We Don't Care about Data and IT Security
Posted Tuesday, August 12, 2014 12:31 PM
Keeper of the Duck

Group: Moderators
Last Login: Yesterday @ 8:57 AM
Points: 6,634, Visits: 1,872
patrickmcginnis59 10839 (8/12/2014)


I know I'm a little slow, but I'm having some difficulty identifying venoym's mistake, from what I've read he's actually talking about required and recommended practices. Could you offer a little help in identifying his actual mistake? Sure would be appreciated!


Venoym believes in defense in depth and not relying on one mechanism to protect your kingdom. This is the best approach. There's nothing wrong here.

Unfortunately, there are too many in the development, implementation, and administration of SCADA software that don't think the same way. They believe that one defense, the air gap/data diode, can protect them from any and all attacks.

Venoym's mistake, at least from what I've seen in the posts, is in thinking that more folks in the industry think like Venoym does. From what I've seen of the SCADA industry, Venoym is the exception, not the rule, when it comes to thinking about security and how to properly apply it.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #1602411
Posted Tuesday, August 12, 2014 4:05 PM
SSCrazy Eights

Group: General Forum Members
Last Login: Today @ 6:30 PM
Points: 8,830, Visits: 9,388
Andrew..Peterson (8/11/2014)
Yes, free market now.
But back in the 1970's, without the limit, the only cards in wide use were American Express and Diner's Club.

That surprises me. Barclaycard was widespread in the UK before 1970; I can't remember what the customer liability limit was, or even if there was a limit, despite having a card back then. There weren't any ATMs that accepted them, though - they had no mag stripe, just embossed details, and could only be used where things were sold. They were a lot more popular than Diner's Card or Amex because they took a smaller cut.


Tom
Post #1602510
Posted Wednesday, August 13, 2014 4:54 AM
Old Hand

Group: General Forum Members
Last Login: Today @ 7:19 AM
Points: 345, Visits: 3,344
jay-h (8/11/2014)
Andrew..Peterson (8/11/2014)
Credit card companies focus on fraud because they have to. A long time ago, a law was passed limiting the card holder's exposure to $50. (thank government regulations - for anyone who is anti-government).


Funny thing, that. Many cards hold the cardholder to zero exposure. This is NOT required by regulation. But competition and the realization that getting the user to carry the card involves allaying fears.

Free market.



Nope, regulation. The regulation has reduced the liability to below the 'hassle threshold'. If liability were unlimited you'd not have them writing off the cash. In fact, if liability were pinned at $5000, or even $1000, they wouldn't, no matter how "competitive" the market cosy oligopoly.
They'd just sell you a useless insurance policy they're almost never going to pay out on "for your peace of mind".


I'm a DBA.
I'm not paid to solve problems. I'm paid to prevent them.
Post #1602647
Posted Wednesday, August 13, 2014 5:11 AM
Ten Centuries

Group: General Forum Members
Last Login: Today @ 4:37 AM
Points: 1,028, Visits: 1,692
K. Brian Kelley (8/12/2014)
patrickmcginnis59 10839 (8/12/2014)


I know I'm a little slow, but I'm having some difficulty identifying venoym's mistake, from what I've read he's actually talking about required and recommended practices. Could you offer a little help in identifying his actual mistake? Sure would be appreciated!


Venoym believes in defense in depth and not relying on one mechanism to protect your kingdom. This is the best approach. There's nothing wrong here.

Unfortunately, there are too many in the development, implementation, and administration of SCADA software that don't think the same way. They believe that one defense, the air gap/data diode, can protect them from any and all attacks.

Venoym's mistake, at least from what I've seen in the posts, is in thinking that more folks in the industry think like Venoym does. From what I've seen of the SCADA industry, Venoym is the exception, not the rule, when it comes to thinking about security and how to properly apply it.


In actuality, I don't extend that thinking. The US Nuclear Regulatory Commission does. Regulations stipulate that you can't stop at a Data Diode/Air-Gap, regardless of what your SCADA vendor does. I know for a fact that there are many who think that a Data Diode is the end-all, which is wrong-headed at best. The simple point that I'm attempting to illustrate is that beating a drum of "Air-Gaps are useless" is just as wrong as relying solely on them; this is what the linked article was about and is what you stated in your editorial. What the mantra of "Air-gaps are failed infosec" will lead to is SCADA systems directly connected to the Internet and highly vulnerable to many 0-day exploits that can cause actual damage to large portions of a country. Simply put, if it is not connected it cannot be remotely controlled! Do you still have to do best practices? YES. You can't disregard that some things NEED to be disconnected. (Think about the Top Secret data/information at the CIA as an example.)
Post #1602654
Posted Wednesday, August 13, 2014 11:38 AM
Keeper of the Duck

Group: Moderators
Last Login: Yesterday @ 8:57 AM
Points: 6,634, Visits: 1,872
venoym (8/13/2014)
K. Brian Kelley (8/12/2014)
patrickmcginnis59 10839 (8/12/2014)


I know I'm a little slow, but I'm having some difficulty identifying venoym's mistake, from what I've read he's actually talking about required and recommended practices. Could you offer a little help in identifying his actual mistake? Sure would be appreciated!


Venoym believes in defense in depth and not relying on one mechanism to protect your kingdom. This is the best approach. There's nothing wrong here.

Unfortunately, there are too many in the development, implementation, and administration of SCADA software that don't think the same way. They believe that one defense, the air gap/data diode, can protect them from any and all attacks.

