Slashdot Mirror
Former NSA Honcho Calls Corporate IT Security "Appalling"
Nerval's Lobster writes "Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User's Conference in Las Vegas. 'As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they're doing,' Winter said, according to a story in U.K. tech-news site Computing. During almost 28 years at the National Security Agency (NSA), Winter established the spy agency's Technology Directorate and served as the agency's first CTO. He also held positions as the NSA's CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response. He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act."
In companies great and small, a long history of appalling lack of and apathy for security. Goes back 30 years. Unfortunately I have to say so anonymously.
Given that half of Slashdot works in corporate IT I'm sure we're all shocked by this announcement.
when this guy could have done it long before ?? He is a traitor to the American people !! Turn your backs !!
When military force is authorized against the American people and backed by technical incompetence judicial system in the form of social engineering to back door most every security conscious device/os, then even the super, ultra deluxe, high performance, grand pro NSA hackers resemble Tommy 10 year old script kiddy born of rich family and purchased grades all the way through college now making big decisions that will haunt the people like a really bad case of herpes, kinda like every president's legacy for the last 60 years. Up to bat now: Obamacare. If Obama cared, he would not have promised change, then changed his promise. Bad cop, no doughnut.
You could just improve security, but that's hard. Alternately, you could just have such a shitty IT infrastructure that nothing ever works! This has many advantages! Lower IT costs, for one, and servers that are broken are in fact VERY secure! Very, VERY secure! So if you're in IT, next time someone bitches at you about some resource being down, just say it's "security hardening"!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Posting AC, just because... but one thing people forget... security has zero returns coming back.
Or at least this is what the PHBs believe.
This view tends to ignore the numbers of self-appointed white hats working inside many corporations that are not directly assigned to corp. security, yet take it on themselves to find and fix various 'holes' . . . quietly help out, without being asked or letting anyone know they've even been involved.
All it takes to break in is a hammer and 10 seconds.
Sure, they could put in bullet-proof glass and high-security doors. But those measures are prohibitively expensive for most businesses, and still aren't foolproof.
The same is true with computer security. There are basic precautions businesses should take, like putting all their equipment behind firewalls, for example. That's the equivalent of locking the front door. But security costs money, and makes life more difficult for those with legitimate access. These considerations must be balanced.
How many vulnerable systems are due to PHBs who don't want to listen to explanations that the remote access or network configuration they want is insecure?
The rest due to incompetent web developers who have no clue how to build secure web apps.
The real "Libtards" are the Libertarians!
If as Mr. Clapper posited earlier that the Federal Shutdown endangers the U.S.A. and all citizens including the armed forces overseas to terrorist attack then there is an Executive Decision to be made.
Under Mr. Clapper's premis the President and all members of Congress have by default committed treason and crimes against the U.S.A. and humanity at large.
Their actions warrant immediate arrest, arraignment and indefinite incarceration while awaiting trial.
The person of interest of the US Federal Government to take action and command is ... Mr. Eric Holder, Secretary General of the Justice Department.
Will Mr. Holder have the balls to arrest President Obama and all members of Congress for immediate execution? :)
but corporations, unlike the NSA, generally get their wrists slapped when they attempt to break the Constitution and its amendments.
Circle the wagons and fire inward. Entropy increases without bounds.
Training is the most expensive thing for corps, and colleges/trade schools don't get the job done either. When no body is held accountable for the "boogeyman" on the interwebs stealing your info/cracking your system there's really no point in wasting the resources on training personal to prevent it.
The constitution does not apply to corporations. Go read it. Now it would be logical to conclude that legal entities created, enforced and regulated by the government are an extension of government by run by private parties and therefore they are bound by all the same limitations; but that is not how things are. The government has a history of hiring private corps to do things it can not do and it's only been blocked after long court cases to the 3rd? or was it 4th? party removed. Leaving us open to them circumventing things by going to a 5th party; although, at this point they can just openly break most the rules as long as both parties are good with it (and where it really matters the two parties are functionally the same.)
I've seen normal plate-glass windows on rooms with TOP SECRET data and worse. Sort of unattended even, if you don't count a sleepy unarmed guard in an adjacent building. You could have driven a truck up to the window, done a smash-and-grab, and run off with the goodies. There was at least a very opaque curtain.
