Slashdot Mirror


A Need for Greater Cybersecurity

otterit writes "A story in the Washington Post discusses how chief executives of U.S. corporations and their boards of directors should assume direct responsibility for securing their computer networks from worms, viruses and other attacks, an industry task force working with the federal government said."

23 of 186 comments

  1. Deciding how important the Net is to your business by ObviousGuy · · Score: 5, Interesting

    Isn't it about time to really assess whether it is absolutely necessary to provide every employee with their own internet access?

    Restricting the internet to a single machine (or battery of machines) that only sent and received external email and forwarded it on to the internal network seems like the absolute maximum internet connection necessary for most businesses.

    Surely employees don't have to surf the web at work?

    --
    I have been pwned because my /. password was too easy to guess.
  2. I second this :) by UltimaGuy · · Score: 1, Interesting

    This is really a very big problem plaguing the industry. Someone has to do something, and it's good to see people starting to notice this. Let's hope something worthwhile comes out of this.

    --
    "In questions of science the authority of a thousand is not worth the humble reasoning of a single individual."
  3. Open source by Elektroschock · · Score: 2, Interesting

    Hoops?

    So they will finally migrate to open source technology?

    The German government IT security agency BSI published a nice migration guide. I would like to see that on the other side of the Atlantic.

  4. Sarbanes-Oxley by andy1307 · · Score: 4, Interesting

    As part of the Sarbanes-Oxley act, companies are required to conduct some internal security audits to get a 404 compliance certificate. Without this certification, the company stock can't be traded.

    Although the stiff penalties outlined in the Sarbanes-Oxley Act initially captured the attention of CFOs, they and their staffs are now scrambling to address the far-reaching but less-understood challenge of complying with the new law, and Section 404 in particular. Section 404 requires management to explicitly take responsibility for establishing and maintaining an adequate internal control structure.
  5. Not likely by nate1138 · · Score: 4, Interesting

    It's hard enough to make them take responsibility for things like overstating earnings and embezzlement. How exactly are they going to be forced to be accountable for this?

    --
    Where's my lobbyist? Right here.
  6. Re:Deciding how important the Net is to your busin by Rikus · · Score: 1, Interesting

    > Surely employees don't have to surf the web at work?

    Well, they might as well, but perhaps only through a proxy. That way, the PCs would not need to be exposed directly to the internet, but they would still have limited access to http/other resources. The rest could be done over a company network.
    With IPv4 addresses becoming more scarce, it's probably worthwhile to avoid giving each employee their own address anyway, since the proxy would be able to provide sufficient identification of employees to web servers (I'm sure there's some HTTP header like Proxy-Username).

  7. suggestion by abrotman · · Score: 3, Interesting

    Perhaps some level of legislation would be good. How about a law (only for US) that would outlaw an open relay, requiring each mail server to be configured correctly. Or perhaps something that says an ISP like AOL or Comcast should not permit port 25 traffic beyond its router unless it comes from their own SMTP server.

    I realize lots of spam comes from overseas, but a lot also comes from aol.com, rr.com, comcast.net, etc.

    Or we could just make commercial software vendors responsible for the quality of their software.

    1. Re:suggestion by millahtime · · Score: 2, Interesting

      "Or perhaps something that says an ISP like AOL or Comcast should not permit port 25 traffic beyond its router unless it comes from their own SMTP server."

      Many of the major ISPs won't receive email from an IP that is from residential cable/DSL service. Most of this is already being blocked. I know from personal experience that Comcast is already blocking port 25 in some areas.

      "Or we could just make commercial software vendors responsible for the quality of their software."

      Just commercial. What about open source? Should they not be held to the same standard as commercial?

  8. responsibility by dj245 · · Score: 2, Interesting

    > chief executives of U.S. corporations and their boards of directors should assume direct responsibility for securing their computer networks from worms, viruses and other attacks

    In other words, Homeland security and the FBI blew all their money on booze, cigarettes, and hookers, so now someone else must pay to take care of problems like internet insecurity before they become problems.

    But is it really that simple? Can all security threats be stopped before they start, or should the government be held accountable for part of it? Seems to me like they are trying to lay some responsibility on the big corporations (not a horribly bad thing) but the reasons behind this are not good. I think their attention is focused in the wrong places. Their attitude is that creating colored alert systems and making duct tape warnings is of more importance than securing the global internet infrastructure.

