December 14, 2013 at 11:31 am
Comments posted to this topic are about the item Encrypt Everything
December 14, 2013 at 3:03 pm
I absolutely agree with the concept of encrypting everything in transit but...
Why does it seem that it always comes back to this recent bloody NSA thing? Where the hell have people been? It's not likely that organizations like the NSA are going to do anything with your data that would actually cause harm to the company (well, unless the company is doing something illegal). What people SHOULD be concerned about is ANYONE getting their data and if they're just now coming around to that fact, then they're several decades behind what should have been on their agenda all along.
As a bit of a sidebar, this is yet another reason why I prefer local physical hardware as opposed to using cloud services.
--Jeff Moden
Change is inevitable... Change for the better is not.
December 16, 2013 at 4:52 am
To many applications still have SA rights with an easily guessed password. So encryption doesnt really help much other than the backup files now needing a certificate for the restore. These same companies still dont believe in encrypting data like bank account information, personal/customer personal data. Just waiting for the UK media to have afield day.
I have worked in too many places where the IT staff let alone the Business believe that an NDA will be adequate in protecting all of their data.
December 16, 2013 at 4:54 am
Jeff Moden (12/14/2013) ......
As a bit of a sidebar, this is yet another reason why I prefer local physical hardware as opposed to using cloud services.
A bit tongue in cheek: Why would any one at a cloud provider want to look at your data.
More seriously though, at least you can do a proper audit with local storage.
December 16, 2013 at 6:28 am
If business managers invested in security and training, we would have security and training. Until then, they are enjoy their bonuses and wondering what us nerds and geeks are worried about.
December 16, 2013 at 7:19 am
I think it is fair to point out that Microsoft just stated they will start encrypting, Google just stated they would a couple weeks ago. All of the major players knew this was an issue years ago, and ignored the risk.
Our organization is starting to require SSL on all web traffic, whether internal or external. It will take a couple years to get there, but in the end it will be an improvement. Thick client apps are not in scope for this change.
The media and the government continuously talk about how the biggest threat is internal, but I disagree. Our own government is arguably the worst as they are violating our own constitution! This is followed by intrusion attempts from china and other countries, and I believe individual attacks from external resources are next. Employee threats exist, but if you count the group of employees who are foreign nationals in the "country" group, I think that threat is relatively small.
My point - encrypt everything external first, and worry about internal risks once that is somewhat taken care of. Those companies that can do both at the same time should consider it.
Dave
December 16, 2013 at 7:26 am
Jeff Moden (12/14/2013)
I absolutely agree with the concept of encrypting everything in transit but...Why does it seem that it always comes back to this recent bloody NSA thing? Where the hell have people been? It's not likely that organizations like the NSA are going to do anything with your data that would actually cause harm to the company (well, unless the company is doing something illegal).
The NSA is a government agency. Government agencies answer to the president and congress. The current administration has used the IRS to attack the Tea Party, previous administrations on both sides have used the IRS and other agencies to attack their enemies.
Companies get attacked frequently because of the political opinions of the owners or management. I do not believe that it is at all a stretch to say that various administrations in the past, and certainly the future, have and will use anything they can to silence opposition. The NSA has ADMITTED it is using personal preferences such as sexual orientation, sexual habits and other data to attack the leaders of various organizations. How long before they use that information to attack CEOs? I would bet it is already happening.
I respect your opinion on this, and I would hope you are correct that the likelihood is low, but recent evidence indicates you may not be.
Dave
December 16, 2013 at 8:20 am
Yet Another DBA (12/16/2013)
A bit tongue in cheek: Why would any one at a cloud provider want to look at your data.
It's not anyone, but a particular person. If I suspect you are storing credit cards, or I want to know your sales data, and it's valuable enough, trying to get an employee to siphon off or look at data (for $$) is a valid way of criminally attacking your data.
Or perhaps I see if the cloud company really separates out VLANs or do they have shared LANs I can sniff?
Encryption certainly slows things down.
December 16, 2013 at 8:25 am
djackson 22568 (12/16/2013)
Companies get attacked frequently because of the political opinions of the owners or management. I do not believe that it is at all a stretch to say that various administrations in the past, and certainly the future, have and will use anything they can to silence opposition. The NSA has ADMITTED it is using personal preferences such as sexual orientation, sexual habits and other data to attack the leaders of various organizations. How long before they use that information to attack CEOs? I would bet it is already happening.
I respect your opinion on this, and I would hope you are correct that the likelihood is low, but recent evidence indicates you may not be.