Not saying where! Security by obscurity seems to be working.
You are right, but at the same time, there are measures a lot of companies could make that wouldn't cost much money but would improve their security.
Ensuring that input is properly sanitized is one that comes to mind, because I've seen problems with it by people who should have known better. Disabling Java applets by default in browsers is another.
"First they came for the slanderers and i said nothing."
We can be quite sure that the one leak we know about is just the tip of the iceberg.
Banks are still using "secret questions" and claiming that's a kind of two-factor authentication. Someone I know was once told by Citi something to the effect of "well, click on the links in the email, and if it gets you to a site with our logo, then it was from us."
And honestly, social engineering is still a huge and very easy target.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
He's keynoting at a major security vendor conference. Having done so myself, the goal and focus is ALWAYS to spread FUD to sell software and services. This industry survives off of fear mongering. That's not to say there aren't problems, but when you're paid tens/hundreds of thousands of dollars to keynote on behalf of a vendor, you generally have an unwritten agreement to paint the most dramatic picture possible.
NSA You paid company's to install backdoors/exploits you think your the only one who can use them? It's partly your fault.
...security would quickly improve.
Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
The kind of activities i see from the NSA i would call appalling as well.
Maybe you could get off your fat spook ass and help these companies improve instead of just spying on everyone and making judgements?
Chase those, and you're in a never-ending cycle of reaction because you were so thrilled by the drama of firefighting that you left yourself exposed to the next specific and immediate threat.
Try to cover broad classes of threat, and you'll get some actual preventive value from your expenditures.
In my experience it is more about the managers and CxO's viewing it as a status issue. They are so important that they cannot be hampered by the demands of the lowly IT people. And the same goes for their people.
Security is IT's problem and if something goes wrong then it is the IT people who will be fired. Starting with the ones who were the loudest about there being a problem in the first place.
After all, other companies don't have those problems. So it must be because the IT people are incompetent.
Unfortunately that seems to be the standard approach, leave your machines terribly insecure and just hide them from the internet using firewalls...
As soon as someone gets a tiny foothold behind the firewall, and there are many ways in which they could do so, everything inside is trivially easy to compromise and very poorly monitored.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Given the creator of Windows and US government can, sufficiently compelled, walk into any Windows system that is internet connected at any time they desire what's the frickin' point? Everything else is security theatrics. Do what the old security honcho of MS has done and drop out.
Four letters say it all: EULA. You can sell software that bricks a piece of hardware, and the worst you'll have to do is refund the purchase price. Most of the time, all you have to do is issue a credit, so the customer/sucker gives you more money.
Someone breaks into a server farm and steals credit card info and passwords that are stored in a non-encrypted format? Just send out a warning. It's not like you can get sued or anything.
Big defense contractors are leaking classified information like a sieve. It's so bad that the US President had to whine to the Chinese President about cyber spying industrial espionage. Has any defense contractor lost a contract or been fined for these screw ups? Of course not.
Heck, there were images this week from an exposition of Chinese built unmanned aircraft in Beijing, and they had a Predator drone! Not just a look alike, it had the same mounting for the optical sensor pod on the bulging nose, chines, V-tail, etc. It would be completely unsurprised if they stole the plans. Apparently they have the plans for all our major weapons systems. It save then vast effort in R&D, and they can build counter measures that they know will work. If there were any fines or actions against any corporations it was not reported anywhere.
So given that there's no down side to committing corporate software fraud, why is anyone surprised that security is a complete joke.
Why is Snark Required?
I have been doing IT for 30 years. I have been doing Security for a University for about the last 15 years. I have found that security is possible, but you have to focus.
The biggest problem is we are not taught how to do security. We are taught attack. But attack is not security. We are taught checklists, but checklists are not security.
Security is a meaningful assurance that your goals are being accomplished. The details are transitory. But, without goals, security has no point. Sticking to your goals when attacked is the heart of defense. Ultimately, it is the only thing that matters in security. Your organization adds value by sticking to it's goals. But this is more than just a matter of value added. Goals are the spirit of the organization. If you don't stick to your goals when attacked, then you have lost. The attacker may not have won, but you have lost.
