Comment Re:How can this be? (Score 1) 613
Stupid users? I would rather say stupid designers who impose stupid constraints on John Doe...
Submission + - Security Isn't Just Avoiding Microsoft
Jay Singala writes: "Article: Security Isn't Just Avoiding Microsoft
http://www.computerworld.com/action/article.do?com mand=viewArticleBasic&articleId=291226&source=rss_ news50
Security Isn't Just Avoiding Microsoft
Ben Rothke
May 07, 2007 (Computerworld) We've all heard IT professionals imagine how secure their networks would be if they just didn't have to use any Microsoft products.
I've had to listen to clients kvetch for hours on end about how Microsoft makes their lives miserable and how everything would be better in a Microsoft-free world. Tony Bove wrote a whole book with that theme, Just Say No to Microsoft, and plenty of blogs have taken up the cry.
It's time for all the people who have entertained this fantasy to stop deluding themselves.
How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system.
Networks in a world in which Apple had won the operating systems wars would still be insecure. What's that, you say? The Macintosh has had far fewer bugs reported and patched than Windows? That's true, but it's a consequence of the minuscule market penetration of Mac OS. If the Mac had enjoyed a market share of upwards of 80% for the past couple of decades, it would have been the focus of every hacker and script kiddie on the planet. And you might be lamenting the minuscule market share of that scrappy operating system vendor in Redmond, Wash.
If you put computers on a network and open that network to the outside world via the Internet, you're going to have security problems, regardless of whether you're running Windows, Mac OS, Linux or an operating system you created in your spare time. By all means, we need to run the safest operating system we can, fortify our networks and police the whole thing. But once we've done all that, we're left with one unalterable fact: Users will still make errors galore. Training can help. But for a bit of perspective, consider commercial air transportation. The hardware is about as safe as possible, and pilots are trained as thoroughly as surgeons. But accidents happen, and they're usually the result of pilot error.
User errors have long been the bane of security. In a sense, true security requires a paranoia honed to a fanatical edge, but sometimes even fanaticism isn't enough. After all, no one has surpassed the Nazis when it comes to fanatical paranoia. Yet even the well-trained German soldiers of World War II broke a fundamental rule of cryptography and reused the same keys. That mistake might be the only reason this article wasn't written in German.
So, what needs to be done? You must require users to attend formal information security training and awareness programs. No one should be left out. Set minimum security training and awareness requirements that all workers must meet — even janitors and others who have no system access. Step up the requirements for those who have access to corporate information systems (most workers would fall into this category), and establish exhaustive requirements for employees in computer-related positions of trust, such as security staff and systems programmers.
Your first step, if you haven't already done it, is to write down your information security policies. You can't design an effective training and awareness program without them.
Once you've set up effective training, you have to maintain it. Keep it consistent, and make sure users are up to date. It won't be easy. In fact, it's a lot easier to just blame Microsoft. But don't feel that all that kvetching didn't help. It took lots of people kvetching loudly for many years for Microsoft to realize that it had to do more, and it has made great strides since 2002, when it announced its Trustworthy Computing initiative.
Now it's your turn to do something similar within your own organization.
Ben Rothke, CISSP, is a senior security consultant at International Network Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006)."
http://www.computerworld.com/action/article.do?co
Security Isn't Just Avoiding Microsoft
Ben Rothke
May 07, 2007 (Computerworld) We've all heard IT professionals imagine how secure their networks would be if they just didn't have to use any Microsoft products.
I've had to listen to clients kvetch for hours on end about how Microsoft makes their lives miserable and how everything would be better in a Microsoft-free world. Tony Bove wrote a whole book with that theme, Just Say No to Microsoft, and plenty of blogs have taken up the cry.
It's time for all the people who have entertained this fantasy to stop deluding themselves.
How would life without Microsoft be different? It wouldn't be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system.
Networks in a world in which Apple had won the operating systems wars would still be insecure. What's that, you say? The Macintosh has had far fewer bugs reported and patched than Windows? That's true, but it's a consequence of the minuscule market penetration of Mac OS. If the Mac had enjoyed a market share of upwards of 80% for the past couple of decades, it would have been the focus of every hacker and script kiddie on the planet. And you might be lamenting the minuscule market share of that scrappy operating system vendor in Redmond, Wash.
If you put computers on a network and open that network to the outside world via the Internet, you're going to have security problems, regardless of whether you're running Windows, Mac OS, Linux or an operating system you created in your spare time. By all means, we need to run the safest operating system we can, fortify our networks and police the whole thing. But once we've done all that, we're left with one unalterable fact: Users will still make errors galore. Training can help. But for a bit of perspective, consider commercial air transportation. The hardware is about as safe as possible, and pilots are trained as thoroughly as surgeons. But accidents happen, and they're usually the result of pilot error.
User errors have long been the bane of security. In a sense, true security requires a paranoia honed to a fanatical edge, but sometimes even fanaticism isn't enough. After all, no one has surpassed the Nazis when it comes to fanatical paranoia. Yet even the well-trained German soldiers of World War II broke a fundamental rule of cryptography and reused the same keys. That mistake might be the only reason this article wasn't written in German.
So, what needs to be done? You must require users to attend formal information security training and awareness programs. No one should be left out. Set minimum security training and awareness requirements that all workers must meet — even janitors and others who have no system access. Step up the requirements for those who have access to corporate information systems (most workers would fall into this category), and establish exhaustive requirements for employees in computer-related positions of trust, such as security staff and systems programmers.
Your first step, if you haven't already done it, is to write down your information security policies. You can't design an effective training and awareness program without them.
Once you've set up effective training, you have to maintain it. Keep it consistent, and make sure users are up to date. It won't be easy. In fact, it's a lot easier to just blame Microsoft. But don't feel that all that kvetching didn't help. It took lots of people kvetching loudly for many years for Microsoft to realize that it had to do more, and it has made great strides since 2002, when it announced its Trustworthy Computing initiative.
Now it's your turn to do something similar within your own organization.
Ben Rothke, CISSP, is a senior security consultant at International Network Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006)."
Boredom Drives Open-Source Developers? 199
Henry McClyde writes "Chris Anderson of The Long Tail posted an article yesterday in which he claims that "spare cycles" — or boredom and the tons of people who wish they had something better to do — is what drives Web 2.0.... and the open source development community. While Web 2.0 in general is driven by "the long tail," NeoSmart seems to have taken up issue with Anderson's claims that open source developers (and other freeware programmers in general) do what they do because they're bored and have nothing better to spend their time on. Same with Wikipedia contributors, and bloggers in general."
Slashdot Top Deals
"The eleventh commandment was `Thou Shalt Compute' or `Thou Shalt Not Compute' -- I forget which." -- Epigrams in Programming, ACM SIGPLAN Sept. 1982