    I guess keeping people focused on the T word (Terrorism) is key to keeping them from realizing that the executive branch really sucks right now.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    1. Re:responsibility by millahtime · · Score: 2, Interesting

      "Seems to me like they are trying to lay some responsibility on the big corporations (not a horribly bad thing)"

      So, are you saying that Homeland Security or the FBI should come in and handle security on their network? Isn't it up to a private company to handle its own security? Or should the US put up one big firewall around the nation and block us off from the rest of the world and manage security that way? Kind of like an old castle moat for cyberspace.

  9. Great but your data is leaving the country by stecoop · · Score: 5, Interesting

    I think it's great that attention is being drawn to security. I think that there should be triple damages for a company releasing data defined as private or against any agreement you had pre-arranged. Yet how are you going to protect your data when you outsource your transaction to some place that doesn't live by these rules? You can't. Except recognize that certain corporations outsource and use this information for your decision on who to use. Evaluate it, and if you feel that this type of outsourcing isn't protecting your data and interests, then don't use said corporation.

  10. Security is mayhem by archonit.net · · Score: 5, Interesting

    This is gonna land me in deep water, but it's definitely a two-way affair:
    if the CEOs spend the required money hiring people to take on the responsibility of securing a network, then why is it the CEO's fault?

    If the people being hired are not competent, but played the 'I know what I'm doing' role, then it is still their fault.

    The only time I see it as acceptable that the CEO gets the blame is when the CEO him/herself directly contributes to the lack of security or employee laxness.

    The article, imho, is hinting that if a company was to go down due to security problems, then it's the CEO who gets the blame if, and when, they are led to believe their networks are (or were in this case) secure/d by an (incompetent) tech-support guy.

    I say it truthfully AND before I become flamebait: I have the utmost confidence for *most* IT people, it's usually the users who contribute to the problem not IT departments, but I truly do, in this case, feel sorry for the CEO (with their huge paychecks and massive perks) when they get the blame for something that they did honestly have a go at fixing/preventing.

    Worms/Virii are designed to be destructive and disruptive, and there is little to no way that most users will ever learn that they need to be more cautious about security without having their credit card details exposed by a black-hat or their personal PC brought to a halt by the world's least advanced virus, because the user hadn't patched their virus scanner.

    It's a case of once bitten, twice afraid. And if it's kept that way by the community, as long as it doesn't affect me, then I'm all for it. I just hate cleaning up after one has hit.

    New rule for virii - release a strain to the public and release a quick-repair tool at the same time to slashdot!

    1. Re:Security is mayhem by CrankyFool · · Score: 2, Interesting

      CEOs get massively compensated if their company's fortune rises because they are considered responsible for that fortune through their hiring decisions.

      It makes perfect sense to hold them responsible for the decisions of their underlings if their hiring decisions prove unfortuitous. You'd have a hard time convincing me to feel bad for them if they hired some schmuck to do their internal security and then didn't bother to audit that person independently -- we expect them to do it with the accountants, so why not with the IT folks?

  11. I have it ... by DikSeaCup · · Score: 2, Interesting

    But I seem to run out Thursday afternoon or Friday morning.

    Seriously, yes, corporations *do* need to take better care of their systems, but I'd hazard a from-the-hip guess that the biggest problem these days as far as worm spreading is concerned is home machines and those in lesser "net developed" countries. In other words, ISPs need to become a little more responsible, and go about figuring out how/who/when to block certain ports from leaving their domain (like, say, 25).

  12. Re:What? by the_mad_poster · · Score: 2, Interesting

    That's the first thing I thought of too. However, how often are security efforts stonewalled by braindead executive types who say "I want security", then later chastise the people who bring it to them for the effect it has on convenience? I'm currently engaged in that exact battle. They said "we want a security system to secure our documents", and when I rolled it out with some basic requirements (you must change your password every thirty days, passwords must be a mix of letters and numbers, and passwords must be at least 6 characters long), they screamed bloody murder about everything except the password length requirement.