I'm not sure I am quite as concerned here as Mr. Jackson, but I also do think that information gets leaked. CEOs are friends, or potential employers, of people working at the NSA. They (NSA or government employees) might be willing to share confidential information that gets them a job, bonus, etc. I don't think it's some global conspiracy or consistent set of actions that occurs constantly, but I do think it can happen. It's human nature.
However, I agree with Jeff that it's not something that just started. This type of espionage has been happening with corporations, foreign governments, and likely our own, for a long time.
December 16, 2013 at 8:33 am
Pick on South Carolina. The South Carolina Department of Revenue didn't encrypt the Social Security Numbers of taxpayers who filed electronic tax returns. Whoops! Now hackers have 6 million Social Security Numbers when they hacked into the computer systems.
December 16, 2013 at 8:42 am
Ralph Hightower (12/16/2013)
Pick on South Carolina. The South Carolina Department of Revenue didn't encrypt the Social Security Numbers of taxpayers who filed electronic tax returns. Whoops! Now hackers have 6 million Social Security Numbers when they hacked into the computer systems.
You could substitute pretty much anything for "South Carolina" and "South Carolina Department of Revenue".
I am not knowledgeable enough to consider myself a cracker (true term for what the media calls hacker, all of us are hackers), but even I can break into a huge percentage of systems. Take anyone with minimal skills, or anyone willing to download automated tools, and the vast majority of systems are at risk.
As I see it, there are at least a couple viewpoints we need to have.
1) We all need to do a better job securing our data and our infrastructures
2) Independent hackers, not affiliated with any country, are a significant threat that we need to protect ourselves against, and we need to stop assuming we have nothing they want
3) Countries are also attacking us, not just the US and china, but all of them
An interesting article I read this weekend explained how one state (Louisiana?) is suing IBM for its involvement with the NSA. Lawyers always find a way to include more and more entities in lawsuits in order to maximize their profits. This is just the tip of the iceberg. I find it ironic that a government is suing a company due to their involvement wiht the government.
Dave
December 16, 2013 at 8:53 am
If Snowden's leaks are to be believed, the NSA pressured encryption providers to provide some sort of access to them. In addition, a handful of encrypted services providers (http://rt.com/usa/cryptoseal-vpn-close-grant-nsa-521/ , for example) opted to close their doors rather than comply with the NSA.
I don't expect the djinn to make it back to the bottle. 🙁
That said, I applaud the efforts of the companies that have announced they will add more encryption.
Andy
Andy Leonard, Chief Data Engineer, Enterprise Data & Analytics
December 16, 2013 at 9:16 am
djackson 22568 (12/16/2013)
I am not knowledgeable enough to consider myself a cracker (true term for what the media calls hacker, all of us are hackers), but even I can break into a huge percentage of systems. Take anyone with minimal skills, or anyone willing to download automated tools, and the vast majority of systems are at risk.
Try "System" and "Manager" on Oracle systems. Works like "sa" and "" on many SQL Server systems.
December 16, 2013 at 9:58 am
Steve, Nice word and the point of view is excellent. If we cannot protect "data at rest" we should at least protect the "data in motion". As you say it would be great to do both, and we should depending on the classification of the data being used. But there is even a fallacy in that. Our systems often do not know the difference between the data classification of each transaction, so it is far better to protect it all, just in case a programmer/analyst/developer/architect makes a mistake.
I cannot say that encryption covers a multitude of IT sins or errors, but every tool and strategy we can deploy to thwart the "enemy" we should.
Nice one!
Miles...
Not all gray hairs are Dinosaurs!
December 24, 2013 at 1:09 am
No-one can help but see things from their perspective and, therefore, we have seen a very US-centric point of view on this i.e. the US Government targets US citizens, the US Government targets US corporations, foreign governments target US citizens, foreign governments target US corporations, foreign governments target US individuals etc.
The reality has been that a lot of governments around the world, a lot of organised crime syndicates around the world, a lot of corporations around the world, a lot of private collectives around the world and a lot of individuals around the world have been hacking governments from around the world, corporations from around the world and a lot of individuals from around the world. Ask Angela Merkel :Whistling:
I think that a politician from Portugal said it best when he said that the US Government was only doing what all governments would do given the same amount of funding.
I accept that it is most likely that the Chinese government and Chinese corporations are hacking US targets (I haven't seen the proof myself but I am prepared to take the reports at face value) but I bet that those Chinese Government and corporations are being hacked by the US too.
Also, I wonder if Chinese corporations have better practices to protect themselves from their own Government?
BTW I have no axe to grind. I am from the UK whose government also indulges in such practices 😉
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
Viewing 15 posts - 1 through 15 (of 15 total)
You must be logged in to reply to this topic. Login to reply