A Need for Greater Cybersecurity
otterit writes "A story in the Washington Post discusses how chief executives of U.S. corporations and their boards of directors should assume direct responsibility for securing their computer networks from worms, viruses and other attacks, an industry task force working with the federal government said."
Isn't it about time to really assess whether it is absolutely necessary to provide every employee with their own internet access?
Restricting the internet to a single machine (or battery of machines) that only sent and received external email and forwarded it on to the internal network seems like the absolute maximum internet connection necessary for most businesses.
Surely employees don't have to surf the web at work?
I have been pwned because my
This is really a very big problem plaguing the industry. Someone has to do something, and it's good to see people starting to notice this. Let's hope something worthwhile comes out of this.
"In questions of science the authority of a thousand is not worth the humble reasoning of a single individual."
Corporations announce they should be responsible for securing their own networks.
(as opposed to relying on magical network security elves that secure your network while you sleep and provide freshly made footware in the morning)
Hoops?
So they will finally migrate to open source technology?
German Gov IT security agency BSI published a nice migration guide. I would like to see that on the other side of the Atlantic.
So the people that use the software should assume liability for not patching holes, but the manufacturer assumes no responsibility for leaving security holes in their product to begin with? This sounds very backwards to me.
Yea, but how will we post on slashdot then?
Think about the slashdot. Think!
Let business Darwinism take its course: those that implement effective countermeasures survive and thrive in a competitive marketplace, those that don't...
Exactly -- in my office, everyone has access to the internet, but really only need access to our intranet. It causes more problems than it solves - viruses, users downloading strange apps, etc...
...we are from the government - we are here to help...
When you make demands like this, the next thing you know, you'll try to make them directly responsible for their corporate financial statements.
[You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
That's not to say that IT security and virii aren't devastating. Just that putting clueless buzzword-directive-issuers in charge, instead of those who understand the implications and directly deal with customers, doesn't solve anything.
It's hard enough to make them take responsibility for things like overstating earnings and embezzlement. How exactly are they going to be forced to be accountable for this?
Where's my lobbyist? Right here.
To read slashdot? Unacceptable!
Move along /., nothing new to see here...
...we are from the government - we are here to help...
I know of one large government agency that recently had to turn off all linux machines. Why? There was no anti-virus software installed on them, and the "security czar" required such software on all servers.
If worms, viruses and other attacks can alter or remove financial accounting data, then the execs currently are accountable thanks to Sarbanes-Oxley 404. This legislation creates work like Y2K did. If you haven't been impacted by it at your job yet, start reading up now.
This is typical. Focus on just one part of a greater problem. The issue is security overall. Your computers can have the most advanced security possible, but it can become useless with a few misplaced words from one of thousands of employees, or a document that missed an appointment with the shredder. When I worked in tech support, I can't count the number of times I found usernames and passwords in plain view on post-it notes...the "security conscious" employees would put them under the keyboard. Outside vendors could see any of this at will.
The internal network can also be destroyed by a simple click on an email attachment. The real issue here is educating people about computers, and expecting a certain level of competency. Too many employees are using something they don't understand; it would be like giving company cars to people who don't know how to remove the keys from the ignition and lock the doors.
...
> Surely employees don't have to surf the web at work?
Well, they might as well, but perhaps only through a proxy. That way, the PCs would not need to be exposed directly to the internet, but they would still have limited access to http/other resources. The rest could be done over a company network.
With IPv4 addresses becoming more scarce, it's probably worthwhile to avoid giving each employee their own address anyway, since the proxy would be able to provide sufficient identification of employees to web servers (I'm sure there's some HTTP header like Proxy-Username).
For the last 8 years, I would not have been able to do any of the work I've been paid to do if I didn't have timely access to the web. It's to the point that I now wonder how I was able to get any work done 15-25 years ago!!! Granted, not all work **REQUIRES** it, but if you start discriminating between functions at work, you will get more disgruntling than good work done; it has come to the point that web access is nothing less than telephone access.
However, granting internet access to employees doesn't mean that the barest minimum security and/or monitoring should not be deployed. In fact, it would be quite foolish to grant unrestricted/unmonitored internet access to employees.
Many research materials for the scientific industry rely on unfettered internet access. The heads of management want to see results and they don't want to pay to maintain internal libraries. The IT department doesn't want to establish tunnels and VPNs for every available online resource and database. While more secure it would bring availability to a grinding halt.
The management heads who like to crack the whip need to make a choice: if they take sadistic joy in cracking the whip then they're either going to have to provide the access (and take responsibility for the contingencies) or they're going to have to lay off the whip. The third option is to continue doing what they're doing: crack the whip as hard as possible and find a scapegoat when the bleeding gets too bad. It's worked for several decades but we're fast approaching a critical mass of disgruntled and blacklisted talent.
With the social system in America heading freight train like towards mediocrity, however, it's no surprise that corporations take no responsibility for the good talent that they use up and throw away like so many expendable human batteries. The bottom line is the dollar sign. For the people closest to the top who continue to earn profit there's no need to take responsibility for the lives they've ruined.
+++ATHZ
Perhaps some level of legislation would be good. How about a law (only for US) that would outlaw an open relay, requiring each mail server to be configured correctly. Or perhaps something that says an ISP like AOL or Comcast should not permit port 25 traffic beyond its router unless it comes from their own SMTP server.
I realize lots of spam comes from overseas, but a lot also comes from aol.com, rr.com, comcast.net, etc.
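The egress rule the comment describes ("no port 25 out unless it comes from our own SMTP servers") also gives the defender a clean detection signal: any customer host opening outbound TCP/25 that is not an authorised relay is either misconfigured or a compromised machine spamming directly. The following is an added example, not code from the comment or from any ISP; the relay addresses, the customer network and the flow records are all constructed for illustration.

```python
"""Flag outbound TCP/25 connections that did not originate from the
authorised mail relays. Added example; the flow records below are
constructed, not real ISP data."""
import ipaddress

# Hosts allowed to speak SMTP to the outside world (assumed values).
AUTHORISED_RELAYS = {
    ipaddress.ip_address("10.0.0.25"),
    ipaddress.ip_address("10.0.0.26"),
}
# Address space of the customers behind the router (assumed value).
CUSTOMER_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2004-04-12T10:00:01 10.0.0.25 41022 203.0.113.10 25 tcp
2004-04-12T10:00:02 10.4.7.88 1042 203.0.113.10 25 tcp
2004-04-12T10:00:02 10.4.7.88 1043 198.51.100.7 25 tcp
2004-04-12T10:00:03 10.4.7.88 1044 192.0.2.44 25 tcp
2004-04-12T10:00:04 10.9.1.3 2000 192.0.2.80 80 tcp
2004-04-12T10:00:05 10.0.0.26 41023 198.51.100.7 25 tcp
2004-04-12T10:00:06 10.12.5.5 3001 192.0.2.44 25 tcp
"""


def parse_flow(line):
    """Split one flow record into typed fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def is_policy_violation(flow):
    """Outbound TCP/25 from a customer host that is not an authorised relay.
    This is exactly the traffic the border rule would drop."""
    return (flow["proto"] == "tcp" and flow["dport"] == 25
            and flow["src"] in CUSTOMER_NET
            and flow["src"] not in AUTHORISED_RELAYS)


def find_violations(text):
    """All flows in the log text that violate the egress policy."""
    flows = [parse_flow(line) for line in text.splitlines() if line.strip()]
    return [f for f in flows if is_policy_violation(f)]


def suspected_spam_sources(text, threshold=3):
    """Hosts that reached at least `threshold` distinct external SMTP servers:
    the fan-out pattern of a compromised machine relaying spam directly."""
    destinations = {}
    for f in find_violations(text):
        destinations.setdefault(f["src"], set()).add(f["dst"])
    return sorted(str(ip) for ip, d in destinations.items() if len(d) >= threshold)


if __name__ == "__main__":
    for f in find_violations(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:25 violates egress policy")
    print("suspected spam sources:", suspected_spam_sources(SAMPLE_FLOWS))
```

The same predicate, expressed as a firewall rule on the customer-facing router, is the enforcement half; running it as a query over flow logs first shows who would be affected before anyone is blocked.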
Or we could just make commercial software vendors responsible for the quality of their software.
In other words, Homeland security and the FBI blew all their money on booze, cigarettes, and hookers, so now someone else must pay to take care of problems like internet insecurity before they become problems.
But is it really that simple? Can all security threats be stopped before they start, or should the government be held accountable for part of it? Seems to me like they are trying to lay some responsibility on the big corporations (not a horribly bad thing) but the reasons behind this are not good. I think their attention is focused in the wrong places. Their attitude is that creating colored alert systems and making duct tape warnings is of more importance than securing the global internet infrastructure.
I guess keeping people focused on the T word (Terrorism) is key to keeping them from realizing that the executive branch really sucks right now.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
I think it's great that attention is being drawn to security. I think that there should be triple damages for a company releasing data defined private or against any agreement you had pre-arranged. Yet how are you going to protect your data when you outsource your transaction to some place that doesn't live by these rules? You can't. Except recognize that certain corporations outsource and use this information for your decision on who to use. Evaluate it and if you feel that this type of outsourcing isn't protecting your data and interests then don't use said corporation.
Even if it's not actually essential, net access is now viewed as essential by enough workers that taking it away will hurt morale.
1. Allow insecure software to become entrenched with monopoly power
2. Watch while a global industry in wormware develops to take advantage of this
3. Blame the users for not preventing it.
Excellent strategy, which will help enormously. While we're at it, let's stick a large label on new PCs saying "Warning: this PC is likely to be infected within 5 minutes of connecting to the Internet, but that's your fault."
Why... why are companies allowed to sell software that has known defects? Surely it's technically possible to ensure that every installation of Windows XP leaves the shop with all necessary patches?
Ceci n'est pas une signature
The problem isn't the lack of CEO involvement, it's the lack of clout technology officers have. People seem to ignore the advice of technology advisers of all sorts. If a system administrator says something is insecure, one would think the people who hired them would listen, but they don't.
This is brilliantly demonstrated by electronic voting. Almost all security experts say it is a bad idea. Almost all technology websites trash the idea. When all the experts in a field say not to do it, the politicians still think it's a good idea. Thus, they are truly fools, for they do not know that they are fools.
One of the main flaws to all this: they used representatives from technology companies. Did they never consider talking to security experts? Despite recent changes, the American higher education system has some of the best research institutes in the world, and amazingly enough, there are experts at those institutes! Even better, those experts are relatively unbiased! Oh, the possibilities!
Strangely enough, that's not the problem. The problem is that there are too many governmental enablers. The government gives all sorts of help to companies who suffer losses from cybersecurity, so they have no motivation to secure themselves. What idiocy.
I guess that, in general, I would have to say most of these problems are caused by governmental stupidity and corporate vileness, but there is still hope for the future, as there are proposals to force businesses to have regular cyber-security audits, as well as other measures.
Right now the current level of technology in commercial OS systems (I mean Linux/BSD/etc. too) is not enough to stop worms before they can spread.
You can (try) to patch all your services and stay ahead of vulnerabilities, but in a very large organization unpatched machines can fall through the cracks, and in a small organization there may not be enough skilled staff to keep everything patched.
User edjimukation (sic) is all well and good, but unfortunately there will always be a population of Darl's who will willfully ignore best practices and try to do stupid things with viruses and whatnot.
IMHO there are solutions to at least some of the more stupid problems with security. I think the best ones are through least privilege enforcement with Mandatory Access Controls (see SELinux as one very good commercially available example, I also like Domain & Type Enforcement for Linux too!) With MAC systems root is no longer a god, and you have a much richer ability to limit what users can do with things like email attachments. Worms can also be contained much better since you define a policy of what a server is supposed to do instead of trying to pattern match every possible type of malware (an impossible job in the long run).
So why is this rambling post not entirely OT? Well a bigger organization like a corporation will have a greater incentive and a greater ability to start experimenting with MAC systems that are both secure and usable in an office environment. Bigger companies have more resources to work with software vendors to iron out bugs and kinks in the system, and then the refined products can start to filter down to consumer grade products, where security is usually almost non-existent. It is a slow process, but we desperately need better methods and technologies than the standard issue patch & pray employed in today's networks.
AntiFA: An abbreviation for Anti First Amendment.
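The point the comment makes about type enforcement (you describe what each program is allowed to do, and everything else is denied, so a worm riding an attachment runs into the policy rather than a signature database) is easier to see with a small model. The following is an added toy evaluator, not SELinux or DTE code and not from the comment; the domain names, type names and the scenario are made up for the illustration, and the audit line is a made-up format.

```python
"""Toy type-enforcement policy evaluator: subjects (process domains) may
touch objects (labelled types) only through explicit allow rules; anything
not listed is denied. Added illustration, not SELinux/DTE code; all labels
are invented for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    domain: str        # subject label (the running program)
    type_: str         # object label (file, socket, port, ...)
    perms: frozenset   # operations the domain may perform on that type


# Allow rules for two programs. Note what is absent: the mail client may
# save an attachment but never execute it, and httpd never touches mail.
POLICY = [
    Rule("mail_client_t", "mail_spool_t",    frozenset({"read", "write"})),
    Rule("mail_client_t", "attachment_t",    frozenset({"read", "write"})),
    Rule("mail_client_t", "mail_port_t",     frozenset({"connect"})),
    Rule("httpd_t",       "httpd_content_t", frozenset({"read"})),
    Rule("httpd_t",       "http_port_t",     frozenset({"bind", "accept"})),
    Rule("httpd_t",       "httpd_log_t",     frozenset({"append"})),
]


def is_allowed(domain, type_, perm, policy=POLICY):
    """Default deny: true only if some rule explicitly grants the access."""
    return any(r.domain == domain and r.type_ == type_ and perm in r.perms
               for r in policy)


def check(domain, type_, perm, policy=POLICY):
    """Return (decision, audit_line). The denials are what a security team
    reviews: they show a program trying to step outside its job."""
    ok = is_allowed(domain, type_, perm, policy)
    verdict = "granted" if ok else "denied"
    return ok, f"avc: {verdict} {{ {perm} }} scontext={domain} tcontext={type_}"


def worm_scenario(policy=POLICY):
    """Operations a mail-borne worm would attempt after the user opens the
    attachment, and whether the policy lets each through. Returns the
    list of (domain, type, perm) triples that were denied."""
    attempts = [
        ("mail_client_t", "attachment_t",    "read"),     # open it: allowed
        ("mail_client_t", "attachment_t",    "execute"),  # run it: denied
        ("mail_client_t", "httpd_content_t", "write"),    # alter web root: denied
        ("httpd_t",       "mail_spool_t",    "read"),     # httpd reads mail: denied
        ("httpd_t",       "httpd_content_t", "read"),     # normal serving: allowed
    ]
    return [a for a in attempts if not check(*a, policy=policy)[0]]


if __name__ == "__main__":
    for domain, type_, perm in worm_scenario():
        print(check(domain, type_, perm)[1])
```

Nothing in the policy names a virus; the same three denials would stop any payload that tries those steps, which is the "describe the job, not the malware" argument in concrete form. The cost, as the comment also notes, is that somebody has to write and maintain a policy for every program that matters.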
How then will we pore through picture after picture of celebrity assess then?
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
A relative of mine works for Oxford Health Insurance, where they have to 'apply for internet access'. This kind of scrutiny hurts company morale, especially if you are not one of the illuminati whose packets are permitted to pass.
Internet access at a computer today is something that is taken for granted; it is assumed when you sit at a computer that you will be able to get online, especially at your office. I liken restricting internet access to the removal of Solitaire from office PCs. Sure, your employees shouldn't be playing solitaire when they should be working, but what's so wrong about getting in a game or two on your lunch break, if it's what you enjoy?
As far as security goes, that's a problem for your IT crew. IT departments are designed to support and educate users, but with the increasing amount of elitism among IT workers, their strategy seems to be getting rid of the users, so they don't have to deal with them, i.e. dropping internet access. If your IT department doesn't know how to keep a network secure, then guess what guys? It's time to learn Hindi.
This is gonna land me in deep water but it's definitely a two way affair -
If the CEOs spend the required money hiring people to take on the responsibility of securing a network, then why is it the CEO's fault?
If the people being hired are not competent, but played the 'I know what I'm doing' role, then it is still their fault.
The only time I see it as acceptable that the CEO gets the blame is when the CEO him/herself directly contributes to the lack of security or employee laxness.
The article, imho, is hinting that if a company was to go down due to security problems then it's the CEO who gets the blame if, and when, they are led to believe their networks are (or were in this case) secure/d by an (incompetent) tech-support guy.
I say it truthfully AND before I become flamebait: I have the utmost confidence for *most* IT people, it's usually the users who contribute to the problem not IT departments, but I truly do, in this case, feel sorry for the CEO (with their huge paychecks and massive perks) when they get the blame for something that they did honestly have a go at fixing/preventing.
Worms/Virii are designed to be destructive and disruptive and there is little to no way that most users will ever learn that they need to be more cautious about security without having their credit card details exposed by a black-hat or their personal PC brought to a halt by the world's least advanced virus - because the user hadn't patched their virus scanner.
It's a case of once bitten twice afraid - and if it's kept that way by the community, as long as it doesn't affect me, then I'm all for it - I just hate cleaning up after one has hit.
New rule for virii - release a strain to the public and release a quick-repair tool at the same time to slashdot!
Chief executives and their boards should be responsible for securing their networks. Who would disagree with that?
The real question is should they be responsible to others if holes in their security cause damage to other companies' or individuals' networks?
To that question I would have to disagree. There are so many security holes in the software that have yet to be found and patches created, the only way a company could truly be sure their networks are secure would be to either use open source, write their own system software or prevent access to the internet.
Surely employees don't have to surf the web at work?
No, they don't need to surf at work. However, being a BOFH and cutting off internet access to the employees doesn't do much for employee morale.
Sooner or later all your good employees will leave, and you'll be stuck with disgruntled employees who don't have the skills to get another job (and are underqualified for the one they have), or recent grads who have no other choice but will leave as fast as they can. You'll lose money in training and recruiting costs.
Draconian measures might save money in the short run, but keeping employees happy does much more for employee retention.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
What definition of 'absolutely necessary' are we using here?
Quick anecdote: I used to work for a large company that made web authoring tools. At some point we had to ask ourselves whether we still wanted NFR versions of our rather expensive software available to every employee on the intranet. Was it absolutely necessary for the receptionist to install an HTML editing environment? Creating HTML was not part of his job.
Our decision was that if our receptionist takes an interest in our own products and wants to play with them, that's a Good Thing[tm Martha Stewart] and should be encouraged. It'll make him more interested in the company and a more committed employee; we might find out that he's actually a decent designer and can contribute more to the company in our web design group. Did the NFR products get 'pilfered' every once in a while? Sure. But I'll bet you that 95%+ of the pilfering that was going on with them was to people who wouldn't have purchased them anyway -- but now were using them, and talking about them (mostly positively, we hoped :) ).
I work now for a company that doesn't allow general internet access for 90%+ of its employees. I think disallowing general internet access is symptomatic of a certain sort of relationship the company wishes to maintain with its employees and is indicative of how it thinks of them -- and it's not indicative of a particularly high level of trust in, or care for, the employees.
Left to my own devices, I'd rather put in a robust anti-virus and anti-malicious-code system coupled with employee education and discipline for people who break the minimal rules and then let the employees loose. Will some of them surf during work hours and damage their productivity? Indubitably. I still think that the overall benefit in employee morale and easy access to information is going to be worth the occasional loss from someone who can't control his surfing.
I have always believed that the company creating the software should be held responsible for security holes, bad code, backdoors, etc.,. in their own damn code.
Given a way to easily update applications (which virtually every useful and enterprise program has in some form) the only way the end-user should be held responsible if is they haven't stayed on top of these updates.
I can see gray areas where exploits are unknown to the software creators, however once made aware either via direct communications or one of the many vuln/exploit websites they should be required to fix the vunerability in a timely manner.
What really gets me is that MS for example clearly knows that probably 1/2 of the Windows installs are pirated versions and they purposefully disallow the Windows Update feature on these copies. I'm willing to bet a good portion if not most of the trojaned and wormed zombie boxes out there are of this class. Perhaps if MS just sucked it up and turned on Windows Update by DEFAULT and allowed pirated versions to download AT LEAST the critical security updates the Internet would indeed be a much happier place.
BTW, I'm a predominantly Windows user most of the time, so don't just file this under 'hating'.
'He was a dreamer, a thinker, a speculative philosopher... or, as his wife would have it, an idiot.' - Douglas Adams
... buy out those that do.
<insert witty linux comment here>
E.g. coke-net. (Coca-Cola was afraid to have even a web site on the internet for security reasons, but eventually figured out there were probably benefits, too -- like, oh, say, advertising...)
Seriously, yes, corporations *do* need to take better care of their systems, but I'd hazard a from-the-hip guess that the biggest problem these days as far as worm spreading is concerned is home machines and those in lesser "net developed" countries. In other words, ISP's need to become a little more responsible, and go about figuring out how/who/when to block certain ports from leaving their domain (like, say, 25).
I talk about stuff.
> If your IT department doesn't know how to keep a network secure....
How can they keep a network secure if their own users are working against them by installing crap on their PCs like Kazaa or whatever else they think looks fun? They can't really protect a network if the people inside the network are the problem.
Isn't it about time to really assess whether it is absolutely necessary to provide every employee with their own telephone?
Restricting telephone calls to a single secretary (or secretarial pool) that only make and receive calls and forwarded messages on to the internal workforce seems like the absolute maximum telephone usage necessary for most businesses.
Surely employees don't have to make calls (especially personal) while at work?
If executives these days were accountable for anything... seems if you wear a suit and grovel enough you can more or less do whatever you want! Just read the newspaper for examples.
Proxy -- one word to describe the solution. Even though your work obviously does not use the internet, most do. To completely shut off internet access is to take away all of the computers and tell us to code with typewriters and to do systems administration by standing in front of the servers. A network that is set up with a proxy server will have no problems with employees downloading stuff they shouldn't and will keep out most of the viruses. Many antivirus makers today allow you to install on an e-mail server (where most of today's come from) and scan e-mails! You don't seem to mind that e-mail gets through, but that's the worst of it all!
NIST, NIACAP, DITSCAP, ITSCAP, DCID, LMNOPCAP ..
UGH!!
Heck, the government needs to look in house first. They can't even establish a true "STANDARD" security process for the entire federal government, intel community, and defense department. Everyone wants to work off their own sheet of music.
At least a CEO/CIO has to report to the trustees or shareholders if something goes wrong.
Yes, and what's up with all those red Swingline staplers? Let's take them away too.
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
You are a friend of Wesley Crusher!
I briefly had a job without internet access. I signed up to every news site email list with alerts I could find.
Actually they should be allowed to surf. Then you block executables from entering the company's system. Then you salt the network with executable files of your own and fire the people who click them.
Eventually the stupid and weak minded are gone and your company is better for it.
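Two comments in this thread (the proxy/mail-server scanning one, and the "block executables from entering the company's system" one just above) describe the same control: inspect what arrives by mail and refuse anything runnable, rather than trying to recognise each worm. The following is an added example of such a gateway filter, not code from either comment or from any antivirus product. It checks content (magic bytes) before the file name, so a renamed binary or a double extension like report.pdf.scr is still caught, and it looks inside ZIP archives. The extension list and every message are constructed for the example.

```python
"""Mail-gateway attachment filter: reject executables at the border instead
of trying to recognise every worm. Added example, not code from the thread
or from any antivirus product; every message below is constructed inline."""
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows will run on double-click (assumed, non-exhaustive list).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# File signatures of native executables (PE/DOS and ELF).
MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable"}


def classify_bytes(name, data):
    """Return a reason string if the attachment looks executable, else None.
    Content is checked before the name, so renaming foo.exe to foo.txt
    (or disguising it as report.pdf.scr) does not get it through."""
    for sig, desc in MAGIC.items():
        if data.startswith(sig):
            return f"{name}: {desc} by magic bytes"
    lower = name.lower()
    for ext in EXEC_EXTENSIONS:
        if lower.endswith(ext):
            return f"{name}: executable extension {ext}"
    if lower.endswith(".zip"):  # look inside archives, recursively
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = classify_bytes(member, zf.read(member))
                    if inner:
                        return f"{name}: archive contains {inner}"
        except zipfile.BadZipFile:
            return f"{name}: claims to be a ZIP archive but is not parseable"
    return None


def scan_message(raw):
    """Scan a raw RFC 822 message; an empty list means it may be delivered."""
    msg = email.message_from_bytes(raw)
    reasons = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:          # body text and multipart containers
            continue
        payload = part.get_payload(decode=True) or b""
        reason = classify_bytes(filename, payload)
        if reason:
            reasons.append(reason)
    return reasons


def build_message(filename, data):
    """Construct a test message with one attachment (example data only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (example data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def scan_samples():
    """Run the filter over constructed messages; returns {label: reasons}."""
    samples = {
        "plain text":        build_message("readme.txt", b"hello"),
        "double extension":  build_message("report.pdf.scr", b"MZ\x90\x00stub"),
        "renamed binary":    build_message("notes.txt", b"MZ\x90\x00stub"),
        "script":            build_message("macro.vbs", b"MsgBox 1"),
        "zipped executable": build_message("bundle.zip",
                                           make_zip({"setup.exe": b"MZ\x90\x00stub"})),
    }
    return {label: scan_message(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, reasons in scan_samples().items():
        status = "PASS" if not reasons else "BLOCK: " + "; ".join(reasons)
        print(f"{label:18} -> {status}")
```

A filter like this is deliberately blunt: it will also block a legitimate installer somebody mailed to a colleague, and that is the trade the comment is proposing. Office macro formats, password-protected archives and other containers are not covered here and would need their own handling.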
From their Symbiot.NET page:
In other words, this could be a method for monitoring a network's "health," either your own or someone else's. This kind of system, whether implemented by Symbiot or someone else, and if done correctly, could provide a yardstick by which everyone could be measured. Even a partially flawed "risk metric" may be better than none, if the metric was applied systematically.
Surely employees don't have to make calls (especially personal) while at work?
Sure, and every computer system works magically out of the box? What if that "enroll in a health care plan here" site doesn't work correctly? What if I need tech support to come down and install a local administrator account on my machine? My staff assistant isn't necessarily the person that I would want to have to talk directly to our help desk on my behalf.
--You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
I have heard that HIPAA allows companies to avoid liability for data that goes to off-shore companies... Anyone know if that is true?
What is security like at some of these companies that operate in countries with little/no law enforcement?
(as opposed to relying on magical network security elves that secure your network while you sleep and provide freshly made footware in the morning)
... and a pony.
-kgj
This paper addresses some of the issues you mentioned.
ObDisclaimer: I am one of the authors (though no longer at CERT) and express some opinions in the paper re: patching schedules and general due care in this area.
I want to drag this out as long as possible. Bring me my protractor.
Nope, I NEVER need to check the USPTO database at work. Nor do I ever need to go check the documentation on programs/languages I use to do my job, especially when cutbacks have all but done away with the ability to order dead-tree documentation. And of course I don't need to keep current with technology and technology news.
Surely employees don't have to surf the web at work?
I am an embedded systems firmware engineer at a small (~20 employees) company. In addition, I manage the network here, maintain the workstations and purchase/setup any new computers required. I am going to state unequivocally that I simply could not do my job(s) without Internet access.
Whether it is finding, downloading and installing the latest drivers for a new or existing system, researching new microcontrollers for new product development, chasing descriptions of the latest viruses I need to be aware of, etc, etc, there is simply no way I can do without Internet access.
On a more mundane level: the receptionist here uses dictionary.com constantly while she composes mailings and newsletters for our company; purchasing now does most of the ordering on-line with parts suppliers and has a list of suppliers that are only available with Web access for shortages of critical components; and the machinist, fer chrissakes, recently used a system on the manufacturing floor to look up a particularly challenging process to make a spring for a product that absolutely had to ship the next day.
I am not even going to mention e-mail: it has grown into a huge resource for dealing with customers and suppliers, second only to the telephone.
In short, I feel that cutting off Internet access to any person in the company that uses the computer on a daily basis (and some, like the machinist I mentioned above, that don't use it every day) is equivalent to shooting yourself in the head in the business sense. Let me also mention that our firewall is very tight, we simply do NOT use IE or outlook/exchange server because of security issues and I keep all the employees informed on what is currently making the rounds in the way of spam-mail/viruses/adware/spyware. We have not had ANY major infections in the last 3 years.
If you don't trust your employees to use the resources wisely, then you need new employees, NOT restricted Internet access!
Chief executives of U.S. corporations and their boards of directors should assume direct responsibility for securing their computer networks from worms, viruses and other attacks...
This is flat out impossible to achieve without Free and/or Open Source Software. For someone to assume responsibility for their software, they need to be able to proactively deal with defects.
How can this be done with closed-source software? It can't. Closed-source software (CSS) vendors assume no liability and no responsibility for the worthiness of their product. If I built a building and the building collapsed during an earthquake, the first question is "why did this happen?". The answer is to go back to the building's blueprints and inspect the design.
Only F/OSS accommodates this. Freedom and Responsibility are directly linked. If someone is responsible for something, they must have the freedom to be able to act upon it. There is no freedom with CSS.
Ruby on Rails Screencast
I wonder if it would be possible for a big corporation to try to fight their way through the legal system and make Microsoft pay for damages caused by their bad software.
I mean, if I can do this with any product, why not software? Why should *I* have to spend thousands on something that is not my fault, not even my main business.
If some big corp could fight and win, this would make a great precedent, and might make them start really worrying about security.
They probably couldn't find every possible flaw and patch it before it leaves Redmond, not due to technical reasons, but because at some point they must keep income flowing in (please no flames here).
A 100% bugless Windows would probably take a very long time (increased cost, increased consumer price), this is not necessarily a bad thing, but may drive the price of the Windows computer out of the average joe's hands (which seems to be contra Microsoft's business strategy)
While we're at it, let's stick a large label on new PCs saying "Warning: this PC is likely to be infected within 5 minutes of connecting to the Internet, but that's your fault."
I'm all for this, there are still a TON of people who don't even update their virus definitions, most likely because the AV software usually comes pre-installed and (in the case of Norton) definition renewals expire after a time. (though you used to be able to get around this by reinstalling).
Further, Firewall? what's that - the thing that protects you from engine heat? Something in your house that protects fire from spreading quickly.
The Internet is still relatively new to most people, and IMO when you sign up with an ISP, THEY should warn you about security threats on the NET. After all, no software vendor is providing net access. While the ISP is.
Further, an OS should ship with ALL NETWORKING DISABLED, how many people require even 1/3 of the features on an OS.
Should corporate officers take responsibility for security, including the cyber variety? Of course! One wonders about the logistics for measuring their success, but that's not my point.
The real day-to-day security problem is not in the CEO's office, at least not exclusively. We've all seen or had passwords on monitors, and under keyboards. We've all seen or used a birthday, family member, or pet as a "secure" password. We've all telneted when we should have SSH'ed, or HTTP'ed when we should have HTTPS'ed.
We're the same folks who've held the security door open for someone we didn't actually recognize. Changing the context to "cyber" just gets the article posted on /. It doesn't change the real issue of why people, even those who know better, shortcut security principles every day.
To be "secure", companies need to set a priority for security, and enforce policies with sanctions. In fairness, they should also provide people with tools for success, and for computing that means security hardware, security software and near constant security training.
Since doing it "right" costs money, companies will have to balance corporate security against their corporate economy. If it costs more to be "secure" than your assets are worth, then why bother?
Since when do CEOs take any responsibility for their companies?
But really, though, if there is a competent network admin, 99% of these problems will be taken care of.
Whenever you hear the term "cybersecurity," don't read the article! It's gov't-related, or some other BS. No non-BS sources use it.
Must-not-watch TV!
So the U.S. Government points the finger at all the corporations and says:
'Because everyone here uses Microsoft and Microsoft can't get their shit straight, we're gonna have everyone here pay out more money to Microsoft'
*DrugCheese rants*
Motivations to change need to be more than simply regulatory - they need to be financial.
Companies and users who abuse their customers' privacy should be responsible for their abuses.
Companies and developers (open source, too) should take responsibility for their work, and (within the bounds of 'reasonable due diligence') be held responsible for their failures and defects.
What those bounds of "reasonable due diligence" are should be discovered in the traditional ways - industry best practices, regulatory baselines, and professional society codes of conduct.
There should be a tiered collection of mechanisms that consumers can rely on for assurance of the quality and integrity of what they're getting - from "anything goes" to licensed and bonded developers to insurance-backed warranties of performance.
It's time for software to grow up and join the ranks of mature industries.
A craft-guild mentality will hold us all back.
Everyone these days is concerned about security. No more are thoughts on speed, or throughput, but "how secure can we make this" and "is there any way we can even stop brute force attacks on our encryption".
Is IPv4 really that insecure? Why all the hype about IPv6 and its insecure nature (if that really is the case)?
More addressing, and as a quick answer it just makes more sense breaking the address up among subnets, etc. What more do we need for security? You can only get so secure before it's just insane.
In meat world, when a "patch" is needed, a recall of a consumer product, the physical object needs to go back to the shop, then gets returned with the fix in place. With software, even when it is provided on disk, this doesn't happen; the old physical media, the CD, is allowed to stay around.
I think if it's a tangible PROFIT they want, then it's the company's duty to provide a patched TANGIBLE product. They should be required to provide a PATCHED install CD, not just skate on saying "there's a downloadable patch available".
Example in meatworld. Last year I found out two of my small cordless drills were recalled. The company paid to mail the old drills back to them, and they sent me new drills "patched" (they were basically brand new drills of a newer "release" style); they DIDN'T just send me via snail mail or email a set of instructions on how to "fix" the drills. I WASN'T required to show where I had bought the drills, nor if I had a "license to drill with them" or anything of the sort. I shipped the b0rked drills off to them on their nickel, I got patched drills back.
I say apply the SAME rules to software on CDs that are produced and sold for a tangible profit. If they want real money, they need to provide real normal warranties. Make them be forced to take your old CD back at their expense, and have to send you a new CD with the patches, etc. Lather, rinse, repeat until they bingo it's a much better idea to do it *right* in the first place.
IF they were forced by law to provide a replacement of their industry-alleged "tangible" product that they tangibly "profit" from, it would cost them and wake them up. It would cause one of those "paradigm" shifts in the software world, BUT, in the long run, I would be willing to bet that software would be much more intensely audited and tested before it shipped in the future.
That and there REALLY needs to be a law that eliminates the "nothing is our fault, neener neener neener EULA" crap. If they want a tangible profit, they need to have a similar law applied to them that tangible products elsewhere are forced to conform to. It's called normal consumer product warranties.
A long time ago I could see the need for software to be given a time frame to get up to speed on development. It is a mature, sophisticated, entrenched and profitable industry now; these companies can be forced to be treated as competent adults in the marketplace if they are selling a product, no different from other industries. And there should be an actual legal time limit for products that are recallable, and it needs to be MANY years. In some cases, forever.
FORCE them to provide FREE replacement CDs on a one-to-one basis, no questions asked, that have all the same functionality of the original product, but have had the patches applied.
As many times as it takes.
Yes, "recalls" can be expensive to the company, THAT'S THE POINT; it has been shown in every other industry that it works, it is making for much better products in the marketplace, safer, more functional, better, and these companies are still profitable.
"Caveat emptor" is NOT the law of the land with other products, because we as a society decided that that sucked, bigtime, and passed laws about it.
The software companies want it both ways, to be treated as if all their product is a tangible when it comes to profits and income, but they want no responsibility for their "products". Seriously insecure and malfunctioning products everyplace else get recalled. You aren't forced to become your own mechanic and just told how to fix stuff, even if the part is offered.
So, which is /.?
Developers are responsible for secure code? Or, is it the Users?
Remember legislation that might affect open source projects into being responsible for the security of their code? Remember the uproar that caused?
Or is this another friendly gray-area-it-depends-if-it's-convenient-for-my-current-political-agenda issue?
Use Linux. Not only is there less adware/spyware/junkware, but you need to be root to install most software.
The problem is not end users. The problem is not the people writing the virii. The problem is so easy to see and so vanilla that most people have such a hard time seeing something so simple.
Windows is shit. It's swiss cheese for virii. It is an all around horrible OS. I'm not thinking about far earlier versions and where they got us. That part of MS history was rather nice. But where we are... uh... going today (lol) is to hell in a handbasket.
Security is not a product, it's a process. And step 1 is to get Windoze off of your servers.
I await the fan-boys who will scream how Win2K with Service Pack 69 is perfect. Jesus help them...
IPv6 has more than ample IP addresses for everybody. So in practice, IP addresses need not be limited.
But every network should have a firewall between it and the rest of the World. Also, some networks should have internal firewalls between sub-networks, especially for computers handling more sensitive data.
-Nivag
I have been involved in several Sarbanes-Oxley 404 Internal Audits and let me tell you it's an uphill battle. First off I find myself dealing with people working in the financial department. This sort of makes sense since 99% of Sarbanes-Oxley focuses on financial responsibility, but when it comes to 404 specifically it doesn't make sense. I have been in the situation several times where the 404 internal audit was being funded from the finance department. This puts you in a situation where the IT department is at odds with you. They, the IT department, don't know who you are and you need to access all the security aspects of IT and physical security. So, not only do you have to convince the financial types that doing this audit is not optional but mandated by law, you have to then convince IT types the same thing and that you need access to all of their systems. Both are equally difficult because the financial types have a completely different definition of what an audit is and don't understand that an IT audit requires someone to physically check security of each device and run IDS and penetration testing. The IT people are just as hesitant. They understand quickly why you need to do this but don't want it to be a finance-funded person doing the poking around. They want it to be an IT project. Most of the time they have someone in IT that says "heck I can do it" but doesn't understand the reasoning behind Sarbanes-Oxley's requirement for segregation of incompatible duties. Which means in a nutshell that you cannot be involved in a production or support role of the affected systems.
Being in the IT Security field I thought that this would be a big boom for my career but I have not seen it yet. 404 clearly states that someone has to be responsible for reporting on the security readiness of the company. I don't see how the audits I have performed meet this requirement. Do the 20+ page audits that I produce make the CFO think he can report on security readiness? I don't think so, because security is something that changes on a day-to-day basis. Plus I would bet that the CFO is an end user of some of those systems (badge reader, workstation, email, intranet, etc.) and that this would prohibit him from being in that role. If I had the resources I would start a company and outsource the security audit and reporting responsibility. The major expense would be advertising / education of the corporations of the need for such a service.
Anyways, I could go on all day but in summary most corporations have no idea that they need this and the ones that do know don't understand it.
Nick Powers
Encryption: I may not agree with what you say, but I will defend your right to encrypt it...
Hello people, Office Space anyone ?
Having lived in a corporate environment, and seeing others on TV... (the news, even)
Fixing a defect proactively is effectively equivalent to admitting guilt for the problem, and resulting effects. Think exploding Pintos. Part of the problem here is legal, part corporate. I suspect that there's legal exemption for, "We fixed it as soon as we learned of it," but not for the humpty-dump weeks of, "How often is it really deadly?" and, "Is it cheaper to pay off the victims than to fix the problem?" discussions. The result is that they have to turn a blind eye until forced to "discover" the problem, at which point the scales fall from their eyes, they take dynamic action, and look like heroes.
As for software, especially the OS, slipstreaming fixes would be a nightmare. You have multiple points of distribution, multiple and variable length pipelines, and you really want it to look like a preinstalled fix, rather than a respin, just to keep things under control at the help desk.
Perhaps a more feasible suggestion: Since WinXP needs activation, at activation time evaluate the OS and either download or mail a CD with the updates, depending on user preference and bandwidth. That way the manufacturer has at least taken the steps to make the customer aware and get the fixes to him/her.
Yeah, right.
That's absolutely ridiculous. Expecting employees to never need to make calls is assuming a whole lot. 1. You assume that the nature of the business is to have no contact with the outside world. I don't know any business models that can make money and manage to do that. If you do, please let us know. :-) 2. You assume employees never need (and should never) make personal calls during business hours. That's also ridiculous. Disallowing employees to contact their families is a large inconvenience to them, one that will not only lower morale but also lead to many people quitting. If an employee performs well, who cares if he calls his family during work hours? Phone calls are relatively inexpensive. Most Fortune 500 companies spend far more on client calls to China and Japan in a month than they ever spend on personal calls in several years.
Every windows user is a sadomasochist.
In following that logic, if you steal a car from an auto dealer you should still be able to get service on that vehicle. Or presume there is a recall on that vehicle, you should be allowed to get the repair taken care of ?!? NO F'n WAY!
The question is whether the theft removes all the manufacturer liability for defective products. I don't believe it does.
Let's assume that I own a 2004 Ford Exploder and Ford issues a recall for faulty master cylinders that could cause a total loss of braking ability. Now, let's also assume that due to my self-important schedule I put off the recall work; the shop told me it'd be there a week, they have a ton of vehicles to fix, and I've got work, family, etc. obligations and I decide to wait to get it fixed.
Now, let's assume that someone steals the vehicle from my yard six months later. I still hadn't gotten the recall fixup (lazy, busy, whatever), and the thieves crash my Exploder into a minivan full of 5th graders on the way to a soccer game due to the master cylinder problem from above.
Who's at fault, here?
You'd like to blame the thieves, but basic accident forensics shows that the master cylinder failed -- it wasn't reckless driving, speeding, etc. How about Ford? Well, they supplied the vehicle but they made a good effort to get it fixed. What about me? I blew it off, but because Ford's terms were so unacceptable, and I neither drove the vehicle in the accident nor did I create the defect.
The lesson for MS is that if we allow that the defect is ultimately at fault and the manufacturer held responsible, even the piracy of their software shouldn't eliminate their liability for defects, even if their products are used in a manner inconsistent with copyright law.
If MS wants to get back at crackers who use Windows Update, have it disable the network. Not only does this make the computers essentially worthless for most people, it shuts out the viruses, spyware and other crap. Refusing to provide ANY patches for them just feels like finger pointing by MS, and denial of any liability.
You get a +4 Interesting for saying "this is a big problem, let's hope"?
... is to make a switch to Mac OS X. It'd be costly to buy all the new hardware and software; however, consider that 99% of security problems would evaporate in one swift move. That would certainly lessen the cost of security in the long run.
Men believe what they want. - Caesar
Ack. I have the pleasure of preparing for this type of audit in a couple of months. Like I don't have enough work already.
The IS group responsible for running the back-end systems met with some consultants to help prepare them for an audit a few weeks ago. Management controls and separation of duties are a huge part of the audit. From the reports I've read, little to no sanity checks are done to ensure that the recommendations make sense given the organizational structure and value of such systems to the company.
For example, I currently work with a development team of two: myself and a noob I'm training. I should also probably mention that my group used to be made up of five developers, each with several years' experience at the company, until a merger eliminated all of their positions. Now I get to deal with a consultant telling us that we don't have sufficient controls in place because I perform development tasks and am responsible for administration of our *NIX systems, software releases, etc. I guess we're supposed to spend another 100K a year (benefits included) on someone whose sole responsibilities are to check out the latest release, build it, and then run the rsync scripts to push the changes to production?
Our current structure and protocols work well enough for the needs of the company. Why should we spend additional money for additional personnel/overhead when there's no apparent need?
Is it good, or is it whack?
I've seen this discussed dozens of times. Making something 100% secure is pretty much impossible. I've seen it in the 9/11 deconstructionism, I've seen it in the arguments for/against DRM, and now I'm seeing it in computer security.
Making something completely secure is folly. Telling someone else to make something completely secure is setting that person up for failure, which I wouldn't put past this administration.
And putting the responsibility of computer security in the chief executives? ("What color should we make the database?" "I hear mauve has the most RAM") I'll be waiting, over THERE (pointing very far away). Gimme a shout when it's over. Or I'll just listen for the explosion.
You cannot truly appreciate Dilbert until you read it in the original Klingon.
If you thought PHBs were bad, just wait until your CEO (or even better), board of directors, starts telling you how to secure your/their computer networks from worms, viruses and other attacks.
The system you get will be the worst melange of marketing-driven products with all the right buzzwords.
Someday a Slashdot ID of 177180 will mean something.
Corporate CEOs always have and will continue to put security budgets at the bottom of the priority list until of course their internal networks are compromised. :)
How can IT keep users from installing software? Have you heard of restricting administrative access? This gets back to the fact that IT needs to know about securing workstations, have the tools and plans to implement that security effectively, be given the time to implement the plan, and actually implement good security. Then there would be fewer problems directly related to bad security.
Saying that IT cannot protect machines from their users is saying IT doesn't have a clue about security. Fortunately this is not the case in all shops.
Grrliegeek
If you stop employees from using PCs to access the web, they'll use laptops/PDAs with wireless communications.
If you stop employees from using telephones, they'll use mobile phones or use VoIP.
Restrict all forms of communication, and you won't keep/recruit the best staff.
In a research environment, having access to the Internet is essential. Not only is accessing IEEE, ACM portals useful in accessing papers, but a Google search can also root out other papers, and check to see where the commercial and undergraduate knowledge has reached.
Being a sysadmin, and having to hop on google to find a solution to a problem in 5 minutes that otherwise might have taken me a trip home (to google) that night and back in the next day to fix it, I can certainly say that having internet access is crucial to being able to function. On the flip side, I know a lot of non-IT people that really use it for checking their stocks, their checking accounts, the news, finding jokes online, etc. Totally non-business related.
I remember one of my old jobs, where I was in charge of the proxy and the filtering rules, a guy actually went to human resources about the fact that he could access pagan sites on the net, but some Christian sites (probably anti-abortion sites rejected by the policy) were restricted. My first question was, of course, how much *company time* did he spend trying to browse Christian sites (obviously not work related) to find this?
Sure, I have finance.yahoo bookmarked, and check it real quick at the end of the day just to see what the market did (2 minutes), and I occasionally check my 401K balance (debatably somewhat work related, since it counts as "benefits")... but generally when I'm at work, I'm *working*.
Isn't it about time to really assess whether it is absolutely necessary to provide every employee with their own telephone?
I've worked at many companies where every employee does not have their own phone. You think everyone on the factory floor has their own phone?
What definition of 'absolutely necessary' are we using here?
;)
Absolutely necessary as in "if we block access to the net, we'll have to get back to Solitaire". 'Nuff said.
You are more than the sum of what you consume. Desire is not an occupation.
Look...
If the janitor[1] comes up to you and says "The front door isn't secure, we need to put a lock on it." He gets ignored. He's only a janitor, gets paid peanuts, what could he possibly know.
If he puts on a suit and becomes a $200/hour security consultant and charges $15,000 for a security audit coming to the conclusion that, damn those doors should really have locks on them, he will be listened to. That advice is worth $15,000 after all... Isn't it...
[1] And yes, this *is* how systems administrators are viewed by man
Government of the people, by corporate executives, for corporate profits.
I think the situation with "cybersecurity" is part of the much larger problem that (at least in America) people these days are reactive as opposed to proactive.
Our idea of addressing crime is stiffer sentences and more prisons. Reactive, not proactive.
Our idea of fighting the spam problem is to pass more laws. Reactive, not proactive.
Most corporations don't really take security seriously until they have a serious security situation (say that 3 times fast). Reactive, not proactive.
The same thing goes for users. Nobody worries about viruses or worms until the third time they have to re-install Windows. Reactive, not proactive.
I have clients who know MS Outlook is a bad program, but they're too lazy to "learn something new"; same thing with IE alternatives. They'll spend 2 minutes installing Firefox and if one web site they use doesn't come up right, then they switch back to IE and blame it on the software.
Our idea of planning seems to involve reaching our hand out to stick a CD in our hard drive which promises to be proactive for us.
It seems for the majority, our society as a whole always seeks the "solution" to a problem which offers the most instant gratification. We use as an excuse, the adage, "If it ain't broke, don't fix it." even when we know something is broken but it hasn't fallen on our heads yet. The new adage should be, "If it doesn't explode in OUR face, then don't fix it."
I suspect the true solution to this problem lies in reprogramming the mainstream to appreciate the value of planning ahead and the not-always-obvious cause-and-effect relationship therein.
Well, I might believe that if there were fewer security issues and warnings.
Shipping an OS with ports open is not a prudent security decision.
Shipping an OS with ports open with no way to close them save installing an extra piece of software called a "firewall" is infuriating.
An attitude of security through obscurity from a software firm whose software products run on 90% of all desktop computers is naive.
Using an environment that allows the programmer to make an error that allows a hostile data packet to corrupt memory without even so much as a warning is foolish.
Continuing to use said environment after repeated (read hundreds if not thousands) vulnerabilities are discovered in all manner of software is totally irresponsible.
In my mind, the best thing that would come out of making businesses liable for their security failures would be that these businesses would start to demand systems that were designed with security in mind.
You see, the problem isn't simply that people aren't applying patches. The problem is that software is being released without security in mind. Leaving ports open unnecessarily, not letting a user lock down their own machine, creating an operating environment so prone to virus exploits, using C/C++ inappropriately when dealing with potentially hostile IO data, etc. represent the root causes of the current batch of problems. For leaders in the software industry to be critical of a user for not installing a patch is, in my mind, hypocrisy of the highest order. This is why I say this idea of making users responsible for failures in a vendor's software is backwards.
Check this "Seth Fink-le-stein" posting history, YHBT! Mods on crack again!
It is recommended that everyone reading this update to the latest version of their anti-virus software, and keep their operating system up to date by downloading and installing the latest patches from windowsupdate.com.
boycott slashdot February 10th - 17th check out: altSlashdot.org
For those of you wondering about OCTAVE: it is the Operationally Critical Threat, Asset, and Vulnerability Evaluation. (It's not really about survivability as such.)
Please understand that what follows is my opinion only.
OCTAVE is interesting: it involves getting input from all levels of the organization to determine what is important to whom and why. This is a pretty effective way to figure out a) what would happen/be affected if $RESOURCE became unavailable, and b) how to best protect $RESOURCE. Having said that, OCTAVE is probably a bit too time-consuming for most organizations; many companies, for example, may not be able to dedicate all the requisite personnel - most of them mission-critical - to a potentially months-long OCTAVE cycle.
I wouldn't say it is outdated; on the contrary, it is conceptual (vice purely operational) and as such ages better than most technical FAQs and HOWTOs.
There is a version for small[er] businesses - i.e. fewer than 100 people - called OCTAVE-S (colloquially called OCTAVE Lite). You can read about it here (scroll down a bit).
Cheers!
I want to drag this out as long as possible. Bring me my protractor.
>When a patch has been on the web for 6 months, its not the software company's fault that the user company has no policy on updating software, insufficient IT staff, and no end-user training.
Yesbut.
It is still the software company's fault that the bug existed in the first place. If the client company doesn't dare install patches because previous patches have crashed the production systems, that's the software company's fault. If the software company's salespeople showed a TCO study that didn't include monitoring for patches, building a regression lab to test patches before deploying them, rolling out patches, and doing this weekly or monthly, then the salespeople misled the client company.
If your car blows up because you got a recall notice six months ago and you ignored it, your fault. If your car gets three recall notices a week, there's something wrong at the manufacturer.
This is why the security biz has a cliche that "senior management support" has to come before any security initiative can succeed.
Think of a company as a machine. The CEO has the root password for that corporate machine. All the black and beige boxen are just components of the corporate machine.
If the CEO issues the wrong commands or even simply neglects the right ones, security is toast.
Expect that they'll be accountable only for following "best practices". A huge unreadable document will define "best practices", auditors will verify that the right paperwork is happening, and a small amount of the effort may wind up improving security.
The real answer is something unmeasurable, namely a cultural change. My dad saw good cultures when he worked as a chemical engineer. His employers were keeping plants safe, not securing computers, but they used the same mindset as a security-conscious company. Everyone from the CEO to the janitor paid attention to safety. The CEO authorized keeping low inventories of dangerous chemicals even if it meant extra downtime. The janitor showed up at weekly meetings to review near misses, to brainstorm what could go wrong, and to fix both.
Good luck legislating that.
Am I the only one who read this title as
"A Need for Greater Cybersexuality?"
(Or am I just the only one dumb enough to post it?)
The context was a discussion of shipping OS'es with patches already applied. For example, OEM's could get master copies that are up-to-date for patches.
Here's an excerpt from the insightful AC above:
EXCERPT BEGINS
-snip-
As for software, especially the OS, slipstreaming fixes would be a nightmare. You have multiple points of distribution, multiple and variable length pipelines, and you really want it to look like a preinstalled fix, rather than a respin, just to keep things under control at the help desk.
Perhaps a more feasible suggestion: Since WinXP needs activation, at activation time evaluate the OS and either download or mail a CD with the updates, depending on user preference and bandwidth. That way the manufacturer has at least taken the steps to make the customer aware and get the fixes to him/her.
EXCERPT ENDS
a more appropriate sig to a particular comment.
Isn't the internet getting that way too ?
Shouldn't the real question be why aren't fortune 500 companies billing M$ for the lost revenue caused?
All I hear all the time are these people "My PC's infected!" or "I have to use Adaware!" Honestly. Micro$oft SUCKS. Point blank. Simple to understand, seeing as how they have the most security problems on the face of the planet. Macs don't have this problem. "That's because Macs don't have as big of a user base." And? Do you REALLY think that's the problem? Or is it that M$ has screwed so many people over, they're sick and tired of it and fight back...? "Why buy a Mac, it's so expensive!" You get what you pay for. You want stability, ease-of-use, and NO POP UP ADS...use a Mac. "There's hardly any software available for it." B.S. Open your eyes and look at Macupdate and Versiontracker alone. Not to mention apple.com's store. There's something for everything. Be it open source, shareware, or commercial-ware. Linux doesn't have this problem. "That's because no one wants to use command line, so there's few users." Right...And that's why most of the eastern governments are thinking of switching to Linux, eh? GUIs are available to Linux users. Mind you, I don't use Linux myself, but I know enough about it to tell you they don't have to worry about buying some crap software from Symantec (AKA Norton)... So...how about people stop bitching about the problems of Virii and start using something else? It saves us all on the other side of the fence from hearing your blood-curdling screams...
IT managers have bosses who want Kazaa, etc. and have the power to get it. So the breaches will always be there.
I think too many /.ers are taking this too personally. I doubt anyone is seriously talking about taking away YOUR access.
:)
There will always be a class of people within any company that should have access to the internet. The question is whether or not every employee should be a member of that class. For example, I work in a small mortgage company. As you may know, the mortgage industry has slowly but surely moved forward into the computer age. Unfortunately, they are nowhere near any standards that can aid in software development. Why is this a problem? Well, within the lifecycle of a single loan, it will be pushed back and forth between a handful of companies. However, since the industry is cluttered with hundreds of companies for each step of the loan process, you can never be sure how you need to format your information to get from origination to closing. Even if the whole industry were paperless, there would still be too many data formats floating around. So why hasn't the mortgage industry ground to a halt? The web. You see, most of these companies use their crappy data formats internally, but provide access to their information through webservices and websites. Unfortunately, too much of the process relies on the latter, but at least it's better than faxes!
In the end, as much as I'd love to unjack their ports from the switches, I still need to provide them with access in order to get their work done.
However, this doesn't mean that I think that employees have a right to internet access. I don't think any company should cower from its employees when it comes to data security. The only problem with being strict is that there are so many other screwups in the business world that put up with security holes that you might actually lose employees if you come off as too strict. While my little mortgage company isn't a military research facility, we do handle some very sensitive data that could cause our borrowers some serious problems if it fell into the wrong hands. As an IT manager, I'd rather see Joe Illclickonanything take a walk than have our data compromised.
As some people have pointed out, there are some good reasons why some employees should have internet access. But I don't think the secretary NEEDS dictionary.com. I mean, can't she use her spell checker, or god-forbid use a dictionary? Also, if you need to blow some steam during lunch, go play gameboy in your car, or how about socializing with your co-workers?
Remember, there is no patch for Human Stupidity.
$>man woman
$>Segmentation fault (core dumped)
Are you telling me that everyone on the factory floor has internet access?
Saying that IT cannot protect their machines from their users is not really accurate until you add in the fact that there are constraints on what IT is allowed to do.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
In the real world, companies can be sued for faulty tangible products such as the (in)famous Firestone tire lawsuits from a few years ago.
When the products in question are intangible, magnetically/optically encoded ones and zeroes loaded from tangible, intrinsically inexpensive media and executing in a computing environment not in the direct, complete control of the software vendor--all bets are off!
In other words, for example, should the software vendor be held responsible for damages caused by a virus-infected copy of their program installed on their customer's machine? I say 'no' unless it can be proven BEYOND A SHADOW OF A DOUBT that the software WAS infected on one of the software vendor's machines PRIOR to it being mass produced and sold to the customer.
I think this is how my PC got the troublesome Klez virus some time ago. After getting rid of it, I treat such system security as VERY IMPORTANT--taking such precautions as running an antivirus program and a software firewall at (practically) ALL TIMES.
Yeah, right.