Slashdot Mirror


User: Bargeld

Bargeld's activity in the archive.

Stories
0
Comments
16

Comments · 16

  1. Re:Why not IIS? on Attack On a Significant Flaw In Apache Released · Score: 1

    @Amouth:
    This is just completely wrong. WTB mod points...

    Seriously man, fire up a sniffer and try it, see for yourself.

  2. Re:This is too fun on Microsoft Blames Add-Ons For Browser Woes · Score: 3, Funny

    >>I like the sex analogies; I think this should be a new standard for /.

    Nonstarter. Reader-base is unfamiliar with the interface.

    Back to car analogies please.

    --Bargeld

  3. Re:All hail the new king, same as the old king. on Obama Significantly Revises Technology Positions · Score: 1

    >>no one talks about Biden running for Dick Cheney's 3rd term.

    Are you seriously suggesting that Joe Biden is the same sort of man, at his base character, as Dick Cheney?

    You should be ashamed of yourself.

  4. Re:On a related subject... on Automated News Crawling Evaporates $1.14B · Score: 1

    Cocaine effectively evaporates.
    Hookers, however, only evaporate if you're into a very special kind of kink.

    Uh, not that I would know.

  5. Re:Self-serving horseshit on Information Security Is Becoming Infrastructure · Score: 1

    Time :(
    Wish I had a better answer. There might be one.

    PS: My "drones" snark is directed more at consultancies selling BS than at inexperienced-but-learning security people trying to do their job. Used to be in charge of a security consulting practice, and was sabotaged endlessly by a sales force positioning my team as "all created equal", or promising that in a pinch _I_ would personally deliver every engagement, so boilerplate SOW's are just fine. It's all about the billable, baby...*sigh*

  6. Re:Self-serving horseshit on Information Security Is Becoming Infrastructure · Score: 1

    If you took a bright programmer on each team, and had her focus on security issues as a primary responsibility, I think you'd develop a fantastic core of security expertise on project teams. Certainly better than the drive-by security types that dominate the field. Slowly but surely, I see more companies "getting this". It's been many years since I've had trouble finding "that guy", the bright dev or admin who also gives a shyt about security, who WANTS to be the evangelist, the translator, and work together with infosec from 'go'. The opposition to this approach is usually bureaucratic, rooted in upper management who historically view infosec as adversaries (and to be fair...many security professionals, even experienced ones, HAVE frequently been adversarial and authoritarian).

    I see good things at the (grossly large and management-burdened) financial that I'm working for right now. They get it, lately. If this old dog can learn new tricks, there's hope.

  7. Re:Self-serving horseshit on Information Security Is Becoming Infrastructure · Score: 1

    Well damn, wish I'd read your reply before I posted. Far more eloquently stated than I put it. /salute

  8. Re:Self-serving horseshit on Information Security Is Becoming Infrastructure · Score: 5, Interesting

    Of course, security consultants think that security should be left to the professionals. (ie, them) Because it should. Or more accurately, oversight of it should. But when you have security-savvy architects, project managers, and (rarely) business-line managers, it makes the need for micro-managed technical oversight MUCH less. But no matter what, someone needs to be managing the big picture of risk across all the silos of expertise.

    Security consultants like to put that "CISSP" on email signatures and business cards because it makes them sound like doctors or lawyers, but at the end of the day, nobody really gives a shit. Amen :) It's always struck me as a grandiose, sad conceit...and I _AM_ a CISSP. It'll be a cold day in hell when I throw it around like a badge of pride, let alone authority, because frankly, it's a mediocre standard. Management at my last employer forced me to write the exam "to make our practice more credible to clients", and I spent a whopping 2 days "studying". The bar it sets is...very low. Not bad for a foundation, but not good for much else.

    I've been doing infosec work for over 17 years now, and IMO, the "problem" as it were, is that the demand for expertise has utterly outstripped the experienced pool of talent.

