s, the world decided to base virtually all computer systems upon an operating system designed by Microsoft. Systems were changing radically over the span of months. Millions of dollars in computer investment could be rendered completely useless if the computer world changed direction. The panic led to sort of a terrified groupthink - we had to make sure we were on the garden path to computer goodness as soon as possible. We didn't choose Microsoft because it was better, or because it was secure, but because in 1992, it looked like the only thing that would work. Now, in 2006, we know (as will be attested by the numerous Microsoft astroturfers who will undoubtedly respond to this posting) that you really can use any operating system to get the job done. The fear of total obsolescence has turned out to be unfounded. We had more of a choice in 1992 than we really thought.
The question is not whether or not we made the right choice. It is rather how far the fragments of the ship have to sink before we decide to abandon it. How much of the building has to collapse before we evacuate it? How many wheels have to fall off of the car before we pull over and call for a tow truck? The thing we most feared back in the 90s - total system failure for making the wrong crucial underlying choices, is happening every single day. When will we wake up and respond accordingly?
The real problem... (Score:2, Interesting)
It is affected by all the layers of the 'net
Transport:
Remember that the net was designed to be an alternate method of communication for the US Defense Dept in the event of a nuclear conflict. This means it was designed with the (then quite valid) assumption that all those connected were 'trusted' as it was an entirely closed system.
OS Architecture:
Consider that the numbe
Those who do not study history... (Score:2)
No, it wasn't. There are many scholarly books that detail the complicated conditions that brought about the Internet; I suggest you find and read a few. While intertwined with the cold war, and the product of research into how such resiliant communication might be possible, that wasn't the intent of the effort that began ARPAnet and the Internet. Hafner's "Where Wizards
Security Personel suck (Score:2)
"Here here here here here!!! There's a new threat! We have to put this untested patch on our servers immediately!!!"
"Uh, this patch is for Windows. Our servers are running Linux."
"Linux can run Windows apps through em-em-emulation. We have to patch it!"
"Yes, that's true, you can install an
TFA should read TFA he quotes (Score:2)
strike me down . . . (Score:2)
If more IS professionals spent their time actively understanding their clients' business drivers and protecting their interests, rather than submitting links to Slashdot for their Google Ads-linked blogs, mayhaps we'd be in a slightly better position.
We don't need more Steve Gibsons. My two incendiary cents.
M
Social Networking / Security (Score:2, Interesting)
I got a call from "citibank" the other day on my office phone. They said they have a pretty good offer to give me and went ahead and gave me a fantastic offer. Then they asked me my full name (ahem!). And then they asked some more details (innocuous ones) until finally they asked my credit card number. That's exactly when I hung up. I know people who would happily give out this information without even realising what's happening!
There are
When will things will change (Score:2)
Re:Missing the Point (Score:2)
Well, I know how to build a secure system. For a bunch of money, I'll tell you. We've know for years how to do security right, but when it is done right, it's a hassle, and not percived as being worth it.
Re:Missing the Point (Score:2)
Not even close. Given the resources, I could break into such a system from some distance away.
You forgot to put the computer in a Faraday cage, with armed Marine guards outside. Make sure the Faraday cage is in a room near the center of a large, secure building. Encrypt all communications with one time pad onto physical media, and make sure the other end of the communications channel is just as secu
Re:I blame the companies and management (Score:2)
This will never change, because the burning building is a rarity, and there are laws to keep you from having 12 unsupervised infants in the same room, thus when it happens, it's news. The millions of buildings that don't burn down aren't news.
If you want real change in the industry, do like the Japanese, and make the CIO ge