Slashdot Mirror


The Failure of Information Security

Noam Eppel writes to share a recent editorial regarding the current state of information security. From the article: "It is time to admit what many security professionals already know: We as security professionals are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."

5 of 172 comments

  1. Failure of security professionals? by Whiney+Mac+Fanboy · · Score: 5, Insightful
    "It is time to admit what many security professionals already know: We as security professionals are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."
    Bollocks - this implies that there's more security professionals could do, but they choose not to, to drum up business.

    The sad reality of the matter is the vast majority of the threats they mention - Spyware, phishing, Trojans, viruses, worms, rootkits, spam, web app vulnerabilities & ddos attacks - are enabled by the existence of botnets (to stage attacks from, send spam, provide anonymity, host phishing webservers, etc)

    The source of (the vast majority of) botnets is Microsoft's security failures in the late 90's/early 00s. How are security professionals supposed to combat something that happened in the past in another company?

    Furthermore, the list of data losses
    Credit Card Breach Exposes 40 Million Accounts
    Bank Of America Loses A Million Customer Records
    Pentagon Hacker Compromises Personal Data
    Online Attack Puts 1.4 Million Records At Risk
    Hacker Faces Extradition Over 'Biggest Military Computer Hack Of All Time'
    Laptop Theft Puts Data Of 98,000 At Risk
    Medical Group: Data On 185,000 People Stolen
    Hackers Grab LexisNexis Info on 32000 People
    ChoicePoint Data Theft Widens To 145,000 People
    PIN Scandal 'Worst Hack Ever'; Citibank Only The Start
    ID Theft Hit 3.6 Million In U.S.
    Georgia Technology Authority Hack Exposes Confidential Information of 570,000 Members
    Scammers Access Data On 35,000 Californians
    Payroll Firm Pulls Web Services Citing Data Leak
    Hacker Steals Air Force Officers' Personal Information
    Undisclosed Number of Verizon Employees at Risk of Identity Theft
    can be blamed on companies who have failed to follow their security team's advice. Not on the security team itself.

    The story makes some good points, but blames the wrong people.
    --
    There are shills on slashdot. Apparently, I'm one of them.
    1. Re:Failure of security professionals? by Bacon+Bits · · Score: 5, Insightful
      I don't think that's what he's saying. That is, users are not to blame. The decision makers are.

      Let's say, as an IS professional, you explain to management the need to restrict user accounts with Administrator rights, the need to implement an intrusion detection device, the need to eliminate spam, the need to make the network infrastructure fault tolerant, the need to update the antivirus client to something that can detect modern threats, and the need to educate users on how to operate their systems securely. Management denies budgeting these things on the basis that they are not necessary, and would you please increase maximum mailbox size again?

      If the company is unwilling to do what is necessary to secure the environment, then as an IS professional you are largely helpless.

      --
      The road to tyranny has always been paved with claims of necessity.
  2. This makes no sense by Mr_Tulip · · Score: 5, Insightful
    As someone who is responsible in part for network security where I work, I would disagree that we are not doing 'enough'.

    The sad reality is that information security is rather hard to achieve in an imperfect environment and without unlimited resources.

    To make a bad analogy, it is hard to physically protect your client/employer if they insist on partaking in high-risk pursuits, and the environment is harsh and dangerous. Email-header spoofing, bot-nets, vulnerabilities in 3rd party software - these are not under the control of the admin, at least not if you are committed to the Microsoft platform.

    The same could be said that a doctor cannot be held responsible for their patients' health, if their patient is a chain-smoking, alcoholic base-jumper who rides a monocycle down the freeway at 100 km/h.

  3. Ignorance Is Bliss? by LanMan04 · · Score: 5, Insightful

    If you don't have any anti-virus software installed, or at least a scanner, how would you know whether your computer is infected or not? If your machine belongs to a bot net, you probably don't know about it.

    To put it another way: Just because you have no symptoms doesn't mean you don't have cancer.

    Is this little traffic light on your router blinking 24/7? :)

    --
    With the first link, the chain is forged.
  4. The elephant in the room by stinky+wizzleteats · · Score: 5, Insightful

    If you ask a building design engineer to tell you the most important part of a building, they'll say the foundation. If you ask a historian to tell you the most important part of the U.S. government, they'll say the Constitution. Aircraft - airframe. Car - chassis. And so on.

    When you build anything, you make certain fundamental underlying decisions that affect how the rest of the system works - forever. If something is fundamentally broken about any of these core decisions, the structure will be irreparably and irrecoverably broken. It is universally understood that you can't really fix a building with a flawed foundation or a ship with a broken keel. If those parts aren't right, nothing else matters.

    In the 1990s, the world decided to base virtually all computer systems upon an operating system designed by Microsoft. Systems were changing radically over the span of months. Millions of dollars in computer investment could be rendered completely useless if the computer world changed direction. The panic led to sort of a terrified groupthink - we had to make sure we were on the garden path to computer goodness as soon as possible. We didn't choose Microsoft because it was better, or because it was secure, but because in 1992, it looked like the only thing that would work. Now, in 2006, we know (as will be attested by the numerous Microsoft astroturfers who will undoubtedly respond to this posting) that you really can use any operating system to get the job done. The fear of total obsolescence has turned out to be unfounded. We had more of a choice in 1992 than we really thought.

    The question is not whether or not we made the right choice. It is rather how far the fragments of the ship have to sink before we decide to abandon it. How much of the building has to collapse before we evacuate it? How many wheels have to fall off of the car before we pull over and call for a tow truck? The thing we most feared back in the 90s - total system failure for making the wrong crucial underlying choices, is happening every single day. When will we wake up and respond accordingly?