But, security folks are not taught how to support institutional goals. Instead, we are taught myriads of other things. You can see examples of the mechanics of security defeating meaningful security all over the place. One striking example is the SANS 20 Critical Controls: http://www.sans.org/critical-security-controls/ While they contain many good points, they fail to teach security. When we analyzed them, we found that they tended to replace security process with checklist. When we had finished the evaluation process we had eliminated, reordered and replaced many of their controls. Our most important control was not even mentioned. It is:
Critical Control 1: Unity of Vision
Security is a MEANINGFUL Assurance that YOUR goals are being Accomplished. Most security failures are enabled and enhanced by disagreement of purpose. Are the fundamentals of management in place?
Another glaring omission is the complete lack of strategic thinking in the security community. Winning battles, but loosing the war is our way of life. Nothing in the SANS controls guides you to ask the important questions like: "Were am I going?" and "How did I get in this handbasket?" and "Do I HAVE to eat this crap?" For our analysis of the SANS Controls, we added another Control. We valued it at number 3:
Critical Control 3: Enable a Better Future
This control assumes that our actions affect the future. Do your actions enable a more secure future?
The SANS 20 Controls were originally written by the NSA for the Department of Defense: http://www.sans.org/critical-security-controls/history.php The recent NSA disclosures make me wonder if maybe they are flawed, because the NSA simply doesn't value effective security?
...Cackles Maniacally And Rubs Hands With Glee.
systemd is Roko's Basilisk.
Security done right improves profit. How? Because you go over a functional model of your IT systems as well, to find flaws in the logic that can be abused. You find bugs that cost you money and you get those solved. Research has proven that you can actually more than get back the cost of spending money on good security and turn a profit by having less bugs and flaws in your systems. This does not apply to token efforts and buzz ware, but there's a way to do this properly.
I was promised a flying car. Where is my flying car?
So if Snowden can get at the NSA and the NSA calls companies weak, imagine how bad those companies actually are....
I was promised a flying car. Where is my flying car?
He is also a guy selling security stuff.
Clearly what's needed is an "Internet Czar" -- a top level cabinet post with, say, 50,000 new civil service positions (job creation). Have one person on the Big Red Switch to shut it all down if the GOP asks any questions about budget and appropriations.
Is this the same company that employed Edward Snowden as a sysadmin, allowed him to elevate his authority and then download documents that he was not supposed to... So Prescott Winter was CTO and was finally responsible for internal IT security. Talk about a pot calling a kettle.....
Generally that's required because security is not considered at all by the vast majority of commercial software developers - so if you want to use their stuff it comes with all kinds of stupid open ports and nothing to stop the 1960s exploit of buffer overflows once something starts sending bytes into those ports. Some stuff on MS Windows still needs to be run as "Administrator" when there is no real reason it should.
And who's fault is that? Geeze who could have expected undermining security would undermine security!
Frankly given all the revelations about NSA spying the biggest threat to security is clearly the government itself, but what will inevitably come out of public figures saying stuff like this is an attempt to regulate PRIVATE IT infrustrucute, which we know the NSA will use to Blackdoor us all.
This is why we need to not give the FEDs the microphone. We should continue to disinvite them from conferences and trade shows. We all need to stop going to infra guard and stop taking NIST seriously. Write you congress person tell them these guys are untrust worthly and rather than listen to the. Please please defund them.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Who would have thought?
Aside from everyone working in IT security. Or everyone working in IT. Or everyone with 3 working brain cells. So, basically, everyone except middle management.
What I've seen in IT security in most companies is pretty pathetic. They would fall to the first dedicated attacker. And, indeed, reports like the yearly Verizon report show that they do.
But here's the catch: A company is by definition an entity that exists for the sole purpose of making money. As long as the damage from security incidents is lower than the cost to reduce them, it is actually the correct business decision to not improve security. If you view security without risk management, you are a fanatic.
Assorted stuff I do sometimes: Lemuria.org
These considerations must be balanced.
The problem is that they usually aren't. There is a lot of office politics that usually means that the higher up the hierarchy you are, the less secure your computer is going to be. One company I worked for made a company-wide security check and found a number of open, unsecured dial-in modems attached to phone lines on the one side and desktop computers on the corporate network on the other. All but one of them belonged to managers.