    In my experience, the single biggest obstacle to corporate security is office politics and executives who want "special treatment". How often do well-secured networks become infected because the CEO brought in a laptop from home and hooked into the network because they didn't feel a need to follow the security policy? How often have networks been compromised because a CEO wanted dialup access to the network and didn't want to "hassle" with any kind of strong authentication measures? How often have security efforts been blocked because nobody is willing to put out the money to implement a good plan? How often have security efforts been blocked because some executive had their hand down a vendor's pants and refused to use a vendor with a better product because of it?

    I don't think executives should be responsible for implementation, but if it turns out that a compromise results from their inept decisions and attitude problems, well, hang the bastards out to dry.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  13. We don't even have a single standard by otterit · · Score: 2, Interesting

    NIST, NIACAP, DITSCAP, ITSCAP, DCID, LMNOPCAP .. UGH!! Heck, the government needs to look in-house first. They can't even establish a true "STANDARD" security process for the entire federal government, intel community, and defense department. Everyone wants to work off their own sheet of music. At least a CEO/CIO has to report to the trustees or shareholders if something goes wrong.

  14. Re:Deciding how important the Net is to your busin by Misch · · Score: 1, Interesting

    > Surely employees don't have to make calls (especially personal) while at work?

    Sure, and every computer system works magically out of the box? What if that "enroll in a health care plan here" site doesn't work correctly? What if I need tech support to come down and install a local administrator account on my machine? My staff assistant isn't necessarily the person that I would want to have to talk directly to our help desk on my behalf.

    --
    You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs.
  15. not quite by Prince+Vegeta+SSJ4 · · Score: 2, Interesting

    > Surely it's technically possible to ensure that every installation of Windows XP leaves the shop with all necessary patches?

    They probably couldn't find every possible flaw and patch it before it leaves Redmond, not due to technical reasons, but because at some point they must keep income flowing in (please no flames here).

    A 100% bugless Windows would probably take a very long time (increased cost, increased consumer price). This is not necessarily a bad thing, but may drive the price of the Windows computer out of the average joe's hands (which seems to be contra Microsoft's business strategy).

    While we're at it, let's stick a large label on new PCs saying "Warning: this PC is likely to be infected within 5 minutes of connecting to the Internet, but that's your fault."

    I'm all for this, there are still a TON of people who don't even update their virus definitions, most likely because the AV software usually comes pre-installed and (in the case of Norton) definition renewals expire after a time. (though you used to be able to get around this by reinstalling).

    Further, Firewall? What's that? The thing that protects you from engine heat? Something in your house that stops fire from spreading quickly?

    The Internet is still relatively new to most people, and IMO when you sign up with an ISP, THEY should warn you about security threats on the NET. After all, no software vendor is providing net access, while the ISP is.

    Further, an OS should ship with ALL NETWORKING DISABLED. How many people require even 1/3 of the features on an OS?

  16. "Where the buck stops" v. "the man in the mirror" by Big_Al_B · · Score: 2, Interesting

    Should corporate officers take responsibility for security, including the cyber variety? Of course! One wonders about the logistics for measuring their success, but that's not my point.

    The real day-to-day security problem is not in the CEO's office, at least not exclusively. We've all seen or had passwords on monitors, and under keyboards. We've all seen or used a birthday, family member, or pet as a "secure" password. We've all telneted when we should have SSH'ed, or HTTP'ed when we should have HTTPS'ed.

    We're the same folks who've held the security door open for someone we didn't actually recognize. Changing the context to "cyber" just gets the article posted on /. It doesn't change the real issue of why people, even those who know better, shortcut security principles every day.

    To be "secure", companies need to set a priority for security, and enforce policies with sanctions. In fairness, they should also provide people with tools for success, and for computing that means security hardware, security software and near constant security training.

    Since doing it "right" costs money, companies will have to balance corporate security against their corporate economy. If it costs more to be "secure" than your assets are worth, then why bother?

  17. IPv6 by Anonymous Coward · · Score: 1, Interesting

    Everyone these days is concerned about security. No more are thoughts on speed, or throughput, but "how secure can we make this" and "is there any way we can even stop brute force attacks on our encryption".

    Is IPv4 really that insecure? Why all the hype about IPv6 and its insecure nature (if that really is the case)?

    More addressing, and as a quick answer it just makes more sense breaking the address up among subnets, etc. What more do we need for security? You can only get so secure before it's just insane.

