Security's Shaky State
Ant writes "According to InformationWeek, Information Technology (I.T.) security professionals say when it comes to security, most I.T. departments are underfunded, understaffed, and underrepresented.
Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with."
Funnily enough, open source works in this regard.
:-)
I was able to win the battle with corporate security after they sent in the outside security auditors.
Outside audit showed nothing vulnerable (for whatever that's worth)
Inside auditor then came to our office for further (second opinion) audits
Joke is that we were all using the same tools (nessus, nmap, etc.) to different effect.
The truth about Led Zep should never be told on
Sigh. I've learned "I don't understand why we need X" is all too often a warning from a superior that continuing to push for X (including by providing the supposedly requested info) may be a career-limiting move. OTOH, if X turns out to have been needed after all, not having gotten it is hard to explain to that same superior.
I've experienced worse. At one company I worked at, I warned of the pitfalls of a particular implementation my boss had been sold on. I was ignored. When the problems I predicted showed up, I was then blamed for creating them.
I quit that job as soon as a chance to move to a reasonably solid company came along...
-JMP
...what is it, when it comes to the 'Security Theory of Everything'? What is the Holy Grail of security?
I work as a software engineer for a very large company in the US. After 5 years with limited security and no virus scanning of email, the company network was beat down internally by every virus known to man. The "solution" was a very unfocused initiative. IT did stupid things like block every attachment via email (driving us nuts) while not making antivirus software mandatory. People would just plug a laptop in the network and spread everything they had on it. The IT department should have focused on handling the virus instead of trying to avoid them all together. They will get on the network anyways. Another "smart" thing they did was block access to Windows Update to make installing patches difficult. They had the staff, but not the knowledge and plan. That's more important in my opinion.
gasmonso http://religiousfreaks.com/

The problem with unions is that they award only mediocrity. Unions require that high achievers get the same pay as low achievers, even though high achievers easily get 10x as much accomplished - especially in engineering. Unions force out good workers (why work harder if the money is the same), and leave only mediocre and poor workers. That leads to the company falling behind the non-union foreigners, and the failure of the industry. Seriously, unions are bad news!
Most engineers are highly motivated people, and their pay tends to be directly in line with their achievements - even when the achievements are not directly profitable (Hi Linus!). If you are in a job where this is not true, get a new job! Seriously, I would recommend a startup - in startups your pay tends to be directly related to your contribution to the company, because there is less management to blur it. I have worked in Government, Medium Corp, and Startups, and I will never leave startups again!
while (sig==sig) sig=!sig;
I've had a similar experience. A major Canadian real estate company, which I was NOT IT support for, just the end user, decided to switch from a Unix local hosted solution to a web-based initiative.
Props for looking to the future, major negatives for not thinking out their direction.
I, well before implementation, pointed out that since this was WWW based, and our office connected to the web via an office about a thousand miles away, to connect then to an office about a mile away, casual lunch web surfers would interfere with the bandwidth I needed. I was called asinine.
I suggested a plan to have each office that was using this new system (which worked great when we had the available bandwidth) have an independent ISP, outside of the intranet. Sure, it wasn't cheap, but it would remove the need for eight hours of downtime a day. Did I mention I worked eight hours a day?
Six months later, after billing vast amounts of overtime clearing up backlog via my home DSL connection, the manager I was called asinine by introduced a plan to resolve the problem. It was my plan, of course. While I should have quit right then, I rode it out, and was eventually fired for not giving a shit anymore. I should have left first, but is it a surprise I ceased to care?
- nk
Suppose we force companies to pay reasonable damages (no criminal charges or anything unless criminal negligence is provable). Naturally, they can and will get liability insurance to cover this, and the actuaries will determine how much that will cost on the basis of how risky their operation is. Similar to having airbags in your car, companies will qualify for discounts by using known secure systems and hiring competent IT security staff. Software/hardware vendors will be motivated to produce secure products because otherwise they will lose business.
Now, in the end the cost gets pushed out to the consumer anyways; so we end up paying for it one way or another -- either you get identity theft insurance to help you deal with the inevitable breach or you force the companies to get insurance or otherwise take appropriate measures. I think the latter option is more efficient because it attacks the problem at the source. Furthermore, we can make the insurance mandatory -- just like driving a motor vehicle, handling peoples' private information puts the general public at risk.
Whatever happens we can't just let this nonsense continue unchecked. I guess HIPAA, Sarbanes and some other laws are going to start dealing with this, but I have yet to see if those have any respectable teeth. And from what I've heard first hand about some of the new systems going into some not-to-be-named HMOs, I don't have a lot of hope that things will get better.
underfunded budgets that limit choices ranging from what products they buy to the vendors they work with.
The other side of this is that even when companies do have the budgets for these fancy-schmancy products from uber-respected vendors, it's often the users, and their lack of awareness or education about their role in security, that's the weak link.
"Ein Volk, ein Reich, ein Führer." -Adolf Hitler
"We are one Nation, we are one People." -The One 'leader'
I've seen this time and time again - maybe I'm just getting too cynical for my own good ;-).
As far as I can tell, in quite a few companies IT Security staff are only employed as a gesture towards corporate risk management. In other words, as long as the gesture exists there is an apparent legitimate claim that effort was put in to mitigate a risk.
When (not if) the inevitable happens, it doesn't take a rocket scientist to work out whose head will roll. For those who haven't reached their operational caffeine level yet: it's not going to be an executive.
Having said that, I'm glad to come across more and more evidence that quite a few companies at least *DO* get it so maybe there is hope.
I warned of the pitfalls of a particular implementation my boss had been sold on. I was ignored. When the problems I predicted showed up, I was then blamed for creating them.
There are a lot of career hazards with this one. I unfortunately became the nay-saying manager at a previous international telecom company a few years ago when I'd raise concerns about things like a calling card switch that:
- had a default load of SCO with no patches
- patches were prohibited because "they messed up the calling card software"
- the vendor required telnet access to each system with public IPs
- the vendor never knew where they'd be telnetting from, so ACLs on telnet inbound traffic were prohibited
- clever username schemes were used, like user: root password: root, user: pcm password: pcm and so on
- root telnet logins were required by the vendor because "how else are we to administer the system remotely? we have to have root to do that" (the same vendor told my boss that SSH was "some bulletin board download shareware crap" which they were too good to run as a "big calling card company")
After preparing a twenty page assessment and detail of security modification requirements, I was literally laughed down by the vendor in their meeting with us and the marketing and management execs. Their defense? They had "never heard of these concerns from any other customer and subsequently they were just nitpicking" by someone who must want a different solution. (Yea, we had a great relationship with the corporate marketing buyers who always bought what got them perks and shoved it to operations to figure out how to use. Ask me about the $20 million in Lucent useless trash that was in the room next to mine collecting dust).
My strong objections only made it certain to corporate that I was going to sabotage the project with their new vendor friend who brought them cool gifts. I learned after this one to get senior-level protection from the CTO or whoever is your executive committee level sponsor before sticking your neck out.
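The list above (root over telnet, passwords equal to usernames, no inbound ACLs) is exactly the situation a passive sniffer on the path exploits. The following is an added example, not code from the poster or the vendor: it strips telnet option negotiation from a constructed capture of such a session, recovers the login/password pairs that crossed the wire in the clear, and flags the ones that match the "root/root, pcm/pcm" pattern. The session bytes, the host banner and the default-password list are all constructed for illustration.

```python
"""Recover cleartext credentials from a captured telnet session.

Added example: shows why root logins over telnet with trivial passwords are
a problem. The session below is CONSTRUCTED to look like a sniffer capture
of a login to an unpatched switch; nothing here is from a real system.
"""

IAC, SB, SE = 255, 250, 240          # telnet command bytes (RFC 854)
WILL, WONT, DO, DONT = 251, 252, 253, 254


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC command sequences, keeping only application bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # dangling IAC at end of chunk
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped 0xff data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                 # subnegotiation: skip up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (WILL, WONT, DO, DONT):   # three-byte option command
            i += 3
        else:                           # any other two-byte command
            i += 2
    return bytes(out)


def extract_credentials(session):
    """session: list of (direction, bytes); 'S' = server->client, 'C' = client->server.

    Watches server output for a login/password prompt, then records what the
    client types up to the next newline. Server echo of typed characters is
    ignored while a value is being collected. Returns [(user, password), ...].
    """
    creds, server_tail, client_buf = [], b"", b""
    expecting, user = None, None
    for direction, chunk in session:
        payload = strip_telnet_negotiation(chunk)
        if direction == "S":
            if expecting is None:
                server_tail = (server_tail + payload)[-32:]
                tail = server_tail.lower().rstrip()
                if tail.endswith(b"login:"):
                    expecting, client_buf = "user", b""
                elif tail.endswith(b"password:"):
                    expecting, client_buf = "pass", b""
        elif expecting is not None:
            client_buf += payload
            if b"\r" in client_buf or b"\n" in client_buf:
                value = client_buf.split(b"\r")[0].split(b"\n")[0]
                value = value.decode("ascii", "replace")
                if expecting == "user":
                    user = value
                else:
                    creds.append((user, value))
                    user = None
                expecting, server_tail = None, b""
    return creds


def flag_weak(creds, defaults=("root", "pcm", "admin", "password", "")):
    """Return (user, password, reasons) for credentials a vendor should never ship."""
    findings = []
    for user, pw in creds:
        reasons = []
        if pw == user:
            reasons.append("password equals username")
        if pw in defaults:
            reasons.append("well-known default password")
        if user == "root":
            reasons.append("remote root login over cleartext telnet")
        if reasons:
            findings.append((user, pw, reasons))
    return findings


# Constructed capture: option negotiation, banner, two logins with echo.
SAMPLE_SESSION = [
    ("S", bytes([IAC, DO, 24, IAC, DO, 32]) + b"\r\nSCO OpenServer (switch01)\r\n\r\nlogin: "),
    ("C", bytes([IAC, WONT, 24, IAC, WONT, 32]) + b"r"),
    ("S", b"r"),                                 # server echoes typed char
    ("C", b"oot\r\n"),
    ("S", b"oot\r\nPassword: "),
    ("C", b"root\r\n"),                          # password is not echoed
    ("S", b"\r\nLast login: Mon Jan 1 from 203.0.113.5\r\n# "),
    ("C", b"exit\r\n"),
    ("S", b"exit\r\n\r\nlogin: "),
    ("C", b"pcm\r\n"),
    ("S", b"pcm\r\nPassword: "),
    ("C", b"pcm\r\n"),
    ("S", b"\r\n$ "),
]

if __name__ == "__main__":
    for user, pw, why in flag_weak(extract_credentials(SAMPLE_SESSION)):
        print(f"{user}:{pw}  ->  {', '.join(why)}")
```

Run against a real capture you would feed the two TCP directions of the telnet stream in as chunks; the point the block makes is that nothing about the protocol hides the password, so the only fix is what the poster asked for in the assessment: SSH, no direct root login, and inbound ACLs.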
I recall talking with a very experienced, capable security expert who had founded a company (and was CEO). The remark that sticks in my mind was along the lines of, "No one can make much money in this business, because customer executives never buy the security their company needs - they buy the very minimum to avoid being successfully sued for negligence if the shit hits the fan".
I am sure that there are many other solipsists out there.