Assorted stuff I do sometimes: Lemuria.org
You mean like using body scanners to detect 'terrorists'?
Like the TSA being tasked to scare terrorists away from interstate highways?
Doesn't the NSA and FBI buy the very same malware.
Unless it is ruled by HIPA, data in the US belongs to the company (and the NSA). A company can construct as little security as they like. The fact their data is also my credit card number isn't their problem. If a credit card is stolen, the card-holder and some other hapless merchant pays the bill. Besides, the clean-up cost after the break-in is unavoidable. So they won't waste money with top-notch security that will be out of date in a month or the NSA will complain about.
TL;DR: Agency that demands open-door access is horrified their enemies have access too.
. . . .who want exceptions carved out, just for them.
Like the C-level people who "need" Facebook and Twitter.
Like the General Counsel who don't want to use the document check-in/check-out system, and THEN complain about losing files.
I could go on, but I'm sure the vast majority of us have had to deal with similar issues. . .
No one WANTS to do security. It doesn't advance anyone's career. On the other hand government is terrible at it too because all it ever wants to do is spend years writing another 2,600 page NIST standard no one can follow.
By "specific and immediate threats", I suppose he means the NSA itself?
Thats a self perpetuating problem... So long as buyers don't reject such software, developers will continue to produce it.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I work for a medium sized financial institution and the level of security is off the charts to the point where you can be fired from walking away from your workstation without first locking it. No computer that is connected or ever has been or will be connected to our internal network is allowed on the internet or to have a flash drive / CD put into it except by approved IT workers (the ports and drives are disabled too).
I can't think of anyone I know who would ever claim their environment was secure, whether I've worked Wall Street, health insurance, defense contractors or any other type of organization that might be typically portrayed as secure. All of these environments have professionals, and all of them are painfully aware of the holes in the system and would fix them if they had the resources. The hard reality is that security costs money and good security costs even more money. Security also has a habit of impeding functionality and in today's environment, this is considered a big deal.
Security is really all about risk management and balancing any given risk against it's likelihood, cost of cleanup and cost of prevention. You can white-list every website your staff are allowed to visit on the Internet and dramatically reduce the number of infected machines, but the cost in terms of staffing, employee morale and retention would be quite high. You can put man traps at every door in your facility, however it would be a foolish waste of money and irritation in 99% of use cases.
Like it or not security is often tied directly to regulatory and compliance requirements. Those environments that have some sort of regulatory and compliance requirement are typically far more secure than those that don't. If you want improved security for the country (wherever your country is) you have to start with regulations and compliance requirements that force companies to institute it to begin with. It's claimed that cybercrime costs $100 billion in the US and $400 billion per year.
Want better security? Get companies to realize that have poor security costs more money than good security.
I call bullshit. There's just no way that I'm willing to accept, prima facie, that 7 out of 10 of your employers tried to actively and illegally hack external accounts and services. Bullcrap!
Any company that is not monitoring their employee's activities, all activities actually, is not taking security seriously. All activity on my network is monitored, logged, and recorded for at least a brief period. Automated systems, intended for information leak prevention, do man-in-the-middle SSL snooping. We can't have some schmuck emailing out people's identities to be sold on the black market, nor can we have proprietary company data emailed to home accounts for use when the employee jumps ship to our competitor. But, it's automated blocking. Credit card number detected, blocked. Company database contents detected, blocked.
Your company is not trying to hack or brute force your external servers. Yer fulla crap!
The bigger the company, more likely it is to be run by accountants. And they hate paying top dollar for computer geeks.
I work for a F500 right now and when I tried to bring up my own concerns with the security measures I was told to implement, I was met with blank stares, followed by, "So, how long will it take for you to [implement the flawed measures]?"
Because I don't care, I am moving forward with implementing the flawed measures. God help them if a real hacker wants to pwn them and appropriate their data.
This is why we need a PE for Computer Engineering. People with professionalism would not allow those issue to happen. The consumer isn't the expert, they rely on experts.
The industry need to grow up.
The Kruger Dunning explains most post on
I've gone through the same stupid shit with Fidelity who continues to push me to setup "secret" questions even though my account is setup to require both a password and the code from a security hard token. So while I currently have real two-factor security they try harder and harder (even temporarily locking out access to my account) to make me compromise my account's security by allowing "secret" questions to bypass the security token.
