Security Pros Bemoan the Need for Focus
Ant writes "Computerworld has an article about more proactive initiatives falling by the wayside. Operational and tactical considerations continue to dominate the IT security agenda, despite a growing need for more strategic approaches to data protection."
and raise you an exponential synergy of consolidation and facilitation.
some people i know are so fed up of the state of internet security
shame that security has got so bad that people are now retreating from public networks; if that's now in 2004, what's it gonna be like in 10-15-20 years from now? I shudder to think
Right? Because who else would write a summary like that.
I am a sysadmin, a poor one, and I can definitely say I could spend 100% of my time trying to patch holes and cracks in our system and still not have enough time left over. And I have a sneaking suspicion that someone who knows what's going on could redo our environment entirely such that I wouldn't have to. What an unfortunate thing! I don't even know what I'd do with all those extra resources freed up. I think our company had something to do with turning profits, long ago ...
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
http://www.nwfusion.com/reviews/2004/110804rev.html/
Scanning for vulnerabilities on a regular basis is as pro-active as it gets, isn't it?
Dedicated Linux servers (root access) $45 p.M.
It is what IT is.
A slashdotting - you get the stick first and then the carrot !
Nearky 100'000 persons murdered in 5 days! Now they has been "liberate". George W. Bush is like Adolf Hitler: a genocide and a mad man and nothig better.
Looks like grammar teachers has liberate you too soon and nearky nothig good came out of it...
It sounds like security professionals are annoyed that they have to focus on anything. Wouldn't a more accurate headline be
"Security Professionals Bemoan Lack of Focus"?
Right now, it just sounds like security pros are whiny babies that don't want to do their jobs.
"Issues such as network access control, intrusion detection, network operations and help desk functions can take up much of a security staff's working hours", said Popinski.
I think this guy's just pissed that he doesn't have enough time to surf Slashdot at work.
For more secure Java Web Start info: http://www.scheduleworld.com/itsYourLife.html
Schedule your world with ScheduleWorld.com http://www.ScheduleWorld.com/ (Java Web Startable)
My thesaurus lists "tactics" as a synonym for "strategy."
I've been thinking about this quite a bit. I know that there are a ton of unscrupulous businesses and persons out there releasing spyware/malware and spamming, et al. In addition to that, I can't help but think that a lot of issues people have is that they treat computers largely as they would an appliance. It does some specific tasks and should continue to do so with as little human intervention as needed, at least in their eyes. When people realise that computers take a bit more commitment and dedication to run properly and even remotely secure things may start to improve.
( o ) one could say I'm rather baked
When I first saw the FDA requirements, I was horrified, but after thinking about it a while, I started wondering why all systems don't take this kind of approach.
It comes back to the old "when you're up to your ass in alligators..." problem. If you can deal with some issues on a more strategic level, you can try to design many of the day-to-day problems out of the system, allowing sysadmins to spend less time fixing the same problem over and over again.
"What's really needed is more of a strategic planning process that involves business executives and technologists," Spinelli said. Instead, security managers all too often offer "nothing by way of a long-term strategy" for IT security.
In just the first two paragraphs alone I was able to fill up my BULLSH*T BINGO card. Let's see if I can write a useless statement containing lots of buzzwords. What's really needed is a short-term strategy with long-term synergistic goals that transcend all layers of the organization and implement proactive world-class security. Yep, I still got it.
Just think, if executives had more of a strategic planning process for the business in general, then US companies might be healthier and stronger, instead of sacrificing the future for short-term profits.
I guess it is just a slooooow news day.
Dude. I don't doubt that bush is an idiot and that he lied about the reasons for the Iraq war but at the same time you're not much better. After all, you're lying about your figures eh?
And after all, at least bush removed an obviously evil dictator. No mercy for Saddam!
...is that I fought the establishment and refused to move our school from Mac to Windows. The few PCs we do have are running Fedora. While other schools in our area are having entire outages and needing their entire infrastructure locked down and cleansed, in the past 4 years we have NEVER had a security breach of any workstations or servers. Yet we are under pressure CONSTANTLY to give up on Apple and move to Windows for lame "standards" reasons.
You want focus, here's your focus:
http://www.apple.com/macosx/
I know I'll probably get modded a troll, but if you want a trouble free network/infrastructure, switch to Mac or in the very least Linux.
"Security Pros Bemoan the Need for Focus" ?
We've got SecurityFocus remember?
who hates the word "proactive"?
Assume I was drunk when I posted this.
"We're still fighting a lot of yesterday's battles," said Fred Trickey, information security administrator at Yeshiva University in New York.
Yeah, all the new battles go to the guys with good names, like Batman, The Riddler and Dick Tracy.
The Security Pros are in two camps right now - reactive and proactive. My belief is that proactive may be the philosophically better choice, but the reactive is the modern-day way of life.
