We Don't Care about Data and IT Security

  • Comments posted to this topic are about the item We Don't Care about Data and IT Security

    K. Brian Kelley
    @kbriankelley

  • Back in the C19th they didn't care about clean water and drainage. In fact Joseph Bazellgette was lampooned for suggesting that London needed such things.

    Amazing what rampant Cholera and Typhus can do to change attitudes.

    We haven't had the data equivalent of those diseases but we will do and probably soon. At that point we will learn some very harsh lessons.

    I think those lessons will come when the new memory technology that allows you to have an affordable 16TB rather than an expensive 16GB laptop comes into play. At that point computers will be so powerful that every one becomes a supercomputer. Black hats with their own personal supercomputers. God help us all.

  • I'm not for the Nanny state, over burdensome regulations. If someone wants to get a Darwin award, fine by me.

    But where others get affected then I do see the issues. The ICO in the UK should have teeth and use them and fine companies that allow personal data to be stolen due to their lack securitty. Currently its underfunded and doesn't have a lot of power.

  • I have a friend who is of the opinion that it is impossible for his accounts to be hacked. Not unlikely, not difficult. Flat out impossible. He also says he doesn't care at all if his credit card numbers are stolen, as he'll just cancel the card and get a new one.

    This is someone who is a near full time user of Facebook and G+

    With that kind of attitude, how do you even approach IT security?

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • Yet Another DBA (8/11/2014)


    I'm not for the Nanny state, over burdensome regulations. If someone wants to get a Darwin award, fine by me.

    But where others get affected then I do see the issues. The ICO in the UK should have teeth and use them and fine companies that allow personal data to be stolen due to their lack securitty. Currently its underfunded and doesn't have a lot of power.

    I have reported incidents to the ICO and, (without truly comparing the misdeeds) like with other crimes, I - the victim - have been treated poorly by those supposed to protect me (among others). Bearing in mind that I have a reasonable amount of knowledge of the ICO, the appropriate laws and the incidents, I have been amazed at the contempt and/or indifference I have faced following reporting them.

    It is no wonder why companies do not take the issue seriously when the enforcement agency's response to issues raised are a joke.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • GilaMonster (8/11/2014)


    I have a friend who is of the opinion that it is impossible for his accounts to be hacked. Not unlikely, not difficult. Flat out impossible. He also says he doesn't care at all if his credit card numbers are stolen, as he'll just cancel the card and get a new one.

    This is someone who is a near full time user of Facebook and G+

    With that kind of attitude, how do you even approach IT security?

    Focus on everyone/anyone else. We all know an ostrich or too.

    I have to say, Gail, that you are showing amazing restraint. I once was fixing a family member's computer when they announced (from a metaphorical soap box) that they didn't use their computer for a particular activity. 20 minutes later I showed them:

      a) that I had fixed their computer
      b) evidence that they had done that "particular activity" the night before

    Was I wrong? Maybe as it wasn't an illegal activity. I did educate them though :laugh:

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • I think that we all need to do better. Microsoft has shown that it could move from the back of the pack and I hope that all leading IT companies will push further ahead.

    We need better practices so we must do them ourselves. We also need support from our tools vendors but it is us who can demand it. I guess we need to highlight this with them and accept that it may make our day job just a little less easy e.g. like losing sa with a blank password - on mass we didn't use it or expect it so it was easier for it to be removed (industry understanding).

    My biggest concerns remain with the content providers like those under the banner of social media e.g. FaceBook. There have been plenty of examples of what I would call "wrong doing" which are sometimes legal but, in my opinion, immoral.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • It doesn't help if a DBA or developer cares about security, if their boss and the rest of the org table doesn't. It's time for the C-levels to actually earn their pay and make security a priority.

    Target? Their previous CIO was a marketing wiz, not a IT professional. If they had put the effort into security that they did into marketing analytics, they wouldn't have had the issues that vexed them last year.

  • GilaMonster (8/11/2014)


    I have a friend who is of the opinion that it is impossible for his accounts to be hacked. Not unlikely, not difficult. Flat out impossible. He also says he doesn't care at all if his credit card numbers are stolen, as he'll just cancel the card and get a new one.

    My solution is super easy, I set all files and directories to allow read / write access to everyone and remove all passwords, this makes unauthorized access impossible!

  • patrickmcginnis59 10839 (8/11/2014)


    GilaMonster (8/11/2014)


    I have a friend who is of the opinion that it is impossible for his accounts to be hacked. Not unlikely, not difficult. Flat out impossible. He also says he doesn't care at all if his credit card numbers are stolen, as he'll just cancel the card and get a new one.

    My solution is super easy, I set all files and directories to allow read / write access to everyone and remove all passwords, this makes unauthorized access impossible!

    Isn't