A Need for Greater Cybersecurity
otterit writes "A story in the Washington Post discusses how chief executives of U.S. corporations and their boards of directors should assume direct responsibility for securing their computer networks from worms, viruses and other attacks, an industry task force working with the federal government said."
Isn't it about time to really assess whether it is absolutely necessary to provide every employee with their own internet access?
Restricting the internet to a single machine (or battery of machines) that only sent and received external email and forwarded it on to the internal network seems like the absolute maximum internet connection necessary for most businesses.
Surely employees don't have to surf the web at work?
I have been pwned because my
Corporations announce they should be responsible for securing their own networks.
(as opposed to relying on magical network security elves that secure your network while you sleep and provide freshly made footwear in the morning)
So the people that use the software should assume liability for not patching holes, but the manufacturer assumes no responsibility for leaving security holes in their product to begin with? This sounds very backwards to me.
Yea, but how will we post on slashdot then?
Think about the slashdot. Think!
Let business Darwinism take its course: those that implement effective countermeasures survive and thrive in a competitive marketplace, those that don't...
When you make demands like this, the next thing you know, you'll try to make them directly responsible for their corporate financial statements.
[You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
That's not to say that IT security and virii aren't devastating. Just that putting clueless buzzword-directive-issuers in charge, instead of those who understand the implications and directly deal with customers, doesn't solve anything.
It's hard enough to make them take responsibility for things like overstating earnings and embezzlement. How exactly are they going to be forced to be accountable for this?
Where's my lobbyist? Right here.
I know of one large government agency that recently had to turn off all linux machines. Why? There was no anti-virus software installed on them, and the "security czar" required such software on all servers.
This is typical. Focus on just one part of a greater problem. The issue is security overall. Your computers can have the most advanced security possible, but it can become useless with a few misplaced words from one of thousands of employees, or a document that missed an appointment with the shredder. When I worked in tech support, I can't count the number of times I found usernames and passwords in plain view on post-it notes...the "security conscious" employees would put them under the keyboard. Outside vendors could see any of this at will.
The internal network can also be destroyed by a simple click on an email attachment. The real issue here is educating people about computers, and expecting a certain level of competency. Too many employees are using something they don't understand; it would be like giving company cars to people who don't know how to remove the keys from the ignition and lock the doors.
...
For the last 8 years, I would not have been able to do any of the work I've been paid to do if I didn't have timely access to the web. It's to the point that I now wonder how I was able to get any work done 15-25 years ago!!! Granted, not all work **REQUIRES** it, but if you start discriminating between functions at work, you will get more disgruntlement than good work done; it has come to the point that web access is nothing less than telephone access.
However, granting internet access to employees doesn't mean that the barest minimum security and/or monitoring should not be deployed. In fact, it would be quite foolish to grant unrestricted/unmonitored internet access to employees.
I think it's great that attention is being drawn to security. I think that there should be triple damages for a company releasing data defined as private or against any agreement you had pre-arranged. Yet how are you going to protect your data when you outsource your transaction to some place that doesn't live by these rules? You can't. Except recognize that certain corporations outsource and use this information for your decision on who to use. Evaluate it and if you feel that this type of outsourcing isn't protecting your data and interests then don't use said corporation.
1. Allow insecure software to become entrenched with monopoly power
2. Watch while a global industry in wormware develops to take advantage of this
3. Blame the users for not preventing it.
Excellent strategy, which will help enormously. While we're at it, let's stick a large label on new PCs saying "Warning: this PC is likely to be infected within 5 minutes of connecting to the Internet, but that's your fault."
Why... why are companies allowed to sell software that has known defects? Surely it's technically possible to ensure that every installation of Windows XP leaves the shop with all necessary patches?
This is not a signature
The problem isn't the lack of CEO involvement, it's the lack of clout technology officers have. People seem to ignore the advice of technology advisers of all sorts. If a system administrator says something is insecure, one would think the people who hired them would listen, but they don't.
This is brilliantly demonstrated by electronic voting. Almost all security experts say it is a bad idea. Almost all technology websites trash the idea. When all the experts in a field say not to do it, the politicians still think it's a good idea. Thus, they are truly fools, for they do not know that they are fools.
One of the main flaws to all this: they used representatives from technology companies. Did they never consider talking to security experts? Despite recent changes, the American higher education system has some of the best research institutes in the world, and amazingly enough, there are experts at those institutes! Even better, those experts are relatively unbiased! Oh, the possibilities!
Strangely enough, that's not the problem. The problem is that there are too many governmental enablers. The government gives all sorts of help to companies who suffer losses from cybersecurity, so they have no motivation to secure themselves. What idiocy.
I guess that, in general, I would have to say most of these problems are caused by governmental stupidity and corporate vileness, but there is still hope for the future, as there are proposals to force businesses to have regular cyber-security audits, as well as other measures.
Right now the current level of technology in commercial OS systems (I mean Linux/BSD/etc. too) is not enough to stop worms before they can spread.
You can (try) to patch all your services and stay ahead of vulnerabilities, but in a very large organization unpatched machines can fall through the cracks, and in a small organization there may not be enough skilled staff to keep everything patched.
User edjimukation (sic) is all well and good, but unfortunately there will always be a population of Darls who will willfully ignore best practices and try to do stupid things with viruses and whatnot.
IMHO there are solutions to at least some of the more stupid problems with security. I think the best ones are through least privilege enforcement with Mandatory Access Controls (see SELinux as one very good commercially available example; I also like Domain & Type Enforcement for Linux too!) With MAC systems root is no longer a god, and you have a much richer ability to limit what users can do with things like email attachments. Worms can also be contained much better since you define a policy of what a server is supposed to do instead of trying to pattern match every possible type of malware (an impossible job in the long run).
So why is this rambling post not entirely OT? Well, a bigger organization like a corporation will have a greater incentive and a greater ability to start experimenting with MAC systems that are both secure and usable in an office environment. Bigger companies have more resources to work with software vendors to iron out bugs and kinks in the system, and then the refined products can start to filter down to consumer grade products, where security is usually almost non-existent. It is a slow process, but we desperately need better methods and technologies than the standard issue patch & pray employed in today's networks.
AntiFA: An abbreviation for Anti First Amendment.
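To make the "define a policy of what a server is supposed to do" idea concrete, here is an added example (not part of the post above, and not taken from any real SELinux module) of a minimal SELinux type enforcement module in reference-policy style. The daemon name `mydaemon`, its binary path, its state directory and its port (8080, which refpolicy labels `http_cache_port_t`) are all assumptions for illustration. Everything not listed is denied by default, which is the containment property the post is describing.

```selinux
# mydaemon.te -- hypothetical confinement policy for a server called "mydaemon".
# Added illustrative example; assumes reference-policy interfaces are available.
policy_module(mydaemon, 1.0.0)

########################################
# Declarations

# The domain the daemon runs in, and the label of its executable.
type mydaemon_t;
type mydaemon_exec_t;
# Start it from init and transition into mydaemon_t automatically.
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# A private type for the daemon's own state directory.
type mydaemon_var_lib_t;
files_type(mydaemon_var_lib_t)

########################################
# Policy

# Files: it may manage only its own state directory. No rule grants access to
# /etc/shadow, other services' data or user home directories, so a compromised
# daemon cannot read or tamper with them regardless of the UID it runs as.
manage_dirs_pattern(mydaemon_t, mydaemon_var_lib_t, mydaemon_var_lib_t)
manage_files_pattern(mydaemon_t, mydaemon_var_lib_t, mydaemon_var_lib_t)
files_var_lib_filetrans(mydaemon_t, mydaemon_var_lib_t, dir)

# Network: it may listen on its assumed port (8080, http_cache_port_t) and talk
# to accepted connections. Deliberately NO outbound "connect" interface is
# granted, so worm-style propagation from this process to other hosts is denied.
allow mydaemon_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(mydaemon_t)
corenet_tcp_bind_http_cache_port(mydaemon_t)
corenet_tcp_sendrecv_generic_if(mydaemon_t)
corenet_tcp_sendrecv_generic_node(mydaemon_t)
```

The matching file context entry would label the (assumed) binary, e.g. `/usr/sbin/mydaemon -- gen_context(system_u:object_r:mydaemon_exec_t,s0)` in `mydaemon.fc`, and the module is built and loaded with the standard refpolicy toolchain (`make -f /usr/share/selinux/devel/Makefile mydaemon.pp` followed by `semodule -i mydaemon.pp`). Because there is no `domain_transition` or `connect` rule, code execution inside `mydaemon_t` stays inside `mydaemon_t` and cannot open new outbound connections; in permissive mode those attempts show up as AVC denials in the audit log, which is also a convenient way to verify that the policy really is as tight as intended before enforcing it.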
This is gonna land me in deep water but it's definitely a two way affair -
if the CEO's spend the required money hiring people to take on the responsibility of securing a network then why is it the ceo's fault?
If the people being hired are not competent, but played the 'I know what I'm doing' role then it is still their fault.
The only time I see it as acceptable that the ceo gets the blame is when the ceo him/herself directly contributes to the lack of security or employee laxness.
The article, imho, is hinting that if a company was to go down due to security problems then it's the ceo who gets the blame if, and when, they are led to believe their networks are (or were in this case) secure/d by an (incompetent) tech-support guy.
I say it truthfully AND before I become flamebait: I have the utmost confidence for *most* IT people, it's usually the users who contribute to the problem not IT departments, but I truly do, in this case, feel sorry for the CEO (with their huge paychecks and massive perks) when they get the blame for something that they did honestly have a go at fixing/preventing.
Worms/Virii are designed to be destructive and disruptive and there is little to no way that most users will ever learn that they need to be more cautious about security without having their credit card details exposed by a black-hat or their personal PC brought to a halt by the world's least advanced virus - because the user hadn't patched their virus scanner.
It's a case of once bitten twice afraid - and if it's kept that way by the community, as long as it doesn't affect me, then I'm all for it - I just hate cleaning up after one has hit.
New rule for virii - release a strain to the public and release a quick-repair tool at the same time to slashdot!
> Surely employees don't have to surf the web at work?
No, they don't need to surf at work. However, being a BOFH and cutting off internet access to the employees doesn't do much for employee morale.
Sooner or later all your good employees will leave, and you'll be stuck with disgruntled employees who don't have the skills to get another job (and are underqualified for the one they have), or recent grads who have no other choice but will leave as fast as they can. You'll lose money in training and recruiting costs.
Draconian measures might save money in the short run, but keeping employees happy does much more for employee retention.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
What definition of 'absolutely necessary' are we using here?
Quick anecdote: I used to work for a large company that made web authoring tools. At some point we had to ask ourselves whether we still wanted NFR versions of our rather expensive software available to every employee on the intranet. Was it absolutely necessary for the receptionist to install an HTML editing environment? Creating HTML was not part of his job.
Our decision was that if our receptionist takes an interest in our own products and wants to play with them, that's a Good Thing[tm Martha Stewart] and should be encouraged. It'll make him more interested in the company and a more committed employee; we might find out that he's actually a decent designer and can contribute more to the company in our web design group. Did the NFR products get 'pilfered' every once in a while? Sure. But I'll bet you that 95%+ of the pilfering that was going on with them was to people who wouldn't have purchased them anyway -- but now were using them, and talking about them (mostly positively, we hoped :) ).
I work now for a company that doesn't allow general internet access for 90%+ of its employees. I think disallowing general internet access is symptomatic of a certain sort of relationship the company wishes to maintain with its employees and is indicative of how it thinks of them -- and it's not indicative of a particularly high level of trust in, or care for, the employees.
Left to my own devices, I'd rather put in a robust anti-virus and anti-malicious-code system coupled with employee education and discipline for people who break the minimal rules and then let the employees loose. Will some of them surf during work hours and damage their productivity? Indubitably. I still think that the overall benefit in employee morale and easy access to information is going to be worth the occasional loss from someone who can't control his surfing.
I have always believed that the company creating the software should be held responsible for security holes, bad code, backdoors, etc. in their own damn code.
Given a way to easily update applications (which virtually every useful and enterprise program has in some form) the only way the end-user should be held responsible is if they haven't stayed on top of these updates.
I can see gray areas where exploits are unknown to the software creators, however once made aware either via direct communications or one of the many vuln/exploit websites they should be required to fix the vulnerability in a timely manner.
What really gets me is that MS for example clearly knows that probably 1/2 of the Windows installs are pirated versions and they purposefully disallow the Windows Update feature on these copies. I'm willing to bet a good portion if not most of the trojaned and wormed zombie boxes out there are of this class. Perhaps if MS just sucked it up and turned on Windows Update by DEFAULT and allowed pirated versions to download AT LEAST the critical security updates the Internet would indeed be a much happier place.
BTW, I'm a predominantly Windows user most of the time, so don't just file this under 'hating'.
'He was a dreamer, a thinker, a speculative philosopher... or, as his wife would have it, an idiot.' - Douglas Adams
> If your IT department doesn't know how to keep a network secure....
How can they keep a network secure if their own users are working against them by installing crap on their PCs like Kazaa or whatever else they think looks fun? They can't really protect a network if the people inside the network are the problem.
Isn't it about time to really assess whether it is absolutely necessary to provide every employee with their own telephone?
Restricting telephone calls to a single secretary (or secretarial pool) that only makes and receives calls and forwards messages on to the internal workforce seems like the absolute maximum telephone usage necessary for most businesses.
Surely employees don't have to make calls (especially personal) while at work?
The problem is not end users. The problem is not the people writing the virii. The problem is so easy to see and so vanilla that most people have such a hard time seeing something so simple.
Windows is shit. It's swiss cheese for virii. It is an all around horrible OS. I'm not thinking about far earlier versions and where they got us. That part of MS history was rather nice. But where we are... uh... going today (lol) is to hell in a handbasket.
Security is not a product, it's a process. And step 1 is to get Windoze off of your servers.
I await the fan-boys who will scream how Win2K with Service Pack 69 is perfect. Jesus help them...