Security IT

The Lesson of Recent Hacktivism

itwbennett writes "LulzSec says they're retired, which may or may not be true. But one thing the world has learned from their 'frightening yet funny escapades' is that 'the state of online security stinks,' writes blogger Tom Henderson. LulzSec (and Anonymous) have 'demonstrated that an awful lot of people are either asleep at the switch or believed in arcane security methods like security through obscurity.'" A related story at the Guardian suggests that governmental attempts to control the internet are spurring these activities.

  • by Anonymous Coward on Wednesday June 29, 2011 @12:31AM (#36607558)

    They believed that money spent on security products == we are secure. They were not asleep. They did not believe in security through obscurity. They trusted the industry. They gave it money in return for products that were supposed to protect them. They lived in ignorant bliss. Unfortunately, the security industry (and the rhetoric they proclaim) is all about the end goal of the industry making money. Companies are lured into a false sense of security based on what they are being told, and what they spend money on - and it seems totally reasonable from their perspective. Unfortunately, the public (and the victim companies) are not aware of one tenth of one percent of what is actually going on. Any company that has anything worth significant financial value is either compromised or is a target with a big bullseye on their gold stash - guaranteed.

  • by Opportunist ( 166417 ) on Wednesday June 29, 2011 @01:12AM (#36607736)

    Nobody wants security. Everyone wants compliance.

    From an auditor's point of view, it's very easy to explain the reason why the security in most companies is at a level that's not even laughable. No company is interested in it. What they want is certificates, they want their ISO27k and their PCI-DSS, but not because they want them to know for themselves that they're secure, they want them to display to others that they are, so they can get contracts or are compliant with legal requirements to be allowed to do something.

    Now, some might think security and compliance with security requirements is the same. Both mean that you "want" security. And that's the fallacy. Security is something you want yourself. You want security because you want to be secure. Security is in this case the primary interest and the focus by itself. Compliance is something that is forced onto you. You want security because someone else wants you to be secure. Security is in this case only the means to the goal, be it to conform with legal requirements to continue operations or be it to be allowed to process credit card payment.

    Within the last decade or so, the number of companies where I actually had the idea that they wanted security for themselves, even if only as a side effect to the compliance requirements, was very, very low. Most want to get done with it, preferably fast and without hassle. If the compliance requirement is that your door is locked and barred but doesn't say anything about your windows, they won't even listen to you if you tell them they have no windows but just big holes in the wall. Their door is sealed, that suffices to be compliant. The windows? Not part of the compliance requirement, we don't care.

  • Re:I disagree (Score:4, Insightful)

    by Raenex ( 947668 ) on Wednesday June 29, 2011 @01:58AM (#36607902)

    I swear to fucking god - look at how my posts are modded on this thread.

    Don't bring up Bush and claim your post isn't flamebait. I mean, seriously, this is what you said:

    "I actually blame the parents (the Bush-haters) for breeding such a bunch of twats as LulzSec. Please don't mark this down as flamebait"

  • by phantomfive ( 622387 ) on Wednesday June 29, 2011 @02:01AM (#36607916) Journal

    It's been my experience that most companies aren't even spending money on security. If they are even thinking about security, they are ahead of most. Many companies are leaving wide open, simple holes, like failing to escape their SQL, or parse out javascript. That is the lowest-hanging fruit. Really, it wouldn't surprise me if you could use Metasploit and nothing else to break into 20% of the major websites in the world.

    If you're a web developer, let it be a lesson to you: download some basic hacking tools and try them out on your own website. You'll definitely learn something.

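The two "simple holes" phantomfive names above, unescaped SQL and unescaped JavaScript in HTML, side by side with their hardened forms. This is an added illustration, not code from the thread or from any project it mentions; the table, rows and inputs are constructed for the demo, and the point is that a bound parameter and an HTML escape turn the same input into plain data.

```python
import sqlite3
import html

# Constructed sample data (not from the original thread).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_unsafe(conn, name):
    """The 'failing to escape their SQL' hole: input is pasted into the query
    text, so a stray quote lets it change the query's structure."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened form: a bound parameter is always treated as data, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting_unsafe(name):
    """The 'parse out javascript' hole: untrusted text dropped into HTML as-is,
    so any markup in it is rendered by the browser."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Hardened form: escape &, <, >, \" and ' before interpolating into HTML."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both inputs through the unsafe and hardened versions and report."""
    conn = make_db()
    # A constructed input that is plainly not a name. The unsafe query lets it
    # rewrite the WHERE clause and match every row; the safe one simply looks
    # for that literal string and finds nothing.
    odd_name = "x' OR 'a'='a"
    markup = "<script>alert(1)</script>"
    return {
        "unsafe_rows": len(find_user_unsafe(conn, odd_name)),
        "safe_rows": len(find_user_safe(conn, odd_name)),
        "unsafe_html": render_greeting_unsafe(markup),
        "safe_html": render_greeting_safe(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running it shows the unsafe lookup returning both seeded rows for an input that matches no name, while the parameterized lookup returns none, and the escaped greeting containing `&lt;script&gt;` where the unescaped one contains a live tag. The fix in both cases is the same shape: keep untrusted input out of the structural layer (SQL grammar, HTML markup) by passing it through the API that treats it as data.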
  • by CodeBuster ( 516420 ) on Wednesday June 29, 2011 @02:17AM (#36607960)

    They were not asleep. They did not believe in security through obscurity. They trusted the industry.

    It has often been said, by Bruce Schneier [wikimedia.org] and others, that security is not a product that can be purchased, installed after the fact and forgotten, but rather an attitude and culture that must be cultivated and maintained. Knowledge and tools are important, but without the right attitudes and culture they will be of limited use. Remember that nobody cares more about your security than you do. If you don't care then nobody else will either, despite what they may tell you.

  • by Tom ( 822 ) on Wednesday June 29, 2011 @03:26AM (#36608216) Homepage Journal

    Disclaimer: I've worked in compliance until recently, but my background is security.

    The problem you outline is real, but you are missing a point: Compliance got traction because companies don't invest in security. The risk/reward just doesn't work out. A million credit cards lost? The PR to fix that is a lot cheaper than the security investment to prevent it. And the real damage isn't for you, it's for the credit card holders and their companies.

    That's why compliance became so big, because too many people realized that unless you force them, companies won't do security. The same way that airbags in cars didn't become standard issue until some laws were passed. Human beings are horrible at risk management for everything that falls outside our daily experience.

    The quality of your compliance managers determines if you're just following the book, or actually bringing an advantage to the company. I pride myself on IT management being happy they had me (I wasn't part of IT, to them I was an outsider from the finance department, the compliance hand of the CFO). You can do compliance in a way that IT doesn't hate and that gives you actual benefits.

    Unfortunately, too few compliance managers are IT people, much less IT security experts. Which leads to them doing things "by the book". Or, as it's called in other contexts: Work-to-rule. As we all know, that's not work, that's sabotage.

  • by c0lo ( 1497653 ) on Wednesday June 29, 2011 @04:12AM (#36608374)

    Actual security is ridiculously expensive and there is not a willingness to put up with that level of expense

    The cost of risk prevention: if the cost of risk mitigation is lower (no matter if people are burnt [wikipedia.org]) there you have it.
    Far easier for them to externalize the cost and lobby for DMCA and anti-hacking laws - it's the populace that pays for the jail time.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday June 29, 2011 @04:38AM (#36608488)

    Comment removed based on user account deletion

  • by Dunbal ( 464142 ) * on Wednesday June 29, 2011 @07:39AM (#36609246)

    I hate it when this excuse is used. And it's used often in business in many areas, not just security. It's the junior manager's way out - the way to duck and hide behind someone else. But while it's true a contractor, agency, or someone else will never do as good a job as you would if you did it yourself - at the end of the day it's the responsibility of the guy who approved and signed the cheque. If you don't even take the time to review the work you contracted, if you don't even bother to keep ONE person around who has any notion of how the work should be done and get him/her to go over it and approve it before it's accepted, then my friend, you deserve the good anal fucking that you are about to get.

  • by DRBivens ( 148931 ) on Wednesday June 29, 2011 @08:33AM (#36609600) Journal

    In my experience, the COST of security matters much less to people than does the INCONVENIENCE it entails. Many organizations are quite willing to spend money on security hardware, software, and services. Secure implementations can be defeated by authorized users who either perceive the security as inconvenient or unnecessarily harsh ("I'm not going to lock my screen before I get coffee; I'll only be gone for a couple of minutes.")

    One solution might consist of better user training coupled with better security design (protect truly secret data but don't worry about disclosure of information freely obtainable by outsiders via mechanisms like FOIA, stockholder inquiry, etc.)

    It's a challenge, regardless of what you have to protect--or how you choose to protect it.