  18. tangible recalls and a proposal by zogger · · Score: 3, Interesting

    In meat world, when a "patch" is needed, a recall of a consumer product, the physical object needs to go back to the shop, then gets returned with the fix in place. With software, even when it is provided on disk, this doesn't happen; the old physical media, the CD, is allowed to stay around.

    I think if it's a tangible PROFIT they want, then it's the company's duty to provide a patched TANGIBLE product. They should be required to provide a PATCHED install CD, not just skate on saying "there's a downloadable patch available".

    Example in meatworld. Last year I found out two of my small cordless drills were recalled. The company paid to mail the old drills back to them, and they sent me new drills "patched" (they were basically brand new drills of a newer "release" style). They DIDN'T just send me via snail mail or email a set of instructions on how to "fix" the drills. I WASN'T required to show where I had bought the drills, nor if I had a "license to drill with them" or anything of the sort. I shipped the b0rked drills off to them on their nickel, I got patched drills back.

    I say apply the SAME rules to software on CDs that are produced and sold for a tangible profit. If they want real money, they need to provide real normal warranties. Make them be forced to take your old CD back at their expense, and have to send you a new CD with the patches, etc. Lather, rinse, repeat until they bingo it's a much better idea to do it *right* in the first place.

    IF they were forced by law to provide a replacement of their industry-alleged "tangible" product that they tangibly "profit" from, it would cost them and wake them up. It would cause one of those "paradigm" shifts in the software world, BUT, in the long run, I would be willing to bet that software would be much more intensely audited and tested before it shipped in the future.

    That and there REALLY needs to be a law that eliminates the "nothing is our fault, neener neener neener EULA" crap. If they want a tangible profit, they need to have a similar law applied to them that tangible products elsewhere are forced to conform to. It's called normal consumer product warranties.

    A long time ago I could see the need for software to be given a time frame to get up to speed on development. It is a mature, sophisticated, entrenched and profitable industry now; these companies can be forced to be treated as competent adults in the marketplace if they are selling a product, no different from other industries. And there should be an actual legal time limit for products that are recallable, and it needs to be MANY years. In some cases, forever.

    FORCE them to provide FREE replacement CDs on a one-to-one basis, no questions asked, that have all the same functionality of the original product, but have had the patches applied.

    As many times as it takes.

    Yes, "recalls" can be expensive to the company. THAT'S THE POINT. It has been shown in every other industry that it works; it is making for much better products in the marketplace, safer, more functional, better, and these companies are still profitable.

    "Caveat emptor" is NOT the law of the land with other products, because we as a society decided that that sucked, bigtime, and passed laws about it.

    The software companies want it both ways, to be treated as if all their product is a tangible when it comes to profits and income, but they want no responsibility for their "products". Seriously insecure and malfunctioning products everyplace else get recalled. You aren't forced to become your own mechanic and just told how to fix stuff, even if the part is offered.

  19. Re:Deciding how important the Net is to your busin by Safety+Cap · · Score: 2, Interesting

    > Surely employees don't have to make calls (especially personal) while at work?
    > Sure, ~ [blah, blah, blah] ~?

    I don't think it means what you think it means.

    --
    Yeah, right.
  20. Re:Not OT, just a different scale. by Big_Al_B · · Score: 2, Interesting

    > The problem is not end users. The problem is not the people writing the virii. The problem is so easy to see and so vanilla that most people have such a hard time seeing something so simple.
    >
    > Windows is shit.

    This is so wrongheaded. Not the Windows eval, but the rest.

    Yes, OS X is a great, infinitely more secure, OS. Yes, Linux is cool too.

    And YES, the problem is also End Users, and Operators, and Developers, and Blackhats, and well... Us.

    Windows sucks, and it deserves criticism for its security implementation, if such a thing exists, anyway. BUT, this "root of all computing evil" mentality is simpleminded tripe.

    ALL software has bugs, and some software has "features" that deter security policies. There is no immune OS. An unpatched, poorly admin'ed Linux box is as exploitable as any Windows machine.

    Just ask me. I set up my first Linux hobby box several years ago, using zero Linux clue, and it got owned in a day. (I took it down, developed clue, and redeployed successfully soon after, but I digress..)

    End users with passwords on monitors/under keyboards, operators who telnet to infrastructure over sniffable networks, developers who ignore security, CEOs who don't invest in security hardware/software/training, and virus writers ALL deserve a slice of the blame pie.