Security has always been the bastard stepchild of the IT world. Nobody wants to spend any money or time on it, but it is the biggest reason why networks fail. It's akin to buying insurance for your network. While some high-end gurus want to come up with methods of protecting networks on a high-level, the folks who are writing virii and spyware are working on new methodologies to counteract the standards. Compare this with the way battles were fought during the American Revolution - the British lined up in neat rows, and some American snipers hid in the surroundings. The British bemoaned the tactics, and were generally unable to understand or cope with the revolutionaries who "didn't fight fairly". The end result was Britain was defeated, and having general proactive security plans will also get defeated because the 'bad' coders don't play by the rules.
What may be a good idea is to train and develop more folks who look for security holes and spyware methods and plug them before they get exploited. Anti-spyware and anti-virus companies could do it, and they could use it as a marketing tool (Our new update protects against the IE URL buffer overflow hack!). Companies like MickeySoft can invest some of that capital they have lying around under their couch cushions to either promote (or buy) an AV company, and it would allow M$ to get exploits identified quicker, and perhaps hush the chatter on how hole-y their software is by fixing those holes before they become public.
So, like the rest of the IT world, I have to go on, day after day, reacting to any new threats that show up on my virtual doorstep. For most admins and security folks, that is their focus. When companies go down for lack of vigilance, their competitors will begin to see the use of having trained folks on-site to watch their backs.
"First things first, but not necessarily in that order."
- Doctor Who
http://shit.slashdot.org/article.pl?sid=04/11/14/1539250
Most PHBs misunderstand the results of proactive security, mainly because proactivity breeds less tangible results (because the attacks are mitigated before they do any damage). In the case of a successful security breach the damage is seen, counted, and monetary losses to the company are estimated. For example, when a virus hits and the IT guys are scrambling, the monetary losses are itemized and quantified. If the network is secured and nothing happens, the IT folks can't claim one way or the other how much money they just saved the company compared to reactionary tactics against such an attack, despite how much you may try. It's scary how many people would rather have the "warm fuzzy" that their money is being used for something they can actually see. I think their thinking process goes a little something like this:
"Phantom security? Bah! Why put up money that may or may not protect us when we can see actual results of the money spent by watching the workers that have to stay late to disinfect the servers and workstations." Yes, it's a screwy analogy, but it's really that simple in a lot of cases.
"On a scale from 1 to 10, people are stupid"
They could at least stop buffer overflow attacks by using AMD Athlon 64 CPUs ("Enhanced Virus Protection" as marketing says). And cut their electric bill. But noooo, they keep buying the overpriced Intel-based blast furnaces that Dell sells them.
It won't make Windows secure, but it might free up enough time for strategic thinking. Then again, so would doing IT development in-house rather than cleaning up outsourced disasters...
I know that Microsoft isn't Slashdotters' favorite company, but I have to say that I think that Service Pack 2 will help security immensely. As has been said before, most of Windows users are computer illiterate. SP2 gives users an enhanced layer of security (the XP Firewall, for example), and can really help the computer illiterate (that would otherwise be totally unprotected) secure themselves.
- dshaw
[sigh] Why is it always the case that [insert random technical speciality here] has to "learn to speak the language of business users"? Technical language exists for a reason: more precise expression of problems and solutions. If business users can't even "speak the language", how can they express their problems, and more importantly, how can they even begin to understand the issues involved in implementing the solutions to their problems? In fact, if they don't "speak the language" then they're unlikely to understand that security (or whatever other speciality we're talking about) is an issue at all. Which might explain some of the problems we're having these days.
Note that I'm not saying that said business user has to be an expert in the field of security or anything else. But they should be at least conversant with the basic issues involved, and aware of what kind of questions they need to be asking. I have led several design teams involved in developing extremely cross-disciplinary products. I wouldn't claim to be an expert in any of the specific disciplines (otherwise I wouldn't need the team, would I), but I at least made the effort to understand the disciplines well enough that I could "speak the language" and ask the right questions, and make informed decisions based on the answers I got. By the same token, if I was running a business I'd make damn sure that I understood enough of each of the elements of my business (including security if that was an issue) that I could ask good questions, understand the answers, and make decisions based on those answers. How can "business users" make decisions if they don't understand what they're deciding?
End of rant -- thanks, I feel better now...
If you're referring to the story in "The Lancet", the confidence interval was ridiculously wide.
"[The operational level] is the link between strategy and tactics. Action at the operational level aims to give meaning to tactical actions in the context of some larger design that is itself framed by strategy."
Irene KHAAAAAAN!
I think that any system that has serious potential for abuse should go under similar levels of attention to detail, whether it's financial or contains significant personal details.
However, try convincing big business they need to spend the time and effort; unless you've got a heavy-duty regulatory authority like the FDA telling them it's got to be done that way, it won't be.
* Little Rubber Feet
Dear CmdrTaco,
since when is marketing bullshit "news for nerds, stuff that matters"?
"proactive"
"initiative"
"operational"
"tact
"consideration"
"dominate"
"agenda"
"str
"approach"
You, The Editors, have been rejecting story submissions for much smaller sins.
Fight Frist Psoting!
Browse Slashdot with 'Newest First'!
Somebody needs to wake up and realize that these 2 words have very different meanings...