Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Pros Bemoan the Need for Focus

Posted by CmdrTaco on from the thinking-one-step-ahead dept.

Ant writes "Computerworld has an article about more proactive initiatives falling by the wayside. Operational and tactical considerations continue to dominate the IT security agenda, despite a growing need for more strategic approaches to data protection."

16 of 62 comments (clear)

  1. Giving Up by Anonymous Coward · · Score: 5, Interesting


    some people i know are so fed up of the state of internet security ,viruses,trojans,spyware,spam etc that they are actively considering disconnecting their main systems from the internet altogether and only using a dedicated machine for access

    shame that security has got so bad where people are now retreating from public networks, if thats now in 2004 what's it gonna be like in 10-15-20 years from now ? i shudder to think

    1. Re:Giving Up by digitalsushi · · Score: 2, Interesting

      I'd have to ask why a company's main systems are online at all. I was disturbed to learn my bank's accounting system is online. Why should it be? I asked them. They said they didn't need it to be, it was just that they have only one network. Oh, good.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    2. Re:Giving Up by phillymjs · · Score: 2, Interesting

      things will get better or we will be living in a non Microsoft world.

      I think you misspelled "and."

      ~Philly

    3. Re:Giving Up by mordors9 · · Score: 2, Interesting

      You can't really blame them for giving up. Lawsuits are going to get worse against companies that get hacked and private information gets out on the internet. It also seems like the nature on people on the internet has changed. It used to be that most of the geeky types that tried to hack a box, did it just for fun. We would get in just to see if we could, then maybe leave a note to the Sysop that his system was open. Oftentimes he didn't change anything because he didn't care as long as no one screwed anything up. Now it is all different. There are thousands of script kiddies using scripted tools to hack a box or making slight alterations in virus source code, so they think they are the next phenom. At the same time companies don't want to spend the money to hire competent people to administrate their networks and systems. They apparently think it is cheaper to just retreat from the internet.

  2. sounds reasonable to me by digitalsushi · · Score: 4, Interesting

    I am a sysadmin, a poor one, and I can definitely say I could spend 100% of my time trying to patch holes and cracks in our system and still not have enough time left over. And I have a sneaking suspicion that someone who knows what's going on could redo our environment entirely such that I wouldn't have to. What an unfortunate thing! I don't even know what I'd do with all those extra resources freed up. I think our company had something to do with turning profits, long ago ...

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    1. Re:sounds reasonable to me by Spoing · · Score: 3, Interesting
      1. I am a sysadmin, a poor one, and I can definitely say I could spend 100% of my time trying to patch holes and cracks in our system and still not have enough time left over. And I have a sneaking suspicion that someone who knows what's going on could redo our environment entirely such that I wouldn't have to. What an unfortunate thing! I don't even know what I'd do with all those extra resources freed up. I think our company had something to do with turning profits, long ago ...

      Security is tough...though doable. The general idea is to secure your systems well enough so that if a new exploit occurs it is difficult to impossible for the exploit to impact your unpatched systems.

      General tips;

      1. Simplify; run only what you absolutely need on any system. Remember that even simple programs have been exploited in the past so don't fall into the "that's just a harmless ________" trap.
      2. Isolate; don't just keep minimial systems exposed to the internet, keep all systems visible on a 'need to know' basis. If the database server only talks with the intranet web server and the accounting database, make it so only those machines can see the database. If something breaks, or a developer needs access, either change the router or treat the database as a remote resource and have the group use a SSH tunnel.
      3. Automate; whatever can be automated, automate. Keep in mind that updates can break systems in some way, though focused patches tend to be fairly harmless. Have rollbacks enabled so that any dammage can be reversed without resorting to backups. (You do backup everything, right? Nightly incremental backups + occasional full backups.)
      4. Hire me; I'd be glad to charge, er, help you out with this. Reasonable fees and all that.
      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  3. Is this the right use of the word 'bemoan'? by Dixie_Flatline · · Score: 4, Interesting

    It sounds like security professionals are annoyed that they have to focus on anything. Wouldn't a more accurate headline be

    "Security Professionals Bemoan Lack of Focus"?

    Right now, it just sounds like security pros are whiny babies that don't want to do their jobs.

    1. Re:Is this the right use of the word 'bemoan'? by Tom · · Score: 2, Informative

      Right now, it just sounds like security pros are whiny babies that don't want to do their jobs.

      As security professional, the fact of the matter is that more often than not the company doesn't let me do my job. Cost isn't even the main issue - understanding is.

      If you think about moving into the security area, realize one thing: Half of your time will be spent convincing management that the other half is really necessary, and two thirds of that other half are dealing with either decade old issues (no encryption, weak passwords, not updated machines) or user stupidity (sharing passwords, disabling security features, not following procedure).

      The sixth or so that's left is pretty thrilling, though.

      --
      Assorted stuff I do sometimes: Lemuria.org
  4. I call shenanigans by Boss,+Pointy+Haired · · Score: 3, Funny

    "Issues such as network access control, intrusion detection, network operations and help desk functions can take up much of a security staff's working hours", said Popinski.