Grr.
If you work in corporate IT, I'm confident that this story will sound familiar. You know all the tricks, all the ways to secure your network, all the practises necessary to maintain a basic level of security for your company. And they don't even seem that hard to implement. And then you run into the three biggest obstacles. Management, budget, and users.
Case in point, yesterday I had one of my users complain that they kept having to put in their password to open their email client. I reminded her that she did not want her password stored, and she agreed, but argued that she should not have to put it in every time.
Naturally, I have encouraged users not to allow their programs to save their passwords, even though management does not allow me (in nonspecific terms, not specific ones) to completely forbid it. All it takes is a basic complaint from a user and I get an earful from my boss about how I'm making it "harder for them to get their work done" with no room to change his mind.
If this is a problem, you can imagine how difficult it would be to roll out encryption across the company for email, for example. In fact, yesterday I seem to have finally convinced one of our users that not only should she lock or log off her computer when she leaves her desk, but that she shouldn't give everyone who asks for it her password so they can use her computer. We'll see if that one sticks.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
(In regards to physical security) We just installed fancy pants finger print readers and timer locks. HR was the dept driving this project and we found out about it when the install people showed up saying "where's the database server we're going to use?" Management looked at us as though we were speaking Klingon when we asked if they were going to do anything about the glass wall/windows right next to the doors. You can still pop the lock by sliding something like a credit card or drivers license between the lock and the door frame. I find myself wondering if measures similar to what my company did are being done as a window dressing. It's like the big scary barking dog in someone's yard. The owner knows that the dog will in fact just hide under the bed if someone breaks in so they're banking on an outsider not willing to gamble that. Perhaps companies like mine are doing that to give off the perception of uber security to deter the majority of criminals.
Wasn't it just last year that SONY kept gettin' hacked for stupid security? And they weren't the only ones. Just a couple years ago, PC Pro had an article called "Is This The Golden Age of Hacking?". Last year, Ars Technica had an article "Why passwords have never been weaker—and crackers have never been stronger". The state of security on the internet is appalling & that was well known before Snowden woke people up with more facts about the appalling nature of internet security.
Yawn, security consultant says big companies need to hire security consultants. How is this news?
Of course, anyone worth a damn in security knows this...though "anyone worth a damn" culls off at LEAST half the people working in security today. Almost no one has their shit together. There are several major factors I see...
- Lack of understanding and buy in from senior management: Without their buy in nothing will get done. Security touches all aspects of the business and the majority of it is not implemented by the security department itself. Security isn't an appliance you can buy, it's a way of designing and doing things. It's having policies, procedures, and processes in place. It's holding people accountable for doing their jobs PROPERLY, not just keeping the lights on. Its a way for your IT organization to function...not a department which "takes care of security".
- Incompetence within the business: Most IT people really aren't particularly competent. I always wondered when I was in college, "what are all these nincompoops who pass the classes but don't actually understand anything going to do?" The answer is that they will get mid-level jobs in IT and fuck everything up. If you're a sys admin and never patch your systems? You're incompetent. If you're a sys admin and don't know anything about restricting privileges on your system? You're incompetent. If you're responsible for a product and allow it to get to the point where you're on unsupported OSes or, worse, using software written by a company that's out of business? You're incompetent. These people are not doing their jobs, and their management is not doing their jobs by not making basic maintenance practices part of their performance goals.
- Lack of/Broken Processes: When you have processes in place, it dramatically increases the likelihood that things will get done properly. When you allow your environment to run wild and everyone to do whatever they want, things get out of control and you run into major problems. You also waste money not only trying to fix security, but also within the IT infrastructure itself. Security can actually save an organization money sometimes.
- Lack of proper reporting structure: Security should never be part of the IT organization. Never. Security should also not be doing operations work. The department should be an internal audit/advisory group and the responsibility for implementation should lie outside the department. Security almost never controls the systems they audit anyway, so it makes no sense to make them responsible for the state of those systems. Nevertheless, bad managers will try to make them responsible and punish them for not getting things which are completely outside their control done.
- Lack of talent: Try to hire a decent security person. There aren't many out there and there are few managers which even recognize a good security person when they see one.