    Net result? Exactly what you observe: "cash cow security" that is more focused on implementing wildly expensive (and frequently Rube-Goldberg-esque) technology solutions. Why? Because the inexperienced security practitioner immediately and inevitably turns to vendors for "turn-key solutions" to every risk (and many non-risks :)

    Conversely, the much smaller number of people with substantial experience in the trenches are the ones who might point out that a $50,000 security awareness campaign _just might_ reduce net risk a WEE BIT more than a $3million 17-tier-firewall-atrocity. Or that a 10-man-hour risk assessment by security professionals attached to EVERY project's design phase _just might_ have a better chance of reducing risk than a $30k penetration test of every project by an external vendor that is 9 times in 10 a glorified canned vulnerability scan by a junior drone.

    Not much of this is likely to change anytime soon. Sad to say, information security is still a very young and immature science. Things won't get better until the experience-pool gets deeper.

    --Bargeld

  9. Re:How do you handle the following issues? on Should IT Shops Let Users Manage Their Own PCs? · Score: 1

    You've never managed a real enterprise-scale network, have you?

    1.-3.: "Backups exist"...heheh...nightly, for every desktop in a 10,000-50,000 user environment? With thousands of mobile users? GLWT. Further, good luck re-imaging '36 Flavors of OS' (better be able to do it remotely too!), each of which has been customized by the unmanaged end-user.

    6.: "Enforce running AV"...exactly how do you propose to do that in an unmanaged environment where an end-user can disable AV at will. Oh sure, you can spend a mint on proprietary NAC solutions to enforce active AV services upon private network entry. And then watch as the user "disables their AV for 'just a little while'" while at home or some hotel on the road, downloads a terminal case of digital-HIV, then turns that laptop back on when they're back in the office. Hilarity ensues.

    In fairness, your points about email (4/5) are absolutely valid. No excuse for any professional organization botching that (unless you count seedy email-(non)retention-aka-cover-our-arse-legally policies, but that's a layer-8 collision).

    (I suppose I should also qualify with the obvious, that "the above rules may not apply" for a purely technology-based corporation, a la Google, where the end-user is probably already more competent than the average "500 pc windoze XP" ub4r system administrator.)

  10. Re:3Com's history on 3com to Compete with Cisco · Score: 1

    Same experience here. In fact, the shop I was at had the very first "outside of 3Com" CB9k. We did pre-release testing and evals on pretty much every piece of infrastructure gear they made in the late 90s. The Netbuilders were utter shyt, but the high-end core switching was pretty nice, certainly comparable to the best Cisco had to offer at the time.

    And then the other shoe dropped. "We" (myself and my fellow consultants...network engineering for this client was staffed entirely by the company I worked for) warned them...we were all Cisco and Bay geeks to begin with tho, so we were discounted. And then 3Com dropped the bomb: discontinued, no support, switch to Foundry, yadda yadda.

    Ironic that as one of their purported "premier clients", the first we heard about the decision was the press release on the web the morning they released it.

    Never again.

  11. Woe and Misery on 3com to Compete with Cisco · Score: 1

    Having had the misfortune of working extensively with 3Com's old Netbuilder line of routers 5-10 years ago, all I can say is: setd -bollocks !3com

    At least they seem to have the good sense not to try and compete in the mid-to-high-end market this time around.

    I recall having a 2-month long "support war" with their engineers (we were at the time one of their premier clients...director of IT was even on their technical advisory committee if memory serves...you'd think we'd rate good support).

    I wanted to do some basic network management on their Netbuilder 2 dual-cpu models. But the numbers I was getting back via snmp made no sense...4000% steady utilization on one, 0% pegged on another, and...heheh...negative utilization on a third, for example. After months of wrangling, I finally got one of their developers to admit something along the lines of "well, it was too hard to accurately calculate utilization with a second CPU, so we just populate the value with a random number."

    Brilliant workaround :)

    --Bargeld

  12. Re:Devils Advocate on New Overtime Rules Have Short Shelf Life · Score: 1

    >>When I pay one of my few staff I expect them to work as hard for the company as I do.

