Lost in the Noise
Posted Monday, August 26, 2013 8:37 PM
SSC-Dedicated
Group: Administrators
Last Login: Yesterday @ 5:38 PM
Points: 31,368, Visits: 15,834
Comments posted to this topic are about the item Lost in the Noise
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1488525
Posted Tuesday, August 27, 2013 4:45 AM
Valued Member
Group: General Forum Members
Last Login: Thursday, December 11, 2014 5:47 AM
Points: 68, Visits: 452
Maybe a honeypot will attract outsiders, but it will not save you from insiders compromising your security. IMHO if organisations use honeypots and decoys on a larger scale, some hackers will soon develop tools to distinguish those IP addresses from 'the real things' and distribute those tools among their community members. Since none of us wants to pay more than absolutely necessary and security is costly, many organisations will cut on security and leave it to the bare minimum that is required by law. As long as a security measure (for example, an extra guard) delivers more than it costs (less shoplifting) those measures will be taken, but don't expect anything more in a world based on profit and loss. Why should a hospital invest in extra security measures on the access to their patient files, while making them accessible from nearly anywhere could save them travelling costs? Did you ask them how they secure your file before you went to a doctor? Did you ask the water plant what measures they have taken to ensure that their plant is not vulnerable to an attack from the internet? As long as people do not ask these questions, companies will not profit from security measures, leaving no reason to implement additional security measures. Yes, they do talk about it, but when they find out how much effort it requires to embed security into their daily operations, it ends up at the bottom of the list. But of course that is only my humble opinion ...
Post #1488668
Posted Tuesday, August 27, 2013 5:17 AM
SSC Rookie
Group: General Forum Members
Last Login: Tuesday, August 27, 2013 4:57 AM
Points: 28, Visits: 124
1. In general it costs just as much to develop code with poor performance as it does to develop fast code. The same can be said for security. If you have good templates and good guidelines, you tend to develop better code. So I refute the argument of cost outlined in the reply above.
That said, I do agree that these best practices need to be gained from somewhere & implemented. Which typically means smart, motivated, up-to-date staff. These folks typically earn more.

2. I'd hesitate on the "Decoy" concept. It may work for fighter aircraft against an immediate threat. But it may also attract the attention of someone with a more effective weapon. Once they've hacked your honeypot, they are more educated & are now armed with scripts to automate their attacks against you or someone else in your industry.

3. If you really have the ability to detect a hack and track the offender back to the source, then there is merit in offering a soft target which you can use as an ambush. But if all you know is "someone" tried/is trying to hack us, it may help to get budget for more security. OR it may just frustrate the business. i.e.: Which is most expensive? Knowing that someone is trying to hack your bank's ATM network right now & maybe letting them steal money, OR turning off all the bank's ATMs nationwide for an indeterminate period of time & dealing with the customer dissatisfaction & negative PR that results. What manager wants to make that decision?
Post #1488682
Posted Tuesday, August 27, 2013 5:43 AM
Valued Member
Group: General Forum Members
Last Login: Thursday, December 11, 2014 5:47 AM
Points: 68, Visits: 452
David Lean (8/27/2013)
1. In general it costs just as much to develop code with poor performance as it does to develop fast code. The same can be said for security. If you have good templates and good guidelines, you tend to develop better code. So I refute the argument of cost outlined in the reply above.
That said, I do agree that these best practices need to be gained from somewhere & implemented. Which typically means smart, motivated, up-to-date staff. These folks typically earn more.


David, I do agree with you on the other points you've made in your comment. But from my experience as a professional developer, programmer, DBA and BI consultant I can tell you that it requires more than good templates to build fast and secure applications. Even so, many poorly built applications ended up this way because the companies that made them relied more on tools and templates than on the programming skills of their employees. Good developers must be paid likewise; good tools seem to be a lot cheaper, but no tool can protect you from the mistakes of inexperienced developers.

In most cases there is a trade-off between speed and security. Secure code needs to perform more checks, and code running in a secured environment will always be slower than 'unsafe' code. But security is not just built into the applications we use. It is also in the way we work with these applications, the places where we have access to these applications and many other factors that are outside the reach of the application or its developers. If a company decides to hand out the administrator password to every employee to avoid the 'overhead' of setting up roles and user groups, one can blame neither the application nor the developer for the lack of security.
Post #1488692
Posted Tuesday, August 27, 2013 6:45 AM
Old Hand
Group: General Forum Members
Last Login: Friday, December 12, 2014 1:37 PM
Points: 351, Visits: 316
David Lean (8/27/2013)
Knowing that someone is trying to hack your bank's ATM network right now & maybe letting them steal money, OR turning off all the bank's ATMs nationwide for an indeterminate period of time & dealing with the customer dissatisfaction & negative PR that results. What manager wants to make that decision?