Its really simple, REAL security costs good money, takes real time and effort and doesn't show immediate results on the bottom line so most companies? Just don't give a fuck.
While you are correct about the costs and effort, the cold hard calculus is whether the costs outweigh the benefits. Just because better security can be done it doesn't always follow that it should be done. For companies that deal with sensitive customer information or sensitive trade secrets there is no question the costs *should* be made to be quite high for bad security if they aren't already. (unfortunately too often they are not) Security is highly similar to insurance. You want enough to ensure that you or your customers aren't bankrupted if there is a problem but there is no point in paying for more than you actually need. There are two questions you have to answer. First, what level of risk are you willing to live with? Second, what constitutes "adequate" security for your needs? The first question is probably easier to answer than the second.
I'll use my company as an example. Almost nothing we do requires substantially better security than you would use to secure your personal bank account and computer files. We have adequate insurance to guard against the risks we are most likely to face (theft, fraud, property damage, liability, etc) and the customer data we deal in generally is not particularly sensitive. When it is sensitive we have measures in place to deal with that to a reasonable degree. We could spend a lot more money on security but quite frankly it really would provide little/no measurable benefits to us or to our customers. Could a diligent individual penetrate our security measures? Sure. Could they benefit from doing so? Not much. Would our customers be hurt? Very unlikely. Would the severity of security breach cost us or our customers more than the cost of the extra security? Not that we can tell. So I ask you should we put a lot of money and effort into extra security despite knowing that there is unlikely to be any tangible benefit in doing so?
The sad thing is, in the enterprise, they do spend the money and they do hamstring the employees with crazy security procedures. The problem is they DON'T actually manage to secure anything.
It's all like the security at Burns' nuclear plant. A series of convoluted Maxwell Smart like procedures to get into the heavily secured control room that is secured by a torn and unlatched screen door on the other side. But it is 'secure' because using the screen door is a violation of corporate policy and that's a firing offense.
It's worse than that. if you even mention security when selling an app their eyes glaze over. Then they buy the totally insecure piece of garbage app that costs $1 less.
Most employers now routinely expect that employees will be paying attention to and responding within the hour to work email at almost all times of all days.
Citation needed. (the article you cited does not support this claim)
Americans work about 10% overtime, completely unpaid, doing this.
Overtime is never (legally) unpaid. If you are salaried there effectively is no such thing as a 40 hour work week and thus there is no such thing as overtime. If you are paid hourly it is required by law that you be paid for any time worked and not doing so can result in some serious consequences.
As much as we all know that corporate IT security is impotent, anything that comes out of the Chertoff group is 100% FUD with the intent to concentrate control over the internet and private corporate networks to the Government which would undoubtedly contract it out to... The Chertoff Group.
What else is the Chertoff Group famous for? Millimeter wave scanners at airports and all the FUD surrounding that program.
Chertoff profits every time the government and public has a knee jerk reaction to some ambiguous threat that his group invents. Did we forget that this is the same guy who always insists that were in a Cyber War and the government needs control over your private networks to prevent the terrorists from doing damage?
Check out some of this guys other work:
http://it.slashdot.org/story/11/02/19/232226/industry-it-security-certification-proposed http://politics.slashdot.org/story/10/10/14/2130246/chertoff-advocates-cyber-cold-war http://yro.slashdot.org/story/10/01/05/1538225/can-imaging-technologies-save-us-from-terrorists http://yro.slashdot.org/story/08/04/13/1830202/us-to-employ-overhead-spying-domestically http://it.slashdot.org/story/07/08/11/1734252/dhs-plans-changes-in-air-passenger-screening
Security is hard. Security is expensive. Security does not improve profits
You forgot that the cost of extra security can easily be higher than the benefit provided. Should I add security for a risk for which I am adequately insured even if the cost of the security would be higher than the cost of the insurance? Security is almost always a tradeoff against operational efficiency and cost. Are you SURE you know where the optimal balance between the two is and have done the math to prove it? (If you say yes I'm going to call you a liar) I don't think I've ever seen an IT manager do a proper cost/benefit (including but not limited to financial) of adding additional security.
