Slashdot Mirror


Facebook Security Chief Says Its Corporate Network Is Run 'Like a College Campus' (zdnet.com)

An anonymous reader quotes a report from ZDNet: Facebook's security chief has told employees that the social media giant needs to improve its internal security practices to be more akin to a defense contractor, according to a leaked recording obtained by ZDNet. Alex Stamos made the comments to employees at a late-July internal meeting where he argued that the company had not done enough to respond to the growing threats that the company faces, citing both technical challenges and cultural issues at the company. "The threats that we are facing have increased significantly and the quality of the adversaries that we are facing," he said. "Both technically and from a cultural perspective I don't feel like we have caught up with our responsibility. The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost," he said.

9 of 85 comments

  1. Hacked by geekymachoman · · Score: 5, Interesting

    Well, considering their 1.2 billion people DB hasn't leaked.. I guess they're doing an OK job, compared to, let's say, Yahoo... who have been hacked like 3 times in 5 years? Or LinkedIn. Or Equifax.. or ..

    1. Re:Hacked by Opportunist · · Score: 4, Interesting

      Well, if you run your network like a college campus, you probably wouldn't know if you're being hacked.

      So ... let's put it that way, when you're blind, you can't see the elephant standing in front of you as long as he doesn't step on your foot.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Hacked by Anonymous Coward · · Score: 4, Interesting

      OR, if you're running a college campus network, you assume it's the worst combination of raw internet and bored / mischievous students; so the network itself you treat as untrustworthy and build better systems on top. You assume constant hacking so you build systems tough rather than complacently relying on 'defense contractor firewalls'.

      Let's hope that's what's happening.

    3. Re:Hacked by skids · · Score: 3, Interesting

      Pretty much... I've had to evaluate security solutions hailing from the corporate sector for application in .edu, and I have to say so many of them put a disturbing amount of trust in their ability to lock down the client OSes. Now, this makes them pretty much useless in an environment where joining the majority of devices on the network to a domain or MDM is just plainly not an option (the users won't stand for it, and even if they did, we have continuing-ed users with conflicting configs on the work laptops from other companies which they bring to class). But even if we were able to do so, you should pretty much never trust client machines, even if you've gone all in on the even-with-TPM-won't-even-boot-BIOS-unless-connected-to-a-cloud-verification-service crap. You have to harden the infrastructure as if it were an internet-facing service (while still doing what you can on the network layer to restrict access and at the OS layer to keep machines updated).
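The point made by the Anonymous Coward and skids above (treat your own LAN as untrusted and authenticate at the service, with network filtering as a secondary layer rather than the control) is easier to see in code. The following is an added example, not code from the thread or from Facebook or any university: it contrasts an authorizer that trusts any source address in an "internal" range with one that requires a fresh, valid HMAC signature from a known client on every request. The service key, client names, request fields and sample requests are all constructed for illustration.

```python
"""Added example (not from the Slashdot thread): network-location trust versus
per-request authentication. Every name, key and request below is constructed."""
import hmac
import hashlib
import ipaddress
import time

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Constructed shared secret; a real deployment issues per-client keys from a secret store.
SERVICE_KEY = b"example-service-key-not-a-real-secret"
KNOWN_CLIENTS = {"payroll-batch": SERVICE_KEY}   # constructed client registry
TOKEN_TTL = 300                                  # seconds a signed request stays valid
NOW = 1_700_000_000                              # fixed clock so the run is reproducible


def sign_request(key, client_id, path, ts):
    """HMAC-SHA256 tag a legitimate client attaches to one request."""
    msg = f"{client_id}|{path}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def campus_style_authorize(request):
    """'Inside the perimeter means trusted': the only check is the source address,
    which any compromised host, bored student, or spoofed packet on the LAN satisfies."""
    return ipaddress.ip_address(request["src_ip"]) in INTERNAL_NET


def hardened_authorize(request, now=None):
    """Treat the caller like an internet peer: known identity, fresh timestamp and a
    valid signature are required regardless of source address. A network-layer
    filter can still sit in front of this; it just isn't what the decision rests on."""
    now = time.time() if now is None else now
    client_id = request.get("client_id")
    if client_id not in KNOWN_CLIENTS:
        return False
    ts = request.get("ts")
    if not isinstance(ts, (int, float)) or abs(now - ts) > TOKEN_TTL:
        return False  # stale or missing timestamp: a captured request cannot be replayed later
    expected = sign_request(KNOWN_CLIENTS[client_id], client_id, request["path"], ts)
    # Constant-time comparison so the tag cannot be guessed byte by byte via timing.
    return hmac.compare_digest(expected, request.get("sig", ""))


def legit_request():
    """A real client on the internal network with a freshly signed request."""
    return {"src_ip": "10.20.30.40", "client_id": "payroll-batch", "path": "/export",
            "ts": NOW, "sig": sign_request(SERVICE_KEY, "payroll-batch", "/export", NOW)}


def rogue_lan_request():
    """A machine on the same subnet with no credentials: right address, bogus signature."""
    return {"src_ip": "10.20.30.41", "client_id": "payroll-batch", "path": "/export",
            "ts": NOW, "sig": "0" * 64}


def evaluate():
    """Run both policies over the constructed requests; the replay case resends the
    legitimate request with the service clock a day ahead."""
    return {
        "legit": (campus_style_authorize(legit_request()),
                  hardened_authorize(legit_request(), NOW)),
        "rogue_lan": (campus_style_authorize(rogue_lan_request()),
                      hardened_authorize(rogue_lan_request(), NOW)),
        "replay": (campus_style_authorize(legit_request()),
                   hardened_authorize(legit_request(), NOW + 86400)),
    }


if __name__ == "__main__":
    for name, (campus, hardened) in evaluate().items():
        print(f"{name:10s} campus={campus} hardened={hardened}")
```

The address-only policy passes all three requests; the hardened one passes only the freshly signed request from a known client and rejects both the credential-less LAN neighbour and the day-old replay. That is the practical content of "harden the infrastructure as if it were an internet-facing service": the network position of the caller is not the authorization decision.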

  2. Re:Good on them! by Kokuyo · · Score: 3, Interesting

    That is true, however it's not the point of this story.

    It was also true for Equifax, wasn't it, and still they were breached due to negligence.

    This is more a matter of one company trying to do the minimum while others will happily gnaw at their last leg or sit there watching contentedly while their house is being washed down the river brick by brick.

    The only tragedy is that doing what you're supposed to do has become such a rare event for corporations that it's news-worthy. If it was due to actual ethics, it would be the proverbial unicorn.

  3. That's not going to help. . . by Salgak1 · · Score: 3, Interesting
  4. College Campus? by Big Hairy Ian · · Score: 5, Interesting

    Speaking as an IT Professional working at a large University I can assure you we take network security very very seriously. I believe Facebook would be envious of our network security teams.

    --
    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  5. Re:One example by GuB-42 · · Score: 3, Interesting

    And I've worked with defense contractors with abysmal security... They had safes, paper shredders, badges, special networks, all that stuff but it was just a facade. People shared passwords and used personal USB keys to transfer data, it took so long getting physical access that tailgating was the norm, airgaps weren't, outdated software, the IT department was so incompetent that bypassing it was almost a requirement for getting things done. While working there, I stumbled upon several gross vulnerabilities without even trying.
    At school, students had much more freedom but at least the network was sane, and the IT department was not the friendliest place on earth but they did the job.

  6. So, they will lock the network down to be useless? by enjar · · Score: 3, Interesting

    Running joke from my buddy that works at a defense contractor is that if you can do your job, the network isn't secure enough. It's amazing the hoops he has to jump through to perform functions and obtain permission to perform functions that are actually enumerated in his job. Oh, and of course, they are told to just assume the network is compromised, anyway. There are good security reasons for some of the restrictions, of course -- but there's no denying that having a very locked down network requires significant investment on the IT side as well as slowing down the jobs of the people actually trying to use the network.