Former NSA Honcho Calls Corporate IT Security "Appalling"
Nerval's Lobster writes "Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User's Conference in Las Vegas. 'As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they're doing,' Winter said, according to a story in U.K. tech-news site Computing. During almost 28 years at the National Security Agency (NSA), Winter established the spy agency's Technology Directorate and served as the agency's first CTO. He also held positions as the NSA's CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response. He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act."
I can confirm this (Score:4, Insightful)
Re:I can confirm this (Score:5, Insightful)
Most of them don't. Sometimes the companies that do know just consider it a risk of doing business, easier to pay when things go wrong than to try to secure it. An example of this is credit card companies. Bruce Schneier points out that he would never trust a credit card online because of the security holes, except they promise to reimburse him when things go wrong.
Comment removed (Score:5, Insightful)
Re: (Score:2)
Keep it all working at the lowest cost for the shareholders. Then you have the rush to the not-so-safe or cheap cloud, web 2.0 and the vision of one skilled non-union person with a laptop doing a lot of remote work.
It seems a cute list of mission statements: protect from outside data threats, protect from inside data threats, make web 2.0+ work, make the cloud work no matter the costs or network holes, keep th
Re:I can confirm this (Score:5, Insightful)
Even with the downturn I don't think I could go back to dealing with that bullshit. I'd play C&W in a shitty redneck bar before I go back to the bad treatment and constant headaches that is IT in most of the big firms I've seen.
Become a security consultant and charge four times as much. Then you can make money off their foolishness. The more foolish they are, the more you make. The less foolish they are, the more you help them.
Re:I can confirm this (Score:5, Insightful)
It's not about "real security" (which is too nebulous). They do make an effort, and spend lots of money ... on a big firewall to protect the whole org.
It's about protecting specific assets. For example, you can take the whole NSA offline, which is a fantastic moat. But if one single insider can get root access to basically anything he wants, it's not protecting core assets.
Most businesses are even worse - high risk assets can be sitting on a shared drive where everyone in the company can access them.
Re:I can confirm this (Score:5, Insightful)
There is ZERO loyalty, you could put in 80 hour weeks and they'd fuck you over or outsource your job the second they get a chance, and no matter what you do it's not good enough.....
That's the corporate world regardless of what department someone is in. It's one of the big reasons that life here in the USA has changed for the worse, as the detrimental effects of living that way eventually invade just about every other aspect of daily life. Hard to care what happens to other people/families when some part of you is persistently fatigued from overwork/stress & worried that you could easily wake up tomorrow to find yourself unemployed and fighting for anything that might pay the bills...
Re: (Score:3)
It's one of the big reasons that life here in the USA has changed for the worse, as the detrimental effects of living that way eventually invade just about every other aspect of daily life.
Interesting related stat: Most employers now routinely expect that employees will be paying attention to and responding within the hour to work email at almost all times of all days. According to this article [aol.com], Americans work about 10% overtime, completely unpaid, doing this.
Overtime is never legally unpaid (Score:2)
Most employers now routinely expect that employees will be paying attention to and responding within the hour to work email at almost all times of all days.
Citation needed. (the article you cited does not support this claim)
Americans work about 10% overtime, completely unpaid, doing this.
Overtime is never (legally) unpaid. If you are salaried there effectively is no such thing as a 40 hour work week and thus there is no such thing as overtime. If you are paid hourly it is required by law that you be paid for any time worked and not doing so can result in some serious consequences.
Re:I can confirm this (Score:5, Interesting)
Re: (Score:3)
REAL security costs good money, takes real time and effort and doesn't show immediate results on the bottom line, so most companies? Just don't give a fuck. Call it "the rise of MBA (Major Buffoons and Assholes) culture" or the "fuck everything but the quarterly earnings!" attitude or anything you like, if it doesn't show profits quickly?
Even cheap and simple but crucial security, such as verification of a user before a password reset for Windows login, VPN, operation-critical applications and so on, was not part of standard operating procedure at a company with an annual revenue of more than USD 90 billion that I worked at some time ago. Worse yet, no verification procedure was in place at all!
When I questioned the rationale behind this I never got an actual answer, but it was implied that the senior executives found such procedures inconvenien
Re: (Score:3)
This is a very good point: for very little investment, most companies could dramatically improve their security posture without much, if any, new technology. Simply teaching HR and helpdesk staff to use good procedures for identity management / verification, and making sure HR communicates effectively with operations, either manually or through automation, to disable or delete accounts when employees leave the company for any reason.
No fancy firewalls or multifactor whatevers will protect you if valid authenticators ar
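The leaver process described in the comment above, as an added example that is not from the poster: a reconciliation that joins an HR export against a directory export and lists every enabled account whose HR owner is terminated or missing. The CSV rows, column names, employee ids and dates are constructed for the example.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed HR export: one row per employee; term_date is empty while the person is active.
const hrRoster = `emp_id,name,status,term_date
E100,Ada Lovelace,active,
E101,Grace Hopper,terminated,2013-09-20
E102,Alan Turing,terminated,2013-09-30
E103,Ken Thompson,active,
`

// Constructed directory export: one row per account; emp_id links it to the HR row that owns it.
const dirAccounts = `account,emp_id,enabled,last_logon
alovelace,E100,true,2013-10-01
ghopper,E101,true,2013-09-29
aturing,E102,false,2013-09-30
svc_backup,,true,2013-10-01
kthompson,E103,true,2013-10-01
`

// Finding names an enabled account that the HR data says should not be enabled.
type Finding struct {
	Account string
	Reason  string
}

// parseCSV turns a header-first CSV text into one map per data row.
func parseCSV(text string) []map[string]string {
	rows, err := csv.NewReader(strings.NewReader(text)).ReadAll()
	if err != nil {
		panic(err)
	}
	var out []map[string]string
	for _, rec := range rows[1:] {
		m := make(map[string]string, len(rec))
		for i, h := range rows[0] {
			m[h] = rec[i]
		}
		out = append(out, m)
	}
	return out
}

// staleAccounts returns enabled directory accounts whose HR owner is terminated or missing,
// sorted by account name so the output is stable for review or ticketing.
func staleAccounts(hr, dir string, now time.Time) []Finding {
	byID := map[string]map[string]string{}
	for _, e := range parseCSV(hr) {
		byID[e["emp_id"]] = e
	}
	var findings []Finding
	for _, a := range parseCSV(dir) {
		if a["enabled"] != "true" {
			continue // already disabled: nothing to do
		}
		owner, ok := byID[a["emp_id"]]
		switch {
		case a["emp_id"] == "" || !ok:
			// Service or orphaned accounts with no HR owner never get a leaver event at all.
			findings = append(findings, Finding{a["account"], "enabled account with no HR owner"})
		case owner["status"] == "terminated":
			term, err := time.Parse("2006-01-02", owner["term_date"])
			if err != nil {
				panic(err)
			}
			days := int(now.Sub(term).Hours() / 24)
			findings = append(findings, Finding{a["account"],
				fmt.Sprintf("owner %s terminated %s (%d days ago), account still enabled",
					owner["name"], owner["term_date"], days)})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Account < findings[j].Account })
	return findings
}

func main() {
	runDate := time.Date(2013, 10, 2, 0, 0, 0, 0, time.UTC)
	for _, f := range staleAccounts(hrRoster, dirAccounts, runDate) {
		fmt.Printf("%-12s %s\n", f.Account, f.Reason)
	}
}
```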
And then there are the people. . . (Score:3)
. . . .who want exceptions carved out, just for them.
Like the C-level people who "need" Facebook and Twitter.
Like the General Counsel who doesn't want to use the document check-in/check-out system, and THEN complains about losing files.
I could go on, but I'm sure the vast majority of us have had to deal with similar issues. . .
Re: (Score:2)
It's really simple, REAL security costs good money, takes real time and effort and doesn't show immediate results on the bottom line, so most companies? Just don't give a fuck.
It's more than that. There is a conflict a lot of times between ideal security and conducting the business of the company, and some reasonable (or sometimes, not so reasonable) compromises must be made. For example, a banking website should ideally make a customer go through a number of 3-step verified passwords and security questions before accessing their accounts. But any banking site that does that is going to have a *lot* of pissed-off customers who are going to take their banking to a competitor who's
Where to draw the line is hard (Score:2)
It's really simple, REAL security costs good money, takes real time and effort and doesn't show immediate results on the bottom line, so most companies? Just don't give a fuck.
While you are correct about the costs and effort, the cold hard calculus is whether the costs outweigh the benefits. Just because better security can be done it doesn't always follow that it should be done. For companies that deal with sensitive customer information or sensitive trade secrets there is no question the costs *should* be made to be quite high for bad security if they aren't already. (unfortunately too often they are not) Security is highly similar to insurance. You want enough to ensure t
My experience is slightly different. (Score:5, Insightful)
In my experience it is more about the managers and CxOs viewing it as a status issue. They are so important that they cannot be hampered by the demands of the lowly IT people. And the same goes for their people.
Security is IT's problem and if something goes wrong then it is the IT people who will be fired. Starting with the ones who were the loudest about there being a problem in the first place.
After all, other companies don't have those problems. So it must be because the IT people are incompetent.
Re:I can confirm this (Score:5, Funny)
Re: (Score:2)
Re:I can confirm this (Score:5, Interesting)
1) Poor middle management. Many of them are either IT people with poor management skills, or good general managers with no IT skills.
2) Failing talent management. Failure to attract top people, no coaching, poor training, lack of talent recognition (I don't just mean good pay, I mean knowing who your best people are and allocating that talent accordingly), and lack of a decent technical career ladder.
The biggest challenge in IT is not technology, and it hasn't been that in ages. It's management, or rather: figuring out how to do IT well, how to organize it.
Re:I can confirm this (Score:5, Interesting)
In my experience, it's much more rare to find a company that knows about security than to find one that doesn't.
They are actually pretty easy to find.
If they have more than about 500 employees, check if they have an official IT security position. Might be some guy doing other stuff in addition, but he's got to be the official IT security guy.
If they have more than about 1000 employees, check if they have an IT security department with at least one full-time employee.
If they have more than 2000 employees, check if they have a CSO or CISO.
If they have, you just need to verify that it's not an alibi position to satisfy some compliance rules. If they don't, you already know they have no clue.
Business can always be estimated by checking if they commit to a regular expense on a topic. Occasional security checks mean nothing, they're usually done when someone needs to cover their asses. A permanent financial commitment is the only thing that means something in a business context.
Re: (Score:2)
It's not so much knowing about security as it is jackass leadership who do not want to deal with the hassle. Good security is usually very inconvenient and sometimes requires them to learn or understand something. That's more than they can handle.
No Shit, Sherlock (Score:5, Funny)
Given that half of Slashdot works in corporate IT I'm sure we're all shocked by this announcement.
Re:No Shit, Sherlock (Score:5, Informative)
Re:No Shit, Sherlock (Score:5, Insightful)
Re: (Score:2)
Yup - theater is the key.
Password expiration is great theater - it is intrusive and intuitive, even though it is useless 99% of the time. You're a hacker, and you try to log in using the password "robbie7" and the password that has worked great for you for a month suddenly no longer works. Anybody want to guess what the new password is?
Complex passwords are also great theater - very intrusive, but again useless 99% of the time. Is "Robbie7" any harder to guess? If you make users use the password "'28$x!
But it does improve profit (Score:2)
Re: (Score:2)
Re: (Score:2)
Proper testing procedure, compliance protocols, pay 3rd party to find compromises, experts in each layer of security.
Not always (Score:2)
Security done right improves profit.
Not necessarily. Sometimes it is cheaper to just insure a problem than to improve security. Sometimes the security costs more than the loss that would be incurred by not worrying about it. Sometimes you are correct and adjusting or adding security measures is economically sensible. Not all security problems are created equal and not all of them can be economically mitigated by adding more/better security.
Research has proven that you can actually more than get back the cost of spending money on good security and turn a profit by having fewer bugs and flaws in your systems.
Sometimes true. Sometimes not true. It depends on the risks you face and the cost of mitigating the
Re: (Score:3)
Overlooked or overvalued? (Score:2)
Security is hard. Security is expensive. Security does not improve profits
You forgot that the cost of extra security can easily be higher than the benefit provided. Should I add security for a risk for which I am adequately insured even if the cost of the security would be higher than the cost of the insurance? Security is almost always a tradeoff against operational efficiency and cost. Are you SURE you know where the optimal balance between the two is and have done the math to prove it? (If you say yes I'm going to call you a liar) I don't think I've ever seen an IT manage
Re: (Score:2)
Security is also an inconvenience.
Seriously, consider how many times IT imposes some new "security protocol" and everyone is forced to come up with alternative ways to do stuff bec
Re:No Shit, Sherlock (Score:5, Interesting)
Given that half of Slashdot works in corporate IT I'm sure we're all shocked by this announcement.
Yeah, and we all know who to blame. (looks ominously upward) The irony here is that corporate IT is even more into surveillance and CYA than the former NSA guy is. I mean, the NSA has rules and shit to follow. Management at a company these days is likely to be all "Yo, we do whatever we want. You dun like it? Dere's da fuckin' door." (sorry, Jersey accents are really hard to do on slashdot forum posts)
As an experiment I once sent an e-mail out from my last employer containing about 5KB of randomly generated gibberish to an e-mail address set up that had never been used before, on a server that didn't have an SMTP server prior to the test balloon. Over the next three days, this previously unused and unloved honeypot got dozens of pings from the corporate network from people trying to log in to the SSH, poke at the SMTP server, looking for web services. I sent it from a gmail account specially set up ahead of time, then logged in over a supposedly secure 'ssl' connection.
Similar has happened at 7 out of 10 employers I've worked for. They don't just monitor all your stuff...they actively go out and fuck with it. And the only reason this isn't a problem is because they're so terrifyingly bad at it.
Re: (Score:2)
From the US gov down you have a defective crypto/telco network, big brands working to decrypt, handing over users data vs dreamy legal teams and reassuring privacy statements.
As for "monitor all your stuff" the internal security of many firms would have a few issues to watch for:
Contact with the press, headhunting (recruitment by another firm), union activity, environmental activism, contact with state or federal regulators, academic 'tell all' books, foreigner
Re: (Score:2)
I'm very happy that I left such a micromanaged morass for a place where "union activity, environmental activism, contact with state or federal regulators" doesn't matter to the bosses since they don't have a huge cupboard full of skeletons.
Re: (Score:2)
So the company you worked for was able to crack the SSL encryption for Google?
Because otherwise the connection should have shown ONLY that it was connected to the gmail server.
Once it was delivered to the gmail server THEN Google would have tried to deliver it to the destination. There should not have been any way (aside from cracking Google's SSL connection) that the company could read the
Re:No Shit, Sherlock (Score:5, Insightful)
Actually Man-in-the-Middle transparent proxies, which intercept and monitor SSL/TLS traffic, are now standard in most corps. You don't get a browser alert since the corporate "fake" CA is pre-installed as trusted in your browsers by the corp's IT. So, yes, basically ... there *is* no encryption and they look at everything.
Oh! And using Cisco "policy based routing", or WCCP2 or other networking mojo, you cannot decide to skip the proxy from your client.
And ... using Deep Packet Inspection, the protocol will not just be matched versus the destination port, so your genius attempts to ssh to your external server running on tcp/443 will not only be blocked, you will be flagged and tagged.
Solution? Just use your own equipment with either built-in 3/4G connections, or just tether across your personal phone.
Caesar and Rome ...
Re: (Score:2)
Actually Man-in-the-Middle transparent proxies, which intercept and monitor SSL/TLS traffic, are now standard in most corps. You don't get a browser alert since the corporate "fake" CA is pre-installed as trusted in your browsers by the corp's IT.
Common, yes, but painfully easy to detect. But then, if you don't have the privileges to install a new browser, install a VM, or modify the system's root certs, you certainly can't claim it's your computer. It's certainly not your Internet connection. What do you expect using someone else's computer and someone else's Internet connection?
And ... using Deep Packet Inspection, the protocol will not just be matched versus the destination port, so your genius attempts to ssh to your external server running on tcp/443, will not only be blocked, you will be flagged and tagged.
Sure, for some small set of protocols that can be easily identified accurately with DPI. Ones that aren't using SSL. (Yes of course they can detect SSL and yes of course th
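The interception described two comments up and the "painfully easy to detect" rebuttal above, as an added example that is not from either poster: a corporate CA re-issues a certificate for the same hostname, the browser-style chain check accepts it because IT pushed that CA into the trust store, and an SPKI pin on the genuine server key is what flags the substitution. All CA names, the hostname and every key are constructed inside the code; nothing here is a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for subj, signed by parent/parentKey, or self-signed
// when parent is nil. Every key and name is generated here for the example.
func issue(subj string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subj},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subj} // leaf certs need a SAN for hostname checks
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the HPKP-style pin format.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkChain runs the check a browser does (chain validity against the trust store)
// and the check it does not do (does the key match the pin?). Returns (chainOK, pinOK).
func checkChain(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) (bool, bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil, spkiPin(leaf) == pin
}

// Scenario holds the genuine certificate, the proxy's re-issued one, the trust store
// with and without the pushed corporate CA, and the pin taken from the genuine key.
type Scenario struct {
	Genuine, Intercepted    *x509.Certificate
	PublicRoots, CorpRoots  *x509.CertPool
	Pin                     string
}

func buildScenario(host string) Scenario {
	publicCA, publicKey := issue("Public Root CA (constructed)", true, nil, nil)
	genuine, _ := issue(host, false, publicCA, publicKey)
	corpCA, corpKey := issue("Corp Interception CA (constructed)", true, nil, nil)
	forged, _ := issue(host, false, corpCA, corpKey) // same hostname, proxy's own key
	publicRoots := x509.NewCertPool()
	publicRoots.AddCert(publicCA)
	corpRoots := x509.NewCertPool()
	corpRoots.AddCert(publicCA)
	corpRoots.AddCert(corpCA) // what IT pre-installs on managed machines
	return Scenario{genuine, forged, publicRoots, corpRoots, spkiPin(genuine)}
}

func main() {
	const host = "mail.example.test"
	s := buildScenario(host)
	for _, c := range []struct {
		name string
		cert *x509.Certificate
	}{{"genuine", s.Genuine}, {"intercepted", s.Intercepted}} {
		chainOK, pinOK := checkChain(c.cert, s.CorpRoots, host, s.Pin)
		fmt.Printf("%-12s issuer=%q chain=%v pin=%v\n", c.name, c.cert.Issuer.CommonName, chainOK, pinOK)
	}
}
```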
Re: (Score:2)
Solution? Just use your own equipment with either built-in 3/4G connections, or just tether across your personal phone.
Caesar and Rome ...
I think that is the problem with all this perimeter security. It all sounded nice back in the 90s. Today people can just carry data in/out on flash drives, or send it over 4G.
Oh, and the most valuable data is probably most vulnerable to people who have access to it already. That nice big corporate database probably has nothing in it to prevent a user from exporting the whole DB and walking out with it.
Re: (Score:3)
Couple Ways You Could Fix That (Score:5, Funny)
Most offices have normal plate-glass windows, too! (Score:4, Interesting)
All it takes to break in is a hammer and 10 seconds.
Sure, they could put in bullet-proof glass and high-security doors. But those measures are prohibitively expensive for most businesses, and still aren't foolproof.
The same is true with computer security. There are basic precautions businesses should take, like putting all their equipment behind firewalls, for example. That's the equivalent of locking the front door. But security costs money, and makes life more difficult for those with legitimate access. These considerations must be balanced.
Re: (Score:2)
Ensuring that input is properly sanitized is one that comes to mind, because I've seen problems with it by people who should have known better. Disabling Java applets by default in browsers is another.
Re: (Score:2)
Ensuring that input is properly sanitized is one that comes to mind, because I've seen problems with it by people who should have known better.
Uh, how exactly do you propose doing that on every internal application used by the company - 99% of which have no source available? Do you think that the software that runs the robots on your manufacturing line properly sanitizes input?
All a hacker needs to do is break into some server running insecure "enterprise" software and then log all the passwords entered on it.
Re: (Score:2)
Re: (Score:2)
Unfortunately that seems to be the standard approach, leave your machines terribly insecure and just hide them from the internet using firewalls...
As soon as someone gets a tiny foothold behind the firewall, and there are many ways in which they could do so, everything inside is trivially easy to compromise and very poorly monitored.
Re: (Score:2)
Generally that's required because security is not considered at all by the vast majority of commercial software developers - so if you want to use their stuff it comes with all kinds of stupid open ports and nothing to stop the 1960s exploit of buffer overflows once something starts sending bytes into those ports. Some stuff on MS Windows still needs to be run as "
Re: (Score:2)
That's a self-perpetuating problem... So long as buyers don't reject such software, developers will continue to produce it.
Re: (Score:2)
This is why we need a PE for Computer Engineering. People with professionalism would not allow those issues to happen. The consumer isn't the expert; they rely on experts.
The industry needs to grow up.
Re: (Score:2)
It's worse than that. If you even mention security when selling an app their eyes glaze over. Then they buy the totally insecure piece of garbage app that costs $1 less.
Re: (Score:2)
That's a self-perpetuating problem... So long as buyers don't reject such software, developers will continue to produce it.
IT Security has almost no impact on purchasing decisions. Most businesses aren't going to say, "well, looks like the vendor who makes this great piece of measuring equipment writes software that is easy to use, effective, and insecure - so we'll just decide not to buy it and let our competitors make the breakthroughs in that domain." Likewise when they spend $400k on the piece of equipment and IT comes along in 3 years to tell them they need to throw it away because the OS is no longer supported and the v
Re: (Score:2)
These considerations must be balanced.
The problem is that they usually aren't. There is a lot of office politics that usually means that the higher up the hierarchy you are, the less secure your computer is going to be. One company I worked for made a company-wide security check and found a number of open, unsecured dial-in modems attached to phone lines on the one side and desktop computers on the corporate network on the other. All but one of them belonged to managers.
Re: (Score:2)
The sad thing is, in the enterprise, they do spend the money and they do hamstring the employees with crazy security procedures. The problem is they DON'T actually manage to secure anything.
It's all like the security at Burns' nuclear plant. A series of convoluted Maxwell Smart-like procedures to get into the heavily secured control room that is secured by a torn and unlatched screen door on the other side. But it is 'secure' because using the screen door is a violation of corporate policy and that's a fir
PHBs (Score:3)
How many vulnerable systems are due to PHBs who don't want to listen to explanations that the remote access or network configuration they want is insecure?
The rest due to incompetent web developers who have no clue how to build secure web apps.
No, really? (Score:5, Funny)
Banks are still using "secret questions" and claiming that's a kind of two-factor authentication. Someone I know was once told by Citi something to the effect of "well, click on the links in the email, and if it gets you to a site with our logo, then it was from us."
And honestly, social engineering is still a huge and very easy target.
Re: (Score:2)
Some banks in Switzerland actually sign their emails using S/MIME...
Re:No, really? (Score:5, Informative)
You've been modded funny, but it's more +1 Insightful, -2 Depressing.
I've had several calls from my bank that basically go like this:
GB: "Hello, I'm calling from Generic Bank regarding your account, in order to verify your identity as the account holder can I ask you to confirm your name, date of birth and account number please?"
MN: "Sure"
GB: "..."
MN: "Well are you going to tell me?"
GB: "Sorry sir, you need to tell me that information"
MN: "And how do I know you're not a scammer?"
GB: "Because I'm calling from Generic Bank"
MN: "I'm not going to give any information to an unsolicited caller asking me for my bank details. Are you going to tell me what this call is about?"
GB: "I'm afraid I can only do that with the verified account holder"
MN: "And who is that?"
GB: "I'm afraid I can't tell you until you tell me, but I can assure you I am calling from Generic Bank"
MN: "And I can assure you I didn't take a shit in your cornflakes but that doesn't necessarily make it true, does it?"
*click*
Yes, these calls really were from the bank because every time this happens I walk into a branch and ask a) why I was called and b) why they still haven't fixed this utterly moronic behaviour. Don't even get me started on the almost complete and utter lack of two-factor auth for online banking as well as the utterly ridiculous password requirements. About 5 years back my bank said I could have a current account with an RSA key... the catch was it had to have at least £50,000 in it. I think it's only within the last year or so they've brought in two-factor auth for us mere peons, and yet you're apparently still able to reset your account with "security questions". When I tried to set answers that were purposefully incorrect (e.g. for "memorable place" you might choose to give "Marvin's turgid bowling average") I was told I wasn't allowed to do that so I cancelled the whole process. Asinine.
I haven't given the name of my bank, because they all seem equally shitty in this regard.
Re: (Score:2)
You can have an incorrect answer, but still relevant to what they are looking for.
For example:
Mother's maiden name: McDonald -- it's actually Smith*
First car: Rolls-Royce
and so on
*l, not my mom's actual maiden name.
Re: (Score:2)
If the security questions were the result of an actual desire or intent for security (rather than just more theater) they wouldn't severely restrict the keyspace like that.
Give me a break. (Score:3, Informative)
He's keynoting at a major security vendor conference. Having done so myself, the goal and focus is ALWAYS to spread FUD to sell software and services. This industry survives off of fear mongering. That's not to say there aren't problems, but when you're paid tens/hundreds of thousands of dollars to keynote on behalf of a vendor, you generally have an unwritten agreement to paint the most dramatic picture possible.
Re: (Score:2)
Since he is/was a big swinging dick in the NSA - why wasn't he on a constant road show to said Fortune 100 companies to talk to them about how they can improve their security? After all, the NSA must be the national authority on the subject, no?
Oh yeah... it was because he was far too busy fucking the people over to worry about maybe helping anyone out.
Re: (Score:2)
Actually, yes. The NSA will work with some corporations on their security.
I would like to remind you, and others, what the NSA did was legal. Talk to congress about that, it's their fault.
Re: (Score:2)
No, it wasn't legal. It may have been willfully overlooked, but it wasn't legal.
Just because we call them 'lawmakers' doesn't mean they can just make up anything they like and have it be an actual law. For example, if it violates the Constitution, then it is not actually a law. Note that law enforcement and the courts will treat it as a law unless you can get the SCOTUS to declare it unconstitutional, but that doesn't change the fact that it never was a law.
If hacking were legal... (Score:2)
Specific and immediate threats? (Score:3)
Chase those, and you're in a never-ending cycle of reaction because you were so thrilled by the drama of firefighting that you left yourself exposed to the next specific and immediate threat.
Try to cover broad classes of threat, and you'll get some actual preventive value from your expenditures.
Re: (Score:2)
c'mon, this guy works for the Chertoff group - Chertoff is most infamous for the pornoscanner scam which did squat for security but violated the rights of people in America by the millions. We'd expect his employees to be of the same ilk.
With Windows Backdoored, What's the Point? (Score:5, Interesting)
There's no real cost for corporate security failure (Score:4, Interesting)
Four letters say it all: EULA. You can sell software that bricks a piece of hardware, and the worst you'll have to do is refund the purchase price. Most of the time, all you have to do is issue a credit, so the customer/sucker gives you more money.
Someone breaks into a server farm and steals credit card info and passwords that are stored in a non-encrypted format? Just send out a warning. It's not like you can get sued or anything.
Big defense contractors are leaking classified information like a sieve. It's so bad that the US President had to whine to the Chinese President about cyber spying industrial espionage. Has any defense contractor lost a contract or been fined for these screw ups? Of course not.
Heck, there were images this week from an exposition of Chinese-built unmanned aircraft in Beijing, and they had a Predator drone! Not just a look-alike, it had the same mounting for the optical sensor pod on the bulging nose, chines, V-tail, etc. I would be completely unsurprised if they stole the plans. Apparently they have the plans for all our major weapons systems. It saves them vast effort in R&D, and they can build countermeasures that they know will work. If there were any fines or actions against any corporations it was not reported anywhere.
So given that there's no downside to committing corporate software fraud, why is anyone surprised that security is a complete joke?
Security is possible, but you must focus. (Score:4, Informative)
I have been doing IT for 30 years. I have been doing Security for a University for about the last 15 years. I have found that security is possible, but you have to focus.
The biggest problem is we are not taught how to do security. We are taught attack. But attack is not security. We are taught checklists, but checklists are not security.
Security is a meaningful assurance that your goals are being accomplished. The details are transitory. But, without goals, security has no point. Sticking to your goals when attacked is the heart of defense. Ultimately, it is the only thing that matters in security. Your organization adds value by sticking to its goals. But this is more than just a matter of value added. Goals are the spirit of the organization. If you don't stick to your goals when attacked, then you have lost. The attacker may not have won, but you have lost.
But, security folks are not taught how to support institutional goals. Instead, we are taught myriads of other things. You can see examples of the mechanics of security defeating meaningful security all over the place. One striking example is the SANS 20 Critical Controls: http://www.sans.org/critical-security-controls/ [sans.org] While they contain many good points, they fail to teach security. When we analyzed them, we found that they tended to replace security process with checklist. When we had finished the evaluation process we had eliminated, reordered and replaced many of their controls. Our most important control was not even mentioned. It is:
Critical Control 1: Unity of Vision
Security is a MEANINGFUL Assurance that YOUR goals are being Accomplished. Most security failures are enabled and enhanced by disagreement of purpose. Are the fundamentals of management in place?
Another glaring omission is the complete lack of strategic thinking in the security community. Winning battles, but losing the war, is our way of life. Nothing in the SANS controls guides you to ask the important questions like: "Where am I going?" and "How did I get in this handbasket?" and "Do I HAVE to eat this crap?" For our analysis of the SANS Controls, we added another Control. We valued it at number 3:
Critical Control 3: Enable a Better Future
This control assumes that our actions affect the future. Do your actions enable a more secure future?
The SANS 20 Controls were originally written by the NSA for the Department of Defense: http://www.sans.org/critical-security-controls/history.php [sans.org] The recent NSA disclosures make me wonder if maybe they are flawed, because the NSA simply doesn't value effective security?
Re: (Score:2)
A. How does your organization create a sense of community? Foreign spying, domestic protection.
F. How does your institution reward long term loyalty? Further education, wages, medals, new projects, global insight.
Where NSA came unstuck was hiring very smart, loyal people and telling them it's all "foreign" with huge domestic security protections. Reality sets in and talented staff feel used.
A. How do you increase the cost of attack? The main idea was huge electric fences and SUV's packed w
Re: (Score:2)
Re: (Score:2)
The biggest problems in academia range from "we have open policies", to political problems.
Universities should have open policies. That's what universities are there for: the open exchange of information. IT's job is to make technology available, not unavailable, even if unavailable is more secure.
Re: (Score:2)
Re: (Score:2)
Quite frankly, most companies without IP or corporate secrets to protect simply don't care all that much. We'll take some basic precautions but GOOD security is just not worth the hassle, nor is there that much to l
Re: (Score:2)
This is a really important thing for the co-author of the USA Patriot Act to hear.
Former NSA Honcho Calls IT Sec. "Appalling"... (Score:3)
pot calling kettle (Score:4, Insightful)
Is this the same company that employed Edward Snowden as a sysadmin, allowed him to elevate his authority and then download documents that he was not supposed to... So Prescott Winter was CTO and was finally responsible for internal IT security. Talk about a pot calling a kettle.....
True or not best to shout this guy down (Score:2)
Frankly given all the revelations about NSA spying the biggest threat to security is clearly the government itself, but what will inevitably come out of public figures saying stuff like this is an attempt to regulate PRIVATE IT infrastructure, which we know the NSA will use to backdoor us all.
This is why we need to not give the FEDs the microphone. We should continue to disinvite them from conferences and trade shows. We all need to stop going to InfraGard and stop taking NIST seriously. Write you congr
big surprise (Score:3)
Who would have thought?
Aside from everyone working in IT security. Or everyone working in IT. Or everyone with 3 working brain cells. So, basically, everyone except middle management.
What I've seen in IT security in most companies is pretty pathetic. They would fall to the first dedicated attacker. And, indeed, reports like the yearly Verizon report show that they do.
But here's the catch: A company is by definition an entity that exists for the sole purpose of making money. As long as the damage from security incidents is lower than the cost to reduce them, it is actually the correct business decision to not improve security. If you view security without risk management, you are a fanatic.
Re: (Score:2)
"A company is by definition an entity that exists for the sole purpose of making money."
wrong.
A company is a group of people. You can have a company of soldiers, a company of people to sell products (make money), a company of people trying to feed the homeless.
You should actually look up the definition of things you say '.. is by definition'
Re: (Score:2)
You should actually look up the definition of things you say '.. is by definition'
Thanks for looking that up for me. While you were at it, please look up the word "context". Anyone whose life consists of more than living out xkcd 386 [xkcd.com] understood easily enough that a company of soldiers is unlikely to have an IT security department, and that while the company of a beautiful member of the opposite (or same, whatever your preference is) sex may be a fantastic way to spend the evening, it is unlikely to entail general issues of information security. As such, even Cyc [wikipedia.org] would have correctly calc
specific and immediate threats (Score:2)
By "specific and immediate threats", I suppose he means the NSA itself?
Some exceptions... (Score:3)
Re: (Score:2)
Security is always a balance (Score:2)
I can't think of anyone I know who would ever claim their environment was secure, whether I've worked Wall Street, health insurance, defense contractors or any other type of organization that might be typically portrayed as secure. All of these environments have professionals, and all of them are painfully aware of the holes in the system and would fix them if they had the resources. The hard reality is that security costs money and good security costs even more money. Security also has a habit of impeding
Big cheap companies, i.e. most of them (Score:2)
That Guy's Just Saying The Obvious (Score:2)
Wasn't it just last year that SONY kept gettin' hacked for stupid security? And they weren't the only ones. Just a couple years ago, PC Pro had an article called "Is This The Golden Age of Hacking? [pcpro.co.uk]". Last year, Ars Technica had an article "Why passwords have never been weaker—and crackers have never been stronger [arstechnica.com]". The state of security on the internet is appalling & that was well known before Snowden woke people up with more facts about the appalling nature of internet security.
Michael Chertoff is Scum (Score:2)
What else is the Chertoff Group famous for? Millimeter wave scanners at airports and all the FUD surrounding that program.
Chertoff profits every time the government and public has a knee jerk reaction to some ambig
The first thing to know about security is that (Score:2)
There is no such thing as security. Only mitigation of risk to an acceptable level.
The second thing to keep in mind is that, in these corporations, all goals are skewed towards short term performance and the executives milking out as much cash for themselves as possible.
If putting off the investment in security this year gets them a bonus this year then who cares what happens next year?
Until CIO CEO it'll never change (Score:2)
Until IT staff have the same power and ability to lean back on a state license like an engineer or architect and say "no" to dangerous, illegal, or just plain stupid demands from end users, management, and shareholders, this will not change.
Re: (Score:2)
is this a funny? like some keebler elves showing up to clean things up without telling everybody? or sell the exploits???
Re: (Score:2)
Re: (Score:2)
Gov't: Court should not allow disclosure
http://www.myfoxaustin.com/story/23591839/govt-court-should-not-allow-disclosure [myfoxaustin.com]
The NSL aspects, PR and global branding is getting costly and a bit Kafkaesque.
Re: (Score:2)
There isn't unlimited risk though. If a user is going to win a lawsuit, they have to show their data was leaked because of your negligence, not just bad luck. As long as you follow enough "industry best practices" (obvious shit like "have a firewall" and "don't give employees admin rights") to appear non-negligent to a jury of techno-illiterate old folks, you'll be fine.
Re: (Score:2)
Re:SO WHY DID IT TAKE A SNOWDEN . . . !!` (Score:5, Insightful)
It seems we are taking the position of a man who was part of an active and systematic attack on the security of network infrastructure through planned back dooring, lowering of quality of encryption systems, and intentional hacking?
Really? It's the corps' fault they are not secure, considering what the NSA has been up to?
Perhaps they should have spent 10% of the effort on informing corps of the holes they found instead of just squirreling them away in the grab bag of dirty tricks.
If it suddenly matters so much, then please, make public the details of ALL known security holes, and inform all victims of the backdooring done to their systems.
No? Thought not..
So if Snowden can get at the NSA (Score:3)
Re: (Score:3)
A FISC judge used that blame-the-victim security logic according to a new interview with Lavabit's ex-owner [arstechnica.com] at Ars Technica, even though the judge wasn't sure if "unencrypted" is even a real word:
[Levison] continued to resist, arguing that by handing over the key, he would be compromising the security of all users. In an August 1 hearing, Judge Claude Hilton said that it was effectively Levison's fault that sites have only a single private SSL key.
"You're blaming the government for something that's overbroad, but it seems to me that your client is the one that set up the system that's designed not to protect that information, because you know that there needs to be access to calls that go back and forth to one person or another," the judge asked Levison's attorney, Jesse Binnall. "And to say you can't do that just because you've set up a system that ...has to be unencrypted, if there's such a word, that doesn't seem to me to be a very persuasive argument."
[sarcasm]Yeah, nothing wrong with being so over-intrusive since it's not like the guy really tried to make it secure...[/sarcasm]
Re: (Score:2)
Really? It's the corps' fault they are not secure, considering what the NSA has been up to?
Yes, it is.
Oh, the NSA likely would have gotten in anyway, but that's no excuse for the generally lousy state of security in big corporations. I spent 15 years as a security consultant, working with all sorts of big companies -- especially banks, who you'd expect to have reasonable security -- and "appalling" is the word I use also. I once worked with one bank that did a billion dollars a day in wire transfers over an unauthenticated, unencrypted FTP connection. Seriously. The transport was a leased line
Re: (Score:2)
Anyone who was smart enough to understand history, their internal networks, links to outside networks and had a basic level of curiosity would have been aware.
To counter that:
You have a mortgage, student loans, taxes, a growing family, real advancement opportunities