Too often security gets foolishly overlooked and underfunded. Other times security can be overkill for the value of what is being guarded. The difficult bit is knowing where the difference between the two lies. If you want to get more funding for security then make a business case for it. It's not as hard as you think.
FTFS:
Companies large enough to afford good security remain vulnerable to hackers, malware and criminals..."
You mean, like the NSA?
"...because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats..."
You mean, like the NSA?
'As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they're doing,' Winter said.
The same companies, among others, that the NSA and FBI and whatever other government agencies routinely bully into giving up security, or else? If government is going to buttfuck you for having good security, why bother?
During almost 28 years at the National Security Agency (NSA), Winter established the spy agency's Technology Directorate and served as the agency's first CTO.
So, all this coming from someone who helped create the self-same deplorable situation he's crying about? This is as ironic as some asshole going around breaking into homes, attacking people while they sleep and raping them, and then complaining when someone breaks into his home and sodomizes him with a baseball bat.
Life, ultimately, boils down to the Four Fs: Fighting, Fleeing, Feeding, and Mating.
There is no such thing as security. Only mitigation of risk to an acceptable level.
The second thing to keep in mind is that, in these corporations, all goals are skewed towards short term performance and the executives milking out as much cash for themselves as possible.
If putting off the investment in security this year gets them a bonus this year then who cares what happens next year?
Ensuring that input is properly sanitized is one that comes to mind, because I've seen problems with it by people who should have known better.
Uh, how exactly do you propose doing that on every internal application used by the company - 99% of which have no source available? Do you think that the software that runs the robots on your manufacturing line properly sanitizes input?
All a hacker needs to do is break into some server running insecure "enterprise" software and then log all the passwords entered on it.
Thats a self perpetuating problem... So long as buyers don't reject such software, developers will continue to produce it.
IT Security has almost no impact on purchasing decisions. Most businesses aren't going to say, "well, looks like the vendor who makes this great piece of measuring equipment writes software that is easy to use, effective, and insecure - so we'll just decide not to buy it and let our competitors make the breakthroughs in that domain." Likewise when they spend $400k on the piece of equipment and IT comes along in 3 years to tell them they need to throw it away because the OS is no longer supported and the vendor has no upgrade available without buying a new instrument, guess what they'll say?
Security done right improves profit.
Not necessarily. Sometimes it is cheaper to just insure a problem than to improve security. Sometimes the security costs more than the loss that would be incurred by not worrying about it. Sometimes you are correct and adjusting or adding security measures is economically sensible. Not all security problems are created equal and not all of them can be economically mitigated by adding more/better security.
Research has proven that you can actually more than get back the cost of spending money on good security and turn a profit by having less bugs and flaws in your systems.
Sometimes true. Sometime not true. It depends on the risks you face and the cost of mitigating them. It is not as simple as more security = better ROI in all cases.
I actually propose you learn how to read and think better. Do it.
"First they came for the slanderers and i said nothing."
Until IT staff have the same power and ability to lean back on a state license like an engineer or architect and say "no" to dangerous, illegal, or just plain stupid demands from end user, management, and shareholders, this will not change.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
Let's be honest here.... Even ignoring the fact that it's a former NSA character passing along this supposed fact that corporate security is abysmally poor? (Just a couple stories above this one on Slashdot today, we see where the FBI is forcing companies to either hand over access to the root SSL certificate they use or shut the entire business down, and generally doing so with "secret" court orders. How do good security solutions work if govt. agencies can bully places into handing over the keys?)
The fact is, most security analysts I see hired by big businesses are paid to be the "fall guy" when something major goes wrong. Nobody can really guarantee they've succeeded in security an internet connected site from attackers. I mean, even if the analyst made NO mistakes and didn't miss a single thing (and that's not exactly human nature) - he or she didn't design all of the corporate firewalls from scratch. The (typically Asian) manufacturer may have inserted a back door at the chipset level. He/she can't be sure there aren't software vulnerabilities in the wild that aren't published or documented officially. He/she can never tell when another employee or contractor, trusted with certain passwords, decides to share them.
I think in most situations, setting up all of the basics with "best practices" (you know... actually HAVING a firewall in place that blocks incoming connections on all ports except the ones you designate as needed for things, not using default passwords for any of your gear or databases, doing all the security patches and updates as they're released, etc.) puts you in a reasonably good situation, security-wise. Your regular I.T. staff can handle all of that, without paying for a specialist.