Venoym's mistake, at least from what I've seen in the posts, is in thinking that more folks in the industry think like Venoym does. From what I've seen of the SCADA industry, Venoym is the exception, not the rule, when it comes to thinking about security and how to properly apply it.


In actuality, I don't extend that thinking. The US Nuclear Regulatory Commission does. Regulations stipulate that you can't stop at a Data Diode/Air-Gap, regardless of what your SCADA vendor does. I know for a fact that there are many who think that a Data Diode is the end-all, which is wrong-headed at best. The simple point that I'm attempting to illustrate is that beating a drum of "Air-Gaps are useless" is just as wrong as relying solely on them; this is what the linked article was about and is what you stated in your editorial. What the mantra of "Air-gaps are failed infosec" will lead to is SCADA systems directly connected to the Internet and highly vulnerable to many 0-day exploits that can cause actual damage to large portions of a country. Simply put, if it is not connected it cannot be remotely controlled! Do you still have to do best practices? YES. You can't disregard that some things NEED to be disconnected. (Think about the Top Secret data/information at the CIA as an example.)


"Air gaps are failed infosec" hasn't led to SCADA systems directly connected to the Internet. That's because there are SCADA systems that already are. And keep in mind that SCADA extends beyond nuclear. Almost any time someone does a study on SCADA systems, what is found? Are the types of controls you indicate should be in place for nuclear what is found? Is it even close? What leads to that thinking?


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #1602912
Posted Wednesday, August 13, 2014 6:59 PM
SSCrazy Eights

Group: General Forum Members
Last Login: Today @ 6:30 PM
Points: 8,830, Visits: 9,388
K. Brian Kelley (8/13/2014)
"Air gaps are failed infosec" hasn't led to SCADA systems directly connected to the Internet. That's because there are SCADA systems that already are.

Yeah, sure, so some people already get it wrong means it's fine to encourage more people to get it wrong, does it?
You may have a valid argument somewhere in this discussion, but that nonsense just lost you all your credibility with me.
And keep in mind that SCADA extends beyond nuclear.
So what? Because SCADA covers more than nuclear we should not bother about SCADA safety for nuclear?
Almost any time someone does a study on SCADA systems, what is found? Are the types of controls you indicate should be in place for nuclear what is found? Is it even close? What leads to that thinking?

What thinking is that that you are talking about? You don't appear to want people to understand what you mean. Are you asking whether things appropriate for nuclear are found every time a study is done on non-nuclear? If so, what relevance do you think the answer to that question could imaginably have to whether those things are important to the nuclear case? If not, what on earth does that string of words mean?


Tom
Post #1603072
Posted Thursday, August 14, 2014 6:22 AM
Keeper of the Duck

Group: Moderators
Last Login: Yesterday @ 8:57 AM
Points: 6,634, Visits: 1,872
TomThomson (8/13/2014)
K. Brian Kelley (8/13/2014)
"Air gaps are failed infosec" hasn't led to SCADA systems directly connected to the Internet. That's because there are SCADA systems that already are.

Yeah, sure, so some people already get it wrong means it's fine to encourage more people to get it wrong, does it?
You may have a valid argument somewhere in this discussion, but that nonsense just lost you all your credibility with me.


The idea that saying "air gaps are failed infosec" isn't what leads folks to connect SCADA systems to the Internet. Connecting any system to the Internet takes time and resources. So why do people do it? For their own convenience. I'm rejecting the notion that saying a statement like this makes people do something that causes themselves more work unless there's another reason. There IS another reason. And folks will go forward with that reason regardless of the risk. We see it outside of SCADA, too.

And keep in mind that SCADA extends beyond nuclear.
So what? Because SCADA covers more than nuclear we should not bother about SCADA safety for nuclear?


I'm not saying that we shouldn't bother about SCADA systems for nuclear. If you go back and read the conversation, my comments are directed towards SCADA as a whole. One subset of the industry's implementation may be relatively secure. But you can't look at that one subset and say the whole industry follows the same pattern. It doesn't. The studies show that SCADA as a whole does not. That's my point.

Almost any time someone does a study on SCADA systems, what is found? Are the types of controls you indicate should be in place for nuclear what is found? Is it even close? What leads to that thinking?

What thinking is that that you are talking about? You don't appear to want people to understand what you mean. Are you asking whether things appropriate for nuclear are found every time a study is done on non-nuclear? If so, what relevance do you think the answer to that question could imaginably have to whether those things are important to the nuclear case? If not, what on earth does that string of words mean?


As I said, something is lost if you don't follow the conversation. I'm not saying neglect nuclear. What I've been saying is that nuclear isn't representative of the whole. If nuclear is more secure and believes in more than an air gap/data diode solution, then it's actually an exception when you consider the entire population. It shouldn't be that way, but it is what it is.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #1603227
Posted Thursday, August 14, 2014 6:27 AM
Grasshopper

Group: General Forum Members
Last Login: Thursday, August 14, 2014 6:21 AM
Points: 13, Visits: 57
I think we have all gotten off the original topic here, which was valid when it started. Security is an issue and the thought concerning it needs to be changed. However, there are 2 things that aren't being addressed as this string progresses.

1) You can't make a horse drink once you lead it to water.

2) This is more important, if the current leaders are doing anything about it then stop wondering what could be done and start leading. Start doing anything that gets the message out there; be the change you want to happen instead of wondering when others are going to do it.

My opinion on this.

Post #1603230