    You have several good points, but the assumption above is sufficiently off-base that I have to call BS on you.

    "Work hard", absolutely. Work as hard, in terms of hours invested, as the owner of the company? No way. Not unless you're compensating them with equity in the business.

    I think you're forgetting that business owners reap substantially more reward from the time they put into their enterprise. It's absurd to _expect_ employees to consistently detract from the quality of their personal life...which is ALWAYS more important than any job...for no particular reward.

    (And I do realize that, to one degree or another, that's in line with some of your other comments as far as how you treat your own staff. But the original statement remains worthy of re-consideration.)

    --Bargeld

  13. Re:Create a honeypot on Dealing with Intruders? · Score: 1

    And conversely, if you ARE "completely sure your network is 101% secure", you really ought to lay off the potent mind-altering drugs.

    Incidentally, in my experience, the hacker in these scenarios isn't likely to be "really pissed", just mildly annoyed that he can't fire up his eggdrop or warez site. They'll play for a bit, to get some attention, and then move on to greener pastures.

    --Bargeld

  14. Re:Ignoring it == raising criminals on Dealing with Intruders? · Score: 1

    It's not quite that apt of an analogy. The Internet IS a public network. A closer analogy might be: if you leave a newspaper you bought lying on a public park bench, is it illegal for someone to pick it up and start reading it? Even that isn't a particularly good comparison.

    Mind you, this is assuming that any given service _doesn't_ have an explicit disclaimer that the system is a private one, and only 'authorized access' is permitted for any given content or resource.

    The US federal code (title 18 USC) is pretty clear on this point, with emphasis on "knowing intent to defraud" "without authorization". State and local laws in the US are sometimes more broad in regard to "intent", so YMMV, IANAL and all that whatnot :) But as a rule of thumb, even "logging in as [user other than yourself]" isn't demonstrably a crime in and of itself. What you do after the fact determines the intent.

    --Bargeld

  15. Re:Been There Done That on Testing ISP Censorship · Score: 1

    Incidentally, the ISP which subjected me to this little episode of guilty-until-proven-innocent was a Jersey outfit called Cybercomm Online Services. They recently sold out to another company, which hopefully will handle matters like this more responsibly.

    --Bargeld

  16. Been There Done That on Testing ISP Censorship · Score: 2, Interesting

    I used to be the guildmaster of an Ultima Online group. Ran the guild website from my own ISP shell account, until a member joined who happened to run a web hosting business. She offered to host the content (which had been created by myself and 2 other members), and she also went and registered a domain name for the guild. Unfortunately, a year later, she and her daughter were causing some serious interpersonal nastiness with other folks in the guild. She quit, and I asked her daughter to leave as well. We just went back to using my original website, and thought that was that.

    A few months later, out of the blue, my ISP chown root's all my website files and disabled the site. No email notification, no phone call, nothing...mind you, I'd been a customer for almost 10 years. I called them and asked what was going on. Apparently, the ex-guildmember called up my ISP with some other lady on the line who she claimed was her attorney, and proceeded to throw a fit, threatening to sue both me and my ISP for copyright infringement. As proof, she showed them her website (with all the copied content from my own), and told them that since she owned the guildname.com domain, it was obviously hers. No Cease and Desist letter, not even formal identification of this supposed attorney's credentials...just a phone call threat, and they shut me down without so much as a notification that they'd done so.

    Fortunately, once I gave them my own dose of invective, and demanded that the ISP provide me with the contact information for THEIR attorney, so I could sic my own on them, they caved and restored the site. Amusingly, they later forwarded me the email sent to them by the psycho-ex-member: the crux of her complaint was the assertion that "content belongs to the host and domain owner, not the creator". Apparently her "attorney" wasn't too familiar with copyright law :) Regardless, it's disgusting and troubling that it's so easy for a malicious person to simply shut down a site that they don't like, purely on hearsay.

    --Bargeld