Beyond that, you're paying for people with a lot of textbook knowledge and usually a certain amount of arrogance, who wind up implementing rules that hinder everyone's ability to get daily work done. This leads to lower morale and MORE risk of employees bypassing security protocols out of resentment. So where's the real benefit in paying inflated salaries for all of this? You have a specific name to pin things on if it goes horribly wrong.....
They don't beef up security because you always have to build the costs security into your initial business plan, usually by paying extra for an endorsement in your insurance policy. In fact, even if you *have* strong security you *still* have to do this.
At least this is what happens if you're European. Americans have so thoroughly gutted their class action laws that most sectors don't have to spend money on this if they don't want to. And you don't even *have* privacy laws. So what's the point of spending extra money on hardening if you still have to shell out 10k on the policy? The worst that happens is the company is the victim of IP theft *without knowing it was ever targeted,* thereby enabling a Chinese company to beat it to the IP Office.
Meanwhile, insurers are smart enough to defray any truly severe costs with various reinsurance policies. Unless computer security issues get as bad as the NSA officials say they will -- and all research indicates that they've been lying about everything from the get-go -- those of us who work in reinsurance just make money on it.
FWIW, those of us in reinsurance are currently shitting our pants over climate change. Security? Not even a blip on the horizon.
These considerations must be balanced.
The problem is that they usually aren't.
Not very likely - if they actually bothered considering software security - ms windows would be the first to go. Or if it stays somehow, you definitely loose outlook+office. Security is interesting, and there are good alternatives to the above mentioned products. But so many people just don't want such considerations . . .
Take this with a grain of salt. After all, this was the keynote speech at Splunk's 2013 Conference, and Winter's solution is embracing big data, which just happens to be Splunk's market. I was at last year's conference, and there was a vaguely detectable reality distortion effect during the keynote speeches - the usual preaching-to-the-converted you tend to get at this type of event.
Don't get me wrong, Splunk is a great tool for security. But this smacks of an advert disguised as news.
Splunk's licensing is very expensive. It's the usual trade-off of $$ vs security.
It gripped her hand gently. 'Regret is for humans,' it said.
Funny how the most secure organization in the world let Snowden just walk out the door with everything on a flash drive.
Clueless hypocrite.
--- Generation X: The first generation to have SIG lines inferior to their parents... ---
"It would be completely unsurprised if they stole the plans."
who is 'it'? your transexual mother?
hahaha captcha = "woeful", like ur engrish d00d
To start: firewall zone on Internet, firewall zone for critical servers, firewall zone for lesser servers, firewall zone for executive computers, firewall zone for freelance ethernet and wifi, then intrusion software monitoring all. Application firewall on all computers (for e.g. ESET Smart Security).
The fact that someone was able to access and get out of the NSA systems the range of data that Snowden was apparently able to do was a demonstration of a dramatic failure in security compartmentalization in the NSA. For an ultra-high security setup, the systems administrator needs to have file access to move stuff around, but should not have data access to the internals of the databases. The content people -- analysts and the like -- need to have secure db access to those projects and that data appropriate to their roles, but should not have direct copy access to the files. It sounds like this guy Winter talking about abysmal corporate security would have had a hand in setting up those failed NSA systems. So, is Winter out there talking about how companies should not do as he did?
Speak any English? Or just Chinese?
I actually propose you learn how to read and think better. Do it.
Have anything constructive to contribute?
Most of the security flaws are in internally-facing applications. How do you propose sanitizing input on those, considering most are not open-source? Selecting vendors for security means not selecting them for other attributes, like business value.
This is a bigger problem than "just taking security seriously" which is why it is such a big problem.
It's not clear to me that you aren't a retarded troll, but a lot of companies write some of their own software. Why do you have trouble thinking of these kinds of things?
"First they came for the slanderers and i said nothing."
It's not clear to me that you aren't a retarded troll, but a lot of companies write some of their own software. Why do you have trouble thinking of these kinds of things?
Obviously when companies write their own software they can sanitize their inputs.
Well, if they can be bothered to hire competent developers. Since the incompetent ones cost a lot less...