Security Pros Bemoan the Need for Focus
Ant writes "Computerworld has an article about more proactive initiatives falling by the wayside. Operational and tactical considerations continue to dominate the IT security agenda, despite a growing need for more strategic approaches to data protection."
Some people I know are so fed up with the state of internet security.
Shame that security has got so bad that people are now retreating from public networks. If that's now in 2004, what's it gonna be like in 10-15-20 years from now? I shudder to think.
I am a sysadmin, a poor one, and I can definitely say I could spend 100% of my time trying to patch holes and cracks in our system and still not have enough time left over. And I have a sneaking suspicion that someone who knows what's going on could redo our environment entirely such that I wouldn't have to. What an unfortunate thing! I don't even know what I'd do with all those extra resources freed up. I think our company had something to do with turning profits, long ago ...
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
It sounds like security professionals are annoyed that they have to focus on anything. Wouldn't a more accurate headline be
"Security Professionals Bemoan Lack of Focus"?
Right now, it just sounds like security pros are whiny babies that don't want to do their jobs.
"Issues such as network access control, intrusion detection, network operations and help desk functions can take up much of a security staff's working hours", said Popinski.
I think this guy's just pissed that he doesn't have enough time to surf Slashdot at work.
"What's really needed is more of a strategic planning process that involves business executives and technologists," Spinelli said. Instead, security managers all too often offer "nothing by way of a long-term strategy" for IT security.
In just the first two paragraphs alone I was able to fill up my BULLSH*T BINGO card. Let's see if I can write a useless statement containing lots of buzzwords. What's really needed is a short term strategy with long term synergistic goals that transcend all layers of the organization and implement proactive world-class security. Yep, I still got it.
Just think, if executives had more of a strategic planning process for the business in general, then US companies might be healthier and stronger, instead of sacrificing the future for short-term profits.
I guess it is just a slooooow news day.
The Security Pros are in two camps right now - reactive and proactive. My belief is that proactive may be the philosophically better choice, but the reactive is the modern-day way of life.
Security has always been the bastard stepchild of the IT world. Nobody wants to spend any money or time on it, but it is the biggest reason why networks fail. It's akin to buying insurance for your network. While some high-end gurus want to come up with methods of protecting networks on a high level, the folks who are writing virii and spyware are working on new methodologies to counteract the standards. Compare this with the way battles were fought during the American Revolution - the British lined up in neat rows, and some American snipers hid in the surroundings. The British bemoaned the tactics, and were generally unable to understand or cope with the revolutionaries who "didn't fight fairly". The end result was Britain was defeated, and having general proactive security plans will also get defeated because the 'bad' coders don't play by the rules.
What may be a good idea is to train and develop more folks who look for security holes and spyware methods and plug them before they get exploited. Anti-spyware and anti-virus companies could do it, and they could use it as a marketing tool (Our new update protects against the IE URL buffer overflow hack!). Companies like MickeySoft can invest some of that capital they have lying around under their couch cushions to either promote (or buy) an AV company, and it would allow M$ to get exploits identified quicker, and perhaps hush the chatter on how hole-y their software is by fixing those holes before they become public.
So, like the rest of the IT world, I have to go on, day after day, reacting to any new threats that show up on my virtual doorstep. For most admins and security folks, that is their focus. When companies go down for lack of vigilance, their competitors will begin to see the use of having trained folks on-site to watch their backs.
"First things first, but not necessarily in that order."
- Doctor Who