    I think this guy's just pissed that he doesn't have enough time to surf Slashdot at work.

  5. Java WebStart apps - free from viruses/spyware by MarkSwanson · · Score: 2, Interesting
    The Java Web Start sandbox environment may be a bit too limited for some applications, but it is secure and more applications are being written for it all the time. Sun is also improving it with every release. In this environment you don't have to trust the code, or the software vendor wrt manipulating your hard drive, network interfaces, keyboard, or even the clipboard.

    For more secure Java Web Start info: http://www.scheduleworld.com/itsYourLife.html

    --
    Schedule your world with ScheduleWorld.com http://www.ScheduleWorld.com/ (Java Web Startable)
  6. A serious issue... by beaststwo · · Score: 2, Insightful
    I've been working with medical research organizations that are having to deal with 21 CFR Part 11 restrictions on restricting access and ensuring data integrity as part of the FDA process for clinical trials. It is a much more strategic approach than the traditional "patch and fix" approach taken by other IT organizations I work with.

    When I first saw the FDA requirements, I was horrified, but after thinking about it a while, I started wondering why al systems don't take this kind of approach.

    It comes back to the old "when you're up to your ass in alligators..." problem. If you can deal with some issues on a more strategic level, you can try to design many of the day-to-day problems out of the system, allowing sysadmins to spend less time fixing the same problem over and over again.

  7. More of a strategic planning process.... by Proudrooster · · Score: 4, Informative

    "What's really needed is more of a strategic planning process that involves business executives and technologists," Spinelli said. Instead, security managers all too often offer "nothing by way of a long-term strategy" for IT security.

    In just the first two paragraphs alone I was able to fill up my BULLSH*T BINGO card. Let's see if I can write a useless statements containing lots of buzzwords. What's really needed is a short term strategy with long term synergestic goals that transcend all layers of the organization and implement proactive world-class security. Yep, I still got it.

    Just think, if executives had more of a strageic planning process for the business in general, then US companies might be healthier and stronger, instead of sacrificing the future for short-term profits.

    I guess it is just a slooooow news day.

    1. Re:More of a strategic planning process.... by eyepeepackets · · Score: 2, Insightful

      "sacrificing the future for short-term profits"

      But, but...that is the strategy.

      Dude, I'd give you a free clue but you have to be able to hold it first. *bonk*

      --
      Everything in the Universe sucks: It's the law!
  8. Security Pros are between a rock and a hard place. by RancidPickle · · Score: 3, Insightful

    The Security Pros are in two camps right now - reactive and proactive. My belief is that proactive may be the philosophically better choice, but the reactive is the modern-day way of life.

    Security has always been the bastard stepchild of the IT world. Nobody wants to spend any money or time on it, but it is the biggest reason why networks fail. It's akin to buying insurance for your network. While some high-end gurus want to come up with methods of protecting networks on a high-level, the folks who are writing virii and spyware are working on new methodologies to counteract the standards. Compare this with the way battles were fought during the American Revolution - the British lined up in neat rows, and some American snipers hid in the surroundings. The British bemoaned the tactics, and were generally unable to understand or cope with the revolutionaries who "didn't fight fairly". The end result was Britain was defeated, and having general proactive security plans will also get defeated because the 'bad' coders don't play by the rules.

    What may be a good idea is to train and develop more folks who look for security holes and spyware methods and plug them before they get exploited. Anti-spyware and anti-virus companies could do it, and they could use it as a marketing tool (Our new update protects against the IE URL buffer overflow hack!). Companies like MickeySoft can invest some of that capital they have lying around under their couch cushions to either promote (or buy) and AV company, and it would allow M$ to get exploits identified quicker, and perhaps hush the chatter on how hole-y their software is by fixing those holes before they become public.

    So, like the rest of the IT world, I have to go on, day after day, reacting to any new threats that show up on my virtual doorstep. For most admins and security folks, that is their focus. When companies go down for lack of vigilence, their competitors will begin to see the use of having trained folks on-site to watch their backs.

    --
    "First things first, but not necessarily in that order."
    - Doctor Who
  9. Then start buying AMD Athlon 64's! by Brian+Stretch · · Score: 2, Interesting

    They could at least stop buffer overflow attacks by using AMD Athlon 64 CPUs ("Enhanced Virus Protection" as marketing says). And cut their electric bill. But noooo, they keep buying the overpriced Intel-based blast furnaces that Dell sells them.

    It won't make Windows secure, but it might free up enough time for strategic thinking. Then again, so would doing IT development in-house rather than cleaning up outsourced disasters...

  10. Service Pack 2? by dshaw858 · · Score: 2, Interesting

    I know that Microsoft isn't Slashdotters' favorite company, but I have to say that I think that Service Pack 2 will help security immensely. As has been said before, most of Windows users are computer illiterate. SP2 gives users an enhanced layer of security (the XP Firewall, for example), and can really help the computer illiterate (that would otherwise be totally unprotected) secure themselves.

    - dshaw