SQLServerCentral is supported by Red Gate Software Ltd.
We Don't Care about Data and IT Security
Posted Monday, August 11, 2014 6:55 AM
Keeper of the Duck
Group: Moderators
Last Login: Monday, September 15, 2014 8:57 AM
Points: 6,634, Visits: 1,872
chrisn-585491 (8/11/2014)
It doesn't help if a DBA or developer cares about security, if their boss and the rest of the org table doesn't. It's time for the C-levels to actually earn their pay and make security a priority.

Target? Their previous CIO was a marketing wiz, not an IT professional. If they had put the effort into security that they did into marketing analytics, they wouldn't have had the issues that vexed them last year.


Here's what's killer to us in Info Sec. Target *did* invest. Target had the latest and greatest from FireEye. AND IT WORKED. The system alerted the technical staff about the deployment of the malware. Somebody in the chain chose to ignore those alerts.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #1601831
Posted Monday, August 11, 2014 6:55 AM
SSC-Addicted
Group: General Forum Members
Last Login: Today @ 7:00 AM
Points: 418, Visits: 2,447
Gary Varga (8/11/2014)
patrickmcginnis59 10839 (8/11/2014)
GilaMonster (8/11/2014)
I have a friend who is of the opinion that it is impossible for his accounts to be hacked. Not unlikely, not difficult. Flat out impossible. He also says he doesn't care at all if his credit card numbers are stolen, as he'll just cancel the card and get a new one.

My solution is super easy, I set all files and directories to allow read / write access to everyone and remove all passwords, this makes unauthorized access impossible!


Isn't that like making one's life so unenviable so they can only make it better?


Not me, I'm living the thug life!!!

I had a boss once who I admired and learned from, but she did have a pretty big security misconception, that we wouldn't get cracked because "we didn't have anything they wanted", despite having a nice big internet connection and plenty of servers running. I think we all (hopefully) realise that being another host to launch attacks from isn't that bad a catch either from the crackers' point of view.
Post #1601832
Posted Monday, August 11, 2014 6:57 AM
SSCertifiable
Group: General Forum Members
Last Login: Today @ 7:33 AM
Points: 5,418, Visits: 3,145
K. Brian Kelley (8/11/2014)
.... Somebody in the chain chose to ignore those alerts.


Speechless.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1601833
Posted Monday, August 11, 2014 7:27 AM
Ten Centuries
Group: General Forum Members
Last Login: Today @ 4:43 AM
Points: 1,032, Visits: 1,696
I have to question the "myth" of the Air-Gap that is referenced. A proper Air-Gap or Data Diode for SCADA systems provides a level of protection that cannot be denied. However, if the company stops doing security at the point of the Data Diode, yes you are vulnerable. However! Stuxnet is proof both that Air-Gaps work and that you can get around them. Stuxnet had a variety of 0-day vulnerabilities that were exploited, including the payload that targeted specific Siemens systems. The damage and spread could have been much worse without the air-gaps that existed in the Nuclear facility. But, it also showed that overly trusting anything can lead to infection.

Like everything in Cyber Security, Defense in Depth is a must. You have to do all levels to have security. Malware Scanning, Heuristics, Best Practices, and yes, Data Diodes/Air-Gaps for super critical systems (Like Nuclear Reactor Control/Shutdown systems). In many cases, SCADA should remain Analog or have Analog backup to the Digital side to ensure that you can bring the system to a safe state.


As a disclaimer, I'm in Nuclear.
Post #1601856
Posted Monday, August 11, 2014 7:30 AM
Right there with Babe
Group: General Forum Members
Last Login: Tuesday, September 2, 2014 8:37 AM
Points: 751, Visits: 1,917
Most banks have a policy of pretty much protecting their customers from fraudulent cards. My wife dropped a card and by the time she noticed it a few hours later, there were about $1500 in charges. She didn't have to pay a penny. Banks and merchants however feel that the risk of payout for them is worth the increased usage of the cards by customers. In some countries users are much more liable and are a lot more cautious, often avoiding using cards altogether.

Multiple times over the years my own cards have been reissued with new numbers because of a breach somewhere (they never actually say), not due to lost card on my account. None of this has ever resulted in a cost to me.

Target, too, has stepped to the plate and claims they will bear the brunt of any customer losses.

Under those circumstances, why wouldn't customers decide to go back?

As long as banks and retailers cover costs, people aren't going to change (is this a good thing or a bad thing?)

...

-- FORTRAN manual for Xerox Computers --
Post #1601859
Posted Monday, August 11, 2014 7:38 AM
Grasshopper
Group: General Forum Members
Last Login: Thursday, August 14, 2014 6:21 AM
Points: 13, Visits: 57
Old Hand - unfortunately that attitude is more prevalent than people think. Also the silly belief that "We have a firewall and AV running, we're good." Like neither of those have been bypassed numerous times before.
It all comes down to money unfortunately, the large companies don't care about the small fines they get and the govt. agencies don't care to enforce the regulations because the people they are enforcing them on are their largest contributors to their campaigns.

Another huge reason for this issue and why it won't be corrected is people's complacency. People don't want to spend the extra 10-15 minutes setting up their machine with extra users who aren't admins and using those accounts instead of the default "Owner" account that most personal PCs come with. We all have run into either friends or family members who bank online, pay all their bills online and then admit they run their machine as an Admin with no updated AV (it slows down my machine too much) let alone a firewall (what's that and is it important) because it's just easier not to bother learning even a little about how to keep yourself safe.

If we really want this to start changing then get it into the schools (grade schools, where computer learning starts nowadays) and start explaining to the kids why this is important and that even a basic understanding will help. Instead it's just here is a Word Processing program, here's the internet and how to use search, and maybe if they're lucky why you shouldn't talk to strangers online.
Post #1601864
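The "extra users who aren't admins" setup the post above recommends, shown as an added PowerShell example that is not part of this thread or any poster's code. It assumes Windows 10 / Server 2016 or later, where the built-in Microsoft.PowerShell.LocalAccounts cmdlets (New-LocalUser, Add-LocalGroupMember, Get-LocalGroupMember) are available; the account name daily-user is a constructed placeholder.

```powershell
# Added example: check whether the current session is elevated, list who is in
# the local Administrators group, and create a standard (non-admin) account for
# everyday use. Assumes Windows 10+ with the LocalAccounts module.

function Test-IsElevated {
    # True when the current token holds the built-in Administrator role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminAccounts {
    # Shows every account that would get admin rights just by logging in.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
}

function New-StandardUser {
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # New-LocalUser creates the account; adding it only to 'Users' (never to
    # 'Administrators') is what keeps it a standard, non-admin account.
    $user = New-LocalUser -Name $Name -Password $Password
    Add-LocalGroupMember -Group 'Users' -Member $user
    return $user
}

# Usage: report the current session's privilege level and the admin group membership.
if (Test-IsElevated) {
    Write-Host 'This session is elevated (Administrator). Use it only for setup tasks.'
} else {
    Write-Host 'This session is not elevated; suitable for everyday use.'
}
Get-LocalAdminAccounts

# Creating the everyday account needs an elevated session (run once as admin).
# 'daily-user' is a constructed placeholder name.
if (Test-IsElevated) {
    $pw = Read-Host -AsSecureString -Prompt 'Password for the new standard account'
    New-StandardUser -Name 'daily-user' -Password $pw
}
```

After the standard account exists, log in with it for daily work and let UAC prompt for the admin credentials only when something genuinely needs them; Get-LocalAdminAccounts is a quick way to confirm the new account did not end up in Administrators.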
Posted Monday, August 11, 2014 7:46 AM
SSCertifiable
Group: General Forum Members
Last Login: Today @ 7:33 AM
Points: 5,418, Visits: 3,145
jay-h (8/11/2014)
... As long as banks and retailers cover costs, people aren't going to change (is this a good thing or a bad thing?)


It is a bad thing as we all need to be a bit vigilant. Social awareness and social responsibility seem to be very low on people's radars in the current blame culture. People always have looked for gaps in systems. Always leaving people totally off the hook will lead to bigger problems and a populace who think that it is NEVER their problem and not only will someone else clear it up but also pick up the tab.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1601869
Posted Monday, August 11, 2014 7:52 AM
Forum Newbie
Group: General Forum Members
Last Login: Thursday, September 4, 2014 11:13 AM
Points: 1, Visits: 79
Business is all about money. If the cost of added security to make us all feel better outweighs the feeling we get from the quarterly earnings statement and, as the article implies, few people really do care, then we are obligated as servants of the business we service as IT professionals to honor their choice and not worry too much about security. Having said that, if you are the IT director and your contract has you personally responsible for security, which sometimes happens, then your contract is at odds with the larger business goals and you have a serious problem. I don't have an answer for that scenario, but I do know if the CEO doesn't value security, then no one else will, either.
Post #1601873
Posted Monday, August 11, 2014 8:01 AM
Keeper of the Duck
Group: Moderators
Last Login: Monday, September 15, 2014 8:57 AM
Points: 6,634, Visits: 1,872
venoym (8/11/2014)
I have to question the "myth" of the Air-Gap that is referenced. A proper Air-Gap or Data Diode for SCADA systems provides a level of protection that cannot be denied.


It provides an additional level of protection. I'm not denying that. However, the way most SCADA systems have been built, what's behind that data diode is ripe for the picking. You can't add additional layers of protection without breaking the system. Why do they have that attitude? Because they trust the air gap/data diode is the be all/end all. It isn't. It's just a broken and outdated idea in infosec.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #1601880
Posted Monday, August 11, 2014 8:04 AM
SSCertifiable
Group: General Forum Members
Last Login: Today @ 7:33 AM
Points: 5,418, Visits: 3,145
bkbettis (8/11/2014)
Business is all about money. If the cost of added security to make us all feel better outweighs the feeling we get from the quarterly earnings statement and, as the article implies, few people really do care, then we are obligated as servants of the business we service as IT professionals to honor their choice and not worry too much about security. Having said that, if you are the IT director and your contract has you personally responsible for security, which sometimes happens, then your contract is at odds with the larger business goals and you have a serious problem. I don't have an answer for that scenario, but I do know if the CEO doesn't value security, then no one else will, either.


Fair point.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1601884