That is exactly the decision Sony made when they were hacked. It was costly, but not as costly as not reporting it, not fixing the problem, and letting people find out afterwards.
Post #1488724
Posted Tuesday, August 27, 2013 6:54 AM
Old Hand
Group: General Forum Members
Last Login: Friday, December 12, 2014 1:37 PM
Points: 351, Visits: 316
Placing any part of our crucial infrastructure on the public internet is begging for it to be hacked, destroyed, or owned over that connection.
Security is cheap and easy when compared to the cost of a failure of these systems. It might be inconvenient to make physical contact with these systems or connect them on a private network. How inconvenient is it when they are hacked?
It almost seems that all this was done just so we could waste money undoing it.
Post #1488732
Posted Tuesday, August 27, 2013 6:55 AM
Right there with Babe
Group: General Forum Members
Last Login: Tuesday, December 16, 2014 12:11 PM
Points: 771, Visits: 1,971
I would bet that at this moment, some people are honeypotting the NSA to see what tools/approaches they are using

...

-- FORTRAN manual for Xerox Computers --
Post #1488733
Posted Tuesday, August 27, 2013 7:29 AM
SSC-Dedicated
Group: Administrators
Last Login: Yesterday @ 5:38 PM
Points: 31,368, Visits: 15,834
David Lean (8/27/2013)
1. In general it costs just as much to develop code with poor performance as it does to develop fast code. The same can be said for security. If you have good templates and good guidelines, you tend to develop better code. So I refute the argument of cost outlined in the reply above.
That said, I do agree that these best practices need to be gained from somewhere & implemented. Which typically means smart, motivated, up-to-date staff. These folks typically earn more.

2. I'd hesitate on the "Decoy" concept. It may work for fighter aircraft against an immediate threat. But it may also attract the attention of someone with a more effective weapon. Once they've hacked your honeypot, they are more educated & are now armed with scripts to automate their attacks against you or someone else in your industry.

3. If you really have the ability to detect a hack and track the offender back to the source, then there is merit in offering a soft target which you can use as an ambush. But if all you know is "someone" tried/is trying to hack us, it may help to get budget for more security. OR it may just frustrate the business. i.e.: Which is most expensive? Knowing that someone is trying to hack your bank's ATM network right now & maybe letting them steal money, OR turning off all the bank's ATMs nationwide for an indeterminate period of time & dealing with the customer dissatisfaction & negative PR that results. What manager wants to make that decision?


Perhaps. I'd think that the honeypots could change just as the attackers change.

The idea isn't just to have them attack a fake system, but also to learn about how they attack (and from where). The honeypots can also draw off the "Script kiddie" attacks. Those not made with targeted intent of achieving anything other than vandalism.
Post #1488760
Posted Tuesday, August 27, 2013 9:36 AM
SSCrazy
Group: General Forum Members
Last Login: Yesterday @ 12:50 PM
Points: 2,500, Visits: 1,586
Just a general question about this. If someone hacks or attempts to hack a fake or valid site and they are identified as real and are known by IP or otherwise, is it legal to retaliate as a means to protect your assets? It used to be said that the best defense is a strong offence; is that valid or legal in the IT world today?

If we just smile and spend another xxx billion dollars a year to protect ourselves across the entire industry passing that increased cost on time after time to the consumers could bankrupt some companies and cause online things just to cost too much to operate. Now I know that is in part what some would like to do, so why have we not taken them on, besides attempting to take them to court?

Just wondering!
Not all gray hairs are Dinosaurs!
Post #1488837
Posted Tuesday, August 27, 2013 9:37 AM
SSC Veteran
Group: General Forum Members
Last Login: 2 days ago @ 1:21 PM
Points: 229, Visits: 650
@Steve Jones wrote:

It's scary to think how the world may change when any individual, as well as any country, could attack our digital systems. It means security is more and more important all the time.

It makes me wonder if the game is always worth the candle. When do we actually need automation and digital systems? Are we automating for automation's sake? Would analogue technologies or even manual processes be more appropriate?

I'm not advocating we go back to the Eisenhower era, but perhaps we should at least occasionally rethink our (over?)reliance upon digital technology.
Post #1488839