Slashdot Mirror


A Need for Greater Cybersecurity

otterit writes "A story in the Washington Post discusses how chief executives of U.S. corporations and their boards of directors should assume direct responsibility for securing their computer networks from worms, viruses and other attacks, an industry task force working with the federal government said."

32 of 186 comments

  1. What? by Pinky · · Score: 5, Insightful

    So the people that use the software should assume liability for not patching holes but the manufacturer assumes no responsibility for leaving security holes in their product to begin with? This sounds very backwards to me.

    1. Re:What? by Smallpond · · Score: 5, Insightful

      When a patch has been on the web for 6 months, it's not the software company's fault that the user company has no policy on updating software, insufficient IT staff, and no end-user training.

      Heck, a lot of companies don't even have a comprehensive software inventory.

  2. Weed Them Out by MrNonchalant · · Score: 5, Insightful

    Let business Darwinism take its course: those that implement effective countermeasures survive and thrive in a competitive marketplace, those that don't...

  3. Cybersecurity? by cybermace5 · · Score: 5, Insightful

    This is typical. Focus on just one part of a greater problem. The issue is security overall. Your computers can have the most advanced security possible, but it can become useless with a few misplaced words from one of thousands of employees, or a document that missed an appointment with the shredder. When I worked in tech support, I couldn't count the number of times I found usernames and passwords in plain view on post-it notes... the "security conscious" employees would put them under the keyboard. Outside vendors could see any of this at will.

    The internal network can also be destroyed by a simple click on an email attachment. The real issue here is educating people about computers, and expecting a certain level of competency. Too many employees are using something they don't understand; it would be like giving company cars to people who don't know how to remove the keys from the ignition and lock the doors.

    --
    ...
  4. Re:Deciding how important the Net is to your busin by Pig+Hogger · · Score: 5, Insightful

    Surely employees don't have to surf the web at work?

    You're asking the wrong question.

    For the last 8 years, I would not have been able to do any of the work I've been paid to do if I didn't have timely access to the web. It's to the point that I now wonder how I was able to get any work done 15-25 years ago!!! Granted, not all work **REQUIRES** it, but if you start discriminating between functions at work, you will get more disgruntling than good work done; it has come to the point that web access is nothing less than telephone access.

    However, granting internet access to employees doesn't mean that the barest minimum security and/or monitoring should not be deployed. In fact, it would be quite foolish to grant unrestricted/unmonitored internet access to employees.

  5. Re:Deciding how important the Net is to your busin by Anonymous Coward · · Score: 3, Insightful

    Many research materials for the scientific industry rely on unfettered internet access. The heads of management want to see results and they don't want to pay to maintain internal libraries. The IT department doesn't want to establish tunnels and VPNs for every available online resource and database. While more secure it would bring availability to a grinding halt.

    The management heads who like to crack the whip need to make a choice: if they take sadistic joy in cracking the whip then they're either going to have to provide the access (and take responsibility for the contingencies) or they're going to have to lay off the whip. The third option is to continue doing what they're doing: crack the whip as hard as possible and find a scapegoat when the bleeding gets too bad. It's worked for several decades but we're fast approaching a critical mass of disgruntled and blacklisted talent.

    With the social system in America heading freight-train-like towards mediocrity, however, it's no surprise that corporations take no responsibility for the good talent that they use up and throw away like so many expendable human batteries. The bottom line is the dollar sign. For the people closest to the top who continue to earn profit there's no need to take responsibility for the lives they've ruined.

    +++ATHZ

  6. Re:Deciding how important the Net is to your busin by Anonymous Coward · · Score: 2, Insightful

    Even if it's not actually essential, net access is now viewed as essential by enough workers that taking it away will hurt morale.

  7. Blame the users by heironymouscoward · · Score: 5, Insightful

    1. Allow insecure software to become entrenched with monopoly power
    2. Watch while a global industry in wormware develops to take advantage of this
    3. Blame the users for not preventing it.

    Excellent strategy, which will help enormously. While we're at it, let's stick a large label on new PCs saying "Warning: this PC is likely to be infected within 5 minutes of connecting to the Internet, but that's your fault."

    Why... why are companies allowed to sell software that has known defects? Surely it's technically possible to ensure that every installation of Windows XP leaves the shop with all necessary patches?

    --
    Ceci n'est pas une signature
    1. Re:Blame the users by bruthasj · · Score: 2, Insightful

      Why... why are companies allowed to sell software that has known defects? Surely it's technically possible to ensure that every installation of Windows XP leaves the shop with all necessary patches?

      If it's that easy, why don't you get back to us once you've got it complete.

      This is not meant to be a Troll, but think about the question and think about politics, bureaucracy, red tape, etc. Oh, and you might want to start your own biz too, that helps put things in perspective.

  8. The Government is Stupid by Jameth · · Score: 5, Insightful

    For too long, the 37-member task force said, senior executives have ignored computer security or left it to their technology officers, who might not have the clout or inclination to make necessary changes.

    The problem isn't the lack of CEO involvement; it's the lack of clout technology officers have. People seem to ignore the advice of technology advisers of all sorts. If a system administrator says something is insecure, one would think the people who hired them would listen, but they don't.

    This is brilliantly demonstrated by electronic voting. Almost all security experts say it is a bad idea. Almost all technology websites trash the idea. When all the experts in a field say not to do it, the politicians still think it's a good idea. Thus, they are truly fools, for they do not know that they are fools.

    The report is the latest in a series produced as part of an industry partnership [...] Members of the task force included representatives from technology companies

    One of the main flaws to all this: they used representatives from technology companies. Did they never consider talking to security experts? Despite recent changes, the American higher education system has some of the best research institutes in the world, and amazingly enough, there are experts at those institutes! Even better, those experts are relatively unbiased! Oh, the possibilities!

    ...after heavy lobbying from technology companies, the initiative recommended no mandates on the private sector and left it up to the companies to work with the government to devise self-regulatory steps for improvement.

    Strangely enough, that's not the problem. The problem is that there are too many governmental enablers. The government gives all sorts of help to companies who suffer losses from cybersecurity, so they have no motivation to secure themselves. What idiocy.


    I guess that, in general, I would have to say most of these problems are caused by governmental stupidity and corporate vileness, but there is still hope for the future, as there are proposals to force businesses to have regular cyber-security audits, as well as other measures.

    1. Re:The Government is Stupid by boudie · · Score: 2, Insightful

      "Gentlemen, we've got to protect our phoney-baloney jobs." Mel Brooks

  9. Why do worms propagate in the first place... by CajunArson · · Score: 4, Insightful

    Right now the current level of technology in commercial OS systems (I mean Linux/BSD/etc. too) is not enough to stop worms before they can spread.
    You can (try) to patch all your services and stay ahead of vulnerabilities, but in a very large organization unpatched machines can fall through the cracks, and in a small organization there may not be enough skilled staff to keep everything patched.
    User edjimukation (sic) is all well and good, but unfortunately there will always be a population of Darl's who will willfully ignore best practices and try to do stupid things with viruses and whatnot.
    IMHO there are solutions to at least some of the more stupid problems with security. I think the best ones are through least privilege enforcement with Mandatory Access Controls (see SELinux as one very good commercially available example; I also like Domain & Type Enforcement for Linux too!) With MAC systems root is no longer a god, and you have a much richer ability to limit what users can do with things like email attachments. Worms can also be contained much better since you define a policy of what a server is supposed to do instead of trying to pattern match every possible type of malware (an impossible job in the long run).
    So why is this rambling post not entirely OT? Well, a bigger organization like a corporation will have a greater incentive and a greater ability to start experimenting with MAC systems that are both secure and usable in an office environment. Bigger companies have more resources to work with software vendors to iron out bugs and kinks in the system, and then the refined products can start to filter down to consumer grade products, where security is usually almost non-existent. It is a slow process, but we desperately need better methods and technologies than the standard issue patch & pray employed in today's networks.

    --
    AntiFA: An abbreviation for Anti First Amendment.

  10. Re:Deciding how important the Net is to your busin by TedCheshireAcad · · Score: 2, Insightful

    A relative of mine works for Oxford Health Insurance, where they have to 'apply for internet access'. This kind of scrutiny hurts company morale, especially if you are not one of the illuminati whose packets are permitted to pass.

    Internet access at a computer today is something that is taken for granted, it is assumed when you sit at a computer that you will be able to get online, especially at your office. I liken restricting internet access to the removal of Solitaire from office PCs. Sure, your employees shouldn't be playing solitaire when they should be working, but what's so wrong about getting in a game or two on your lunch break, if it's what you enjoy?

    As far as security goes, that's a problem for your IT crew. IT departments are designed to support and educate users, but with the increasing amount of elitism among IT workers, their strategy seems to be getting rid of the users, so they don't have to deal with them, i.e. dropping internet access. If your IT department doesn't know how to keep a network secure, then guess what guys? It's time to learn Hindi.

  11. Re:Deciding how important the Net is to your busin by Tenebrious1 · · Score: 5, Insightful

    Surely employees don't have to surf the web at work?

    No, they don't need to surf at work. However, being a BOFH and cutting off internet access to the employees doesn't do much for employee morale.

    Sooner or later all your good employees will leave, and you'll be stuck with disgruntled employees who don't have the skills to get another job (and are underqualified for the one they have), or recent grads who have no other choice but will leave as fast as they can. You'll lose money in training and recruiting costs.

    Draconian measures might save money in the short run, but keeping employees happy does much more for employee retention.

    --
    -- If god wanted me to have a sig, he'd have given me a sense of humor.

  12. Re:Deciding how important the Net is to your busin by CrankyFool · · Score: 5, Insightful

    What definition of 'absolutely necessary' are we using here?

    Quick anecdote: I used to work for a large company that made web authoring tools. At some point we had to ask ourselves whether we still wanted NFR versions of our rather expensive software available to every employee on the intranet. Was it absolutely necessary for the receptionist to install an HTML editing environment? Creating HTML was not part of his job.

    Our decision was that if our receptionist takes an interest in our own products and wants to play with them, that's a Good Thing[tm Martha Stewart] and should be encouraged. It'll make him more interested in the company and a more committed employee; we might find out that he's actually a decent designer and can contribute more to the company in our web design group. Did the NFR products get 'pilfered' every once in a while? Sure. But I'll bet you that 95%+ of the pilfering that was going on with them was to people who wouldn't have purchased them anyway -- but now were using them, and talking about them (mostly positively, we hoped :) ).

    I work now for a company that doesn't allow general internet access for 90%+ of its employees. I think disallowing general internet access is symptomatic of a certain sort of relationship the company wishes to maintain with its employees and is indicative of how it thinks of them -- and it's not indicative of a particularly high level of trust in, or care for, the employees.

    Left to my own devices, I'd rather put in a robust anti-virus and anti-malicious-code system coupled with employee education and discipline for people who break the minimal rules and then let the employees loose. Will some of them surf during work hours and damage their productivity? Indubitably. I still think that the overall benefit in employee morale and easy access to information is going to be worth the occasional loss from someone who can't control his surfing.

  13. Call Me Crazy... by nherc · · Score: 4, Insightful

    I have always believed that the company creating the software should be held responsible for security holes, bad code, backdoors, etc. in their own damn code.

    Given a way to easily update applications (which virtually every useful and enterprise program has in some form) the only way the end-user should be held responsible is if they haven't stayed on top of these updates.

    I can see gray areas where exploits are unknown to the software creators, however once made aware either via direct communications or one of the many vuln/exploit websites they should be required to fix the vulnerability in a timely manner.

    What really gets me is that MS for example clearly knows that probably 1/2 of the Windows installs are pirated versions and they purposefully disallow the Windows Update feature on these copies. I'm willing to bet a good portion if not most of the trojaned and wormed zombie boxes out there are of this class. Perhaps if MS just sucked it up and turned on Windows Update by DEFAULT and allowed pirated versions to download AT LEAST the critical security updates the Internet would indeed be a much happier place.

    BTW, I'm a predominantly Windows user most of the time, so don't just file this under 'hating'.

    --
    'He was a dreamer, a thinker, a speculative philosopher... or, as his wife would have it, an idiot.' - Douglas Adams

    1. Re:Call Me Crazy... by Osrin · · Score: 2, Insightful

      While it's always good fun to craft an argument that you can quickly turn on Microsoft... what you're suggesting would make it near impossible for a startup to get going, and would probably put most of the smaller software companies out of business in a matter of weeks.

    2. Re:Call Me Crazy... by WildThing · · Score: 2, Insightful

      What really gets me is that MS for example clearly knows that probably 1/2 of the Windows installs are pirated versions and they purposefully disallow the Windows Update feature on these copies.

      I seriously hope you are joking! Don't get me wrong, I hate Microshaft just as much, if not more, than the next person; however, what you are saying is that a Company that produces a commercial product should support and update that product for any and all persons that steal that product. I, and I hope most others, whole-heartedly disagree.

      In following that logic, if you steal a car from an auto dealer you should still be able to get service on that vehicle. Or presume there is a recall on that vehicle, you should be allowed to get the repair taken care of?!? NO F'n WAY!

      People with these quick and shallow points of view annoy me. If you think that a point of view is the right one, test it for yourself and see if it is reasonable or just an attack on a person, social group, ethnic group, company... whatever! The old "Think before you speak" or perhaps "Think before you act" (gets off soapbox)

  14. those that don't... by elwell642 · · Score: 2, Insightful

    ... buy out those that do.

    --

    <insert witty linux comment here>

  15. Re:Deciding how important the Net is to your busin by Rikus · · Score: 5, Insightful

    > If your IT department doesn't know how to keep a network secure....

    How can they keep a network secure if their own users are working against them by installing crap on their PCs like Kazaa or whatever else they think looks fun? They can't really protect a network if the people inside the network are the problem.

  16. Re:Taken to the extreme... by ThisIsFred · · Score: 3, Insightful

    I know you were modded funny, but, why would servers need anti-virus software, even if they were Windows servers? Do we have sysops that configure servers to execute binaries off of their own shares?

    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS

  17. Re:Deciding how important the Net is to your busin by Anonymous Coward · · Score: 2, Insightful

    Surely employees don't have to surf the web at work?

    I am an embedded systems firmware engineer at a small (~20 employees) company. In addition, I manage the network here, maintain the workstations and purchase/setup any new computers required. I am going to state unequivocally that I simply could not do my job(s) without Internet access.

    Whether it is finding, downloading and installing the latest drivers for a new or existing system, researching new microcontrollers for new product development, chasing descriptions of the latest viruses I need to be aware of, etc, etc, there is simply no way I can do without Internet access.

    On a more mundane level: the receptionist here uses dictionary.com constantly while she composes mailings and newsletters for our company; purchasing now does most of the ordering on-line with parts suppliers and has a list of suppliers that are only available with Web access for shortages of critical components; and the machinist, fer chrissakes, recently used a system on the manufacturing floor to look up a particularly challenging process to make a spring for a product that absolutely had to ship the next day.

    I am not even going to mention e-mail: it has grown into a huge resource for dealing with customers and suppliers, second only to the telephone.

    In short, I feel that cutting off Internet access to any person in the company that uses the computer on a daily basis (and some, like the machinist I mentioned above, that don't use it every day) is equivalent to shooting yourself in the head in the business sense. Let me also mention that our firewall is very tight, we simply do NOT use IE or outlook/exchange server because of security issues and I keep all the employees informed on what is currently making the rounds in the way of spam-mail/viruses/adware/spyware. We have not had ANY major infections in the last 3 years.

    If you don't trust your employees to use the resources wisely, then you need new employees, NOT restricted Internet access!

  18. Re:Open source by Simon+Lyngshede · · Score: 2, Insightful

    One thing open source software will never fix is poor administration, which really is a large part of the problem. Sure, you escape viruses and worms, until someone writes one for Linux, BSD, MacOSX, whatever. Most viruses no longer need security holes in the operating system or the end user software, they exploit user ignorance.

    I'm all for companies using open source software, just don't think it will fix all your problems.

  19. Not OT, just a different scale. by Eric_Cartman_South_P · · Score: 4, Insightful

    Going away from "enterprise" sized businesses, and looking at small businesses with 5 or less employees (such as myself) I have everything Mac OS X and I do not care about the 80,000+ windoze virii or trojans. Just... don't... care. I could replace the Macs with lovely Linux and continue to not care.

    The problem is not end users. The problem is not the people writing the virii. The problem is so easy to see and so vanilla that most people have such a hard time seeing something so simple.

    Windows is shit. It's swiss cheese for virii. It is an all around horrible OS. I'm not thinking about far earlier versions and where they got us. That part of MS history was rather nice. But where we are... uh... going today (lol) is to hell in a handbasket.

    Security is not a product, it's a process. And step 1 is to get Windoze off of your servers.

    I await the fan-boys who will scream how Win2K with Service Pack 69 is perfect. Jesus help them...

  20. Re:Taken to the extreme... by randomencounter · · Score: 2, Insightful

    By running anti-virus software on fileservers you can avoid problems caused by clients with misconfigured or obsolete AV software. I run AV software on my company's Linux based fileservers for exactly that reason.

    --
    Forget diamonds, copyright is forever.

  21. The solution, quite frankly... by Amon+CMB · · Score: 1, Insightful

    ... is to make a switch to Mac OS X. It'd be costly to buy all the new hardware and software, however, consider that 99% of security problems would be evaporated in one swift move. That would certainly lessen the cost of security in the long run.

    --
    Men believe what they want. - Caesar

    1. Re:The solution, quite frankly... by Big_Al_B · · Score: 2, Insightful

      consider that 99% of security problems would be evaporated in one swift move

      And new ones would pop up. Changing OSes to one that's (currently) not under every blackhat's electron microscope is a nice, impractical temporary fix.

      As much as I *love* my Macs (I have two), and as secure as the default install is, I must swing the reality stick here.

      Much of Mac OS X's advantage is obscurity. And "security through obscurity" won't last if one OS is the de facto monopoly in the world.

      Monopolies MicroSuck.

  22. Please don't assume direct responsibility by SuperBigGulp · · Score: 3, Insightful

    If you thought PHBs were bad, just wait until your CEO (or even better), board of directors, starts telling you how to secure your/their computer networks from worms, viruses and other attacks.

    The system you get will be the worst melange of marketing-driven products with all the right buzzwords.

    --
    Someday a Slashdot ID of 177180 will mean something.

  23. Re:Deciding how important the Net is to your busin by grrliegeek · · Score: 3, Insightful

    How can IT keep users from installing software? Have you heard of restricting administrative access? This gets back to the fact that IT needs to know about securing workstations, has the tools and plans to implement that security effectively, is given the time to implement the plan, and actually implements good security. Then there would be fewer problems directly related to bad security.

    Saying that IT cannot protect machines from their users is saying IT doesn't have a clue about security. Fortunately this is not the case in all shops.

    --
    Grrliegeek

  24. part of a larger problem by mabu · · Score: 3, Insightful

    I think the situation with "cybersecurity" is part of the much larger problem that (at least in America) people these days are reactive as opposed to proactive.

    Our idea of addressing crime is stiffer sentences and more prisons. Reactive, not proactive.

    Our idea of fighting the spam problem is to pass more laws. Reactive, not proactive.

    Most corporations don't really take security seriously until they have a serious security situation (say that 3 times fast) Reactive, not proactive.

    The same thing goes for users. Nobody worries about viruses or worms until the third time they have to re-install Windows. Reactive, not proactive.

    I have clients who know MS Outlook is a bad program, but they're too lazy to "learn something new"; same thing with IE alternatives. They'll spend 2 minutes installing Firefox and if one web site they use doesn't come up right, then they switch back to IE and blame it on the software.

    Our idea of planning seems to involve reaching our hand out to stick a CD in our hard drive which promises to be proactive for us.

    It seems for the majority, our society as a whole always seeks the "solution" to a problem which offers the most instant gratification. We use as an excuse, the adage, "If it ain't broke, don't fix it." even when we know something is broken but it hasn't fallen on our heads yet. The new adage should be, "If it doesn't explode in OUR face, then don't fix it."

    I suspect the true solution to this problem lies in reprogramming the mainstream to appreciate the value of planning ahead and the not-always-obvious cause-and-effect relationship therein.

  25. Re:What? (Pardon?) by Pinky · · Score: 2, Insightful

    Well, I might believe that if there were fewer security issues and warnings.

    Shipping an OS with ports open is not a prudent security decision.

    Shipping an OS with ports open with no way to close them save installing an extra piece of software called a "firewall" is infuriating.

    An attitude of security through obscurity at a software firm whose software products run on 90% of all desktop computers is naive.

    Using an environment that allows the programmer to make an error that allows a hostile data packet to corrupt memory without even so much as a warning is foolish.

    Continuing to use said environment after repeated (read hundreds if not thousands) vulnerabilities are discovered in all manner of software is totally irresponsible.

    In my mind, the best thing that would come out of making businesses liable for their security failures would be that these businesses would start to demand systems that were designed with security in mind.

    You see, the problem isn't simply that people aren't applying patches. The problem is that software is being released without security in mind. Leaving ports open unnecessarily, not letting a user lock down their own machine, creating an operating environment so prone to virus exploits, using C/C++ inappropriately when dealing with potentially hostile IO data etc. represent the root causes of the current batch of problems. For leaders in the software industry to be critical of a user for not installing a patch is, in my mind, hypocrisy of the highest order. This is why I say this idea of making users responsible for failures in a vendor's software is backwards.
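
An added example, not from the thread or any poster: the sort of "hostile data packet corrupts memory without so much as a warning" error that comment 25 blames on the programming environment, written out in C beside the bounds-checked form of the same parser. The wire format (a type byte, a name-length byte, then that many name bytes) and the three sample packets are constructed for this example; the function names are mine.

```c
/* Added example (not from the Slashdot thread): a length-prefixed record
 * parser as it is typically first written, and the hardened version. The
 * format and sample packets are constructed for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64

struct record {
    uint8_t type;
    char name[NAME_MAX_LEN];
};

/* Vulnerable: trusts the attacker-controlled length byte. A uint8_t holds
 * up to 255, so a name_len of 64 or more writes past name[] and the
 * compiler says nothing; a length larger than the packet also reads past
 * the end of pkt. Kept as the "before" picture; never give it untrusted
 * input. */
void parse_record_unchecked(const uint8_t *pkt, struct record *out)
{
    uint8_t name_len = pkt[1];
    out->type = pkt[0];
    memcpy(out->name, pkt + 2, name_len);   /* overflow when name_len >= 64 */
    out->name[name_len] = '\0';
}

/* Hardened: every length is checked against both the destination and the
 * bytes actually received before any copy. Returns false and leaves *out
 * untouched on a malformed packet. */
bool parse_record_checked(const uint8_t *pkt, size_t pkt_len, struct record *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return false;
    uint8_t name_len = pkt[1];
    if (name_len >= NAME_MAX_LEN)           /* must leave room for the NUL */
        return false;
    if ((size_t)name_len > pkt_len - 2)     /* length claims bytes not present */
        return false;
    out->type = pkt[0];
    memcpy(out->name, pkt + 2, name_len);
    out->name[name_len] = '\0';
    return true;
}

/* Parse with the checked parser; return the extracted name, or NULL if
 * the packet was rejected. */
const char *checked_name(const uint8_t *pkt, size_t pkt_len)
{
    static struct record rec;
    return parse_record_checked(pkt, pkt_len, &rec) ? rec.name : NULL;
}

/* Constructed sample packets. */
static const uint8_t benign_pkt[]  = { 0x01, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Claims a 200-byte name but carries four bytes: the unchecked parser
 * would copy 200 bytes into a 64-byte field, 196 of them never sent. */
static const uint8_t hostile_pkt[] = { 0x01, 0xc8, 'A', 'A', 'A', 'A' };
/* Claims five name bytes but the packet ends after two. */
static const uint8_t trunc_pkt[]   = { 0x01, 0x05, 'h', 'i' };

int main(void)
{
    struct record rec;
    parse_record_unchecked(benign_pkt, &rec);   /* safe only because input is benign */
    printf("unchecked, benign packet:  type=%u name=\"%s\"\n",
           (unsigned)rec.type, rec.name);

    const char *n = checked_name(benign_pkt, sizeof benign_pkt);
    printf("checked, benign packet:    %s\n", n ? n : "rejected");
    n = checked_name(hostile_pkt, sizeof hostile_pkt);
    printf("checked, hostile packet:   %s\n", n ? n : "rejected");
    n = checked_name(trunc_pkt, sizeof trunc_pkt);
    printf("checked, truncated packet: %s\n", n ? n : "rejected");
    return 0;
}
```

The point the comment makes is visible in the first parser: nothing in the language objects to copying name_len bytes into a 64-byte array. The fix is two comparisons before the copy, one against the destination size and one against the bytes actually received; the hostile sample fails the first, the truncated one the second.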

  26. Bitch, Bitch, Bitch... by Zuka · · Score: 2, Insightful

    All I hear all the time are these people "My PC's infected!" or "I have to use Adaware!" Honestly. Micro$oft SUCKS. Point blank. Simple to understand, seeing as how they have the most security problems on the face of the planet. Macs don't have this problem. "That's because Macs don't have as big of a user base." And? Do you REALLY think that's the problem? Or is it that M$ has screwed so many people over, they're sick and tired of it and fight back...? "Why buy a Mac, it's so expensive!" You get what you pay for. You want stability, ease-of-use, and NO POP UP ADS... use a Mac. "There's hardly any software available for it." B.S. Open your eyes and look at Macupdate and Versiontracker alone. Not to mention apple.com's store. There's something for everything. Be it open source, shareware, or commercial-ware. Linux doesn't have this problem. "That's because no one wants to use command line, so there's few users." Right... And that's why most of the eastern governments are thinking of switching to Linux, eh? GUIs are available to Linux users. Mind you, I don't use Linux myself, but I know enough about it to tell you they don't have to worry about buying some crap software from Symantec (AKA Norton)... So... how about people stop bitching about the problems of Virii and start using something else? It saves us all on the other side of the fence from hearing your blood-curdling screams...