
Security Pros Bemoan the Need for Focus

Posted by CmdrTaco
from the thinking-one-step-ahead dept.
Ant writes "Computerworld has an article about more proactive initiatives falling by the wayside. Operational and tactical considerations continue to dominate the IT security agenda, despite a growing need for more strategic approaches to data protection."
  • Giving Up (Score:5, Interesting)

    by Anonymous Coward on Sunday November 14, 2004 @11:24AM (#10813149)

    Some people I know are so fed up with the state of internet security (viruses, trojans, spyware, spam, etc.) that they are actively considering disconnecting their main systems from the internet altogether and only using a dedicated machine for access.

    Shame that security has got so bad that people are now retreating from public networks. If that's how it is now, in 2004, what's it gonna be like in 10-15-20 years from now? I shudder to think.

    • Re:Giving Up (Score:3, Interesting)

      by digitalsushi (137809)
      I'd have to ask why a company's main systems are online at all. I was disturbed to learn my bank's accounting system is online. Why should it be? I asked them. They said they didn't need it to be, it was just that they have only one network. Oh, good.


      • At the company I work for:

        - We have multiple websites selling direct to the customer
        - The websites all connect to our back-end inventory system
        - Some websites connect through to a bank to process credit cards
        - Some websites connect through to a fulfilment system (others rely on the inventory system's connection to a different fulfillment system)
        - The call centre apps connect to the same inventory and fulfillment systems
        - A shop network connects through to the same inventory and fulfillment systems
        - Various
    • Re:Giving Up (Score:2, Interesting)

      by mordors9 (665662)
      You can't really blame them for giving up. Lawsuits are going to get worse against companies that get hacked and private information gets out on the internet. It also seems like the nature of people on the internet has changed. It used to be that most of the geeky types that tried to hack a box did it just for fun. We would get in just to see if we could, then maybe leave a note to the Sysop that his system was open. Oftentimes he didn't change anything because he didn't care as long as no one screwed anyt
  • by digitalsushi (137809) <slashdot@digitalsushi.com> on Sunday November 14, 2004 @11:29AM (#10813171) Journal
    I am a sysadmin, a poor one, and I can definitely say I could spend 100% of my time trying to patch holes and cracks in our system and still not have enough time left over. And I have a sneaking suspicion that someone who knows what's going on could redo our environment entirely such that I wouldn't have to. What an unfortunate thing! I don't even know what I'd do with all those extra resources freed up. I think our company had something to do with turning profits, long ago ...
    • by Spoing (152917) on Sunday November 14, 2004 @01:09PM (#10813665) Homepage
      I am a sysadmin, a poor one, and I can definitely say I could spend 100% of my time trying to patch holes and cracks in our system and still not have enough time left over. And I have a sneaking suspicion that someone who knows what's going on could redo our environment entirely such that I wouldn't have to. What an unfortunate thing! I don't even know what I'd do with all those extra resources freed up. I think our company had something to do with turning profits, long ago ...

      Security is tough...though doable. The general idea is to secure your systems well enough so that if a new exploit occurs it is difficult to impossible for the exploit to impact your unpatched systems.

      General tips:

      1. Simplify; run only what you absolutely need on any system. Remember that even simple programs have been exploited in the past, so don't fall into the "that's just a harmless ________" trap.
      2. Isolate; don't just keep minimal systems exposed to the internet, keep all systems visible on a 'need to know' basis. If the database server only talks with the intranet web server and the accounting database, make it so only those machines can see the database. If something breaks, or a developer needs access, either change the router or treat the database as a remote resource and have the group use an SSH tunnel.
      3. Automate; whatever can be automated, automate. Keep in mind that updates can break systems in some way, though focused patches tend to be fairly harmless. Have rollbacks enabled so that any damage can be reversed without resorting to backups. (You do back up everything, right? Nightly incremental backups + occasional full backups.)
      4. Hire me; I'd be glad to charge, er, help you out with this. Reasonable fees and all that.
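    The "isolate" tip above, as an added example that is not part of the comment: a small POSIX shell script that generates a default-deny iptables INPUT policy for a database host so that only an allowlist of peers can reach the database port, plus the SSH tunnel command a developer would use to get in through a bastion. The addresses, the port (5432, PostgreSQL) and the bastion host are assumptions; the rules are printed rather than applied so they can be reviewed before they touch a live box.

    ```shell
    #!/bin/sh
    # Added example, not the commenter's own script. Generates (does not apply)
    # a default-deny INPUT chain for a database host. All hosts/ports below are
    # assumed values for illustration.

    DB_PORT=5432                          # assumed: PostgreSQL
    ALLOWED_PEERS="10.0.1.10 10.0.1.20"   # assumed: intranet web server, accounting server
    ADMIN_HOST=10.0.0.5                   # assumed: bastion that developers tunnel through

    # Emit the iptables commands for one database host.
    # $1 = database port, remaining args = peer addresses allowed to reach it.
    db_isolation_rules() {
        port=$1; shift
        echo "iptables -P INPUT DROP"                                  # default deny: nothing else is visible
        echo "iptables -A INPUT -i lo -j ACCEPT"                       # loopback stays open for local tooling
        echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        for peer in "$@"; do                                           # only the listed machines can see the DB
            echo "iptables -A INPUT -p tcp -s $peer --dport $port -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp -s $ADMIN_HOST --dport 22 -j ACCEPT"   # SSH only from the bastion
        echo "iptables -A INPUT -j LOG --log-prefix 'db-denied: '"     # log what the policy rejected
    }

    # The developer side of "treat the database as a remote resource":
    # forward local port 15432 through the bastion to the database.
    # $1 = database host, $2 = database port.
    ssh_tunnel_command() {
        echo "ssh -N -L 15432:$1:$2 $ADMIN_HOST"
    }

    # Review the generated policy; pipe through "sh" as root to apply it.
    db_isolation_rules "$DB_PORT" $ALLOWED_PEERS
    ssh_tunnel_command db.internal "$DB_PORT"
    ```

    The policy is default-deny with a LOG rule at the end, so a developer who "needs access" shows up in the logs instead of silently failing, and the fix is to extend the allowlist or use the tunnel rather than to open the port wide.
    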
  • It is what IT is.
  • It sounds like security professionals are annoyed that they have to focus on anything. Wouldn't a more accurate headline be

    "Security Professionals Bemoan Lack of Focus"?

    Right now, it just sounds like security pros are whiny babies that don't want to do their jobs.
  • by Boss, Pointy Haired (537010) on Sunday November 14, 2004 @11:56AM (#10813282)
    "Issues such as network access control, intrusion detection, network operations and help desk functions can take up much of a security staff's working hours", said Popinski.

    I think this guy's just pissed that he doesn't have enough time to surf Slashdot at work.

    The Java Web Start sandbox environment may be a bit too limited for some applications, but it is secure and more applications are being written for it all the time. Sun is also improving it with every release. In this environment you don't have to trust the code, or the software vendor, w.r.t. manipulating your hard drive, network interfaces, keyboard, or even the clipboard.

    For more secure Java Web Start info: http://www.scheduleworld.com/itsYourLife.html [scheduleworld.com]

    • I am really impressed by JWS. I clicked on a link to a JWS app the other day, and it downloaded and ran (safely, in a sandbox) with no more interaction (on a Mac. I've not tried it on other platforms). The app itself didn't even come close to conforming to the platform's HIGs, but the deployment technology was very impressive.
    • Considering Sun's opinion of FOSS (... What is Sun's opinion of open source? It is not 100% support of FOSS; maybe 30% support?? ...), I have trouble trusting anything related to Sun. What patents do they hold? When will they spring something on "us"?
      I would just as soon see Sun die. (If I could trade DEC for Sun, I would do so in a nanosecond. I don't know how far out of date is Alpha development, but with Intel, etc. hitting the wall w.r.t. single cores, I wonder if smart, rather than just fast an
  • My thesaurus lists "tactics" as a synonym for "strategy."
    • My thesaurus lists "tactics" as a synonym for "strategy."

      Then you need a new thesaurus. Tactics refers to planned operation activity in the short term and usually in a small area. Strategy refers to a broad overview of planned activities.

      • I think I understand the distinction between "tactical" and "strategic" now, but what is "operational"?
        • "[The operational level] is the link between strategy and tactics. Action at the operational level aims to give meaning to tactical actions in the context of some larger design that is itself framed by strategy."
  • I've been thinking about this quite a bit. I know that there are a ton of unscrupulous businesses and persons out there releasing spyware/malware and spamming, et al. In addition to that, I can't help but think that a lot of issues people have is that they treat computers largely as they would an appliance. It does some specific tasks and should continue to do so with as little human intervention as needed, at least in their eyes. When people realise that computers take a bit more commitment and dedication
    • That's the problem, computers are too complicated for ordinary users. Unless you spend hours and hours locking things down then your system will be vulnerable.

      You shouldn't need a degree in network security in order to connect to the internet, but unfortunately that's the reality.

      Also, a lot of people that own computers never use them to their full potential. If all you need is a word processor, then buy a word processor.
      • by Anonymous Coward
        You shouldn't need a degree in network security in order to connect to the internet

        In a sense, you should. The Internet is just a means of routing packets. Clearly, it can't provide security between you and some other system.

        That other system might be benign, or it might have every intention of attacking you if you give it the slightest chance. So, who's responsible for making you safe when you connect? You are, inevitably.

        It would help a lot if you were able to choose a system which is secure by de
  • A serious issue... (Score:2, Insightful)

    by beaststwo (806402)
    I've been working with medical research organizations that are having to deal with 21 CFR Part 11 restrictions on restricting access and ensuring data integrity as part of the FDA process for clinical trials. It is a much more strategic approach than the traditional "patch and fix" approach taken by other IT organizations I work with.

    When I first saw the FDA requirements, I was horrified, but after thinking about it a while, I started wondering why all systems don't take this kind of approach.

    It comes b

    • It's all related to the original Good Manufacturing Practice processes. Pros: our implemented stuff is *bulletproof* and identical down to LRF* level on the boxes. Cons? What might take an afternoon on an unvalidated system can bloat out to a month's project under GxP.
      I think that any system that has serious potential for abuse should go under similar levels of attention to detail, whether it's financial or contains significant personal details.
      however, try convincing big business they need to spend
  • by Proudrooster (580120) on Sunday November 14, 2004 @12:20PM (#10813399) Homepage
    "What's really needed is more of a strategic planning process that involves business executives and technologists," Spinelli said. Instead, security managers all too often offer "nothing by way of a long-term strategy" for IT security.

    In just the first two paragraphs alone I was able to fill up my BULLSH*T BINGO card [perkigoth.com]. Let's see if I can write a useless statement containing lots of buzzwords. What's really needed is a short-term strategy with long-term synergistic goals that transcend all layers of the organization and implement proactive world-class security. Yep, I still got it.

    Just think, if executives had more of a strategic planning process for the business in general, then US companies might be healthier and stronger, instead of sacrificing the future for short-term profits.

    I guess it is just a slooooow news day.
  • who hates the word "proactive"?
  • .

    "We're still fighting a lot of yesterday's battles," said Fred Trickey, information security administrator at Yeshiva University in New York.

    Yeah, all the new battles go to the guys with good names, like Batman, The Riddler and Dick Tracy.

  • by RancidPickle (160946) on Sunday November 14, 2004 @01:35PM (#10813792) Homepage
    The Security Pros are in two camps right now - reactive and proactive. My belief is that proactive may be the philosophically better choice, but the reactive is the modern-day way of life.

    Security has always been the bastard stepchild of the IT world. Nobody wants to spend any money or time on it, but it is the biggest reason why networks fail. It's akin to buying insurance for your network. While some high-end gurus want to come up with methods of protecting networks on a high-level, the folks who are writing virii and spyware are working on new methodologies to counteract the standards. Compare this with the way battles were fought during the American Revolution - the British lined up in neat rows, and some American snipers hid in the surroundings. The British bemoaned the tactics, and were generally unable to understand or cope with the revolutionaries who "didn't fight fairly". The end result was Britain was defeated, and having general proactive security plans will also get defeated because the 'bad' coders don't play by the rules.

    What may be a good idea is to train and develop more folks who look for security holes and spyware methods and plug them before they get exploited. Anti-spyware and anti-virus companies could do it, and they could use it as a marketing tool (Our new update protects against the IE URL buffer overflow hack!). Companies like MickeySoft can invest some of that capital they have lying around under their couch cushions to either promote (or buy) an AV company, and it would allow M$ to get exploits identified quicker, and perhaps hush the chatter on how hole-y their software is by fixing those holes before they become public.

    So, like the rest of the IT world, I have to go on, day after day, reacting to any new threats that show up on my virtual doorstep. For most admins and security folks, that is their focus. When companies go down for lack of vigilance, their competitors will begin to see the use of having trained folks on-site to watch their backs.
  • Most PHBs misunderstand the results of proactive security, mainly because proactivity breeds less tangible results (because the attacks are mitigated before they do any damage). In the case of a successful security breach the damage is seen, counted, and monetary losses to the company are estimated. For example, when a virus hits and the IT guys are scrambling, the monetary losses are itemized and quantified. If the network is secured and nothing happens the IT folks can't claim one way or the other about h
  • by Brian Stretch (5304) * on Sunday November 14, 2004 @02:30PM (#10814032)
    They could at least stop buffer overflow attacks by using AMD Athlon 64 CPUs ("Enhanced Virus Protection" as marketing says). And cut their electric bill. But noooo, they keep buying the overpriced Intel-based blast furnaces that Dell sells them.

    It won't make Windows secure, but it might free up enough time for strategic thinking. Then again, so would doing IT development in-house rather than cleaning up outsourced disasters...
  • Service Pack 2? (Score:2, Interesting)

    by dshaw858 (828072)
    I know that Microsoft isn't Slashdotters' favorite company, but I have to say that I think that Service Pack 2 will help security immensely. As has been said before, most of Windows users are computer illiterate. SP2 gives users an enhanced layer of security (the XP Firewall, for example), and can really help the computer illiterate (that would otherwise be totally unprotected) secure themselves.

    - dshaw
    • SP2 was a great idea, but it was poorly implemented. It caused almost as much havoc as the Netsky worm. I have several clients that had their systems set up to automatically load and install SP2, and they found themselves without viable machines the next day.

      One instance involved a gent who was using WinXPPro to serve out a cash register and inventory system for his store. He only had four machines, and it had been working fine for over a year. After SP2 was autoloaded, everything stopped working, from Quickb
      • I'm not saying that SP2 is a golden gift from heaven, and yeah, it does bring a lot of trouble. But, for users that don't do so much as install a firewall or anti-virus, SP2 will make them more secure. I think that this will be shown more when users start buying machines with SP2 already installed, as opposed to updating from an SP1 machine.

        - dshaw
    • What about this [slashdot.org]?
  • Security practitioners need to learn to speak the language of business users and try to understand the kinds of problems they're facing, according to Roger Fradenburgh, a consultant at Greenwich Technology Partners Inc. in Boston.

    [sigh] Why is it always the case that [insert random technical speciality here] has to "learn to speak the language of business users"? Technical language exists for a reason: more precise expression of problems and solutions. If business users can't even "speak the language", h


  • Dear CmdrTaco,

    since when is marketing bullshit "news for nerds, stuff that matters"? :

    "proactive"
    "initiative"
    "operational"
    "tactical"
    "consideration"
    "dominate"
    "agenda"
    "strategic"
    "approach"

    You, The Editors, have been rejecting story submissions for much smaller sins.
  • Somebody needs to wake up and realize that these 2 words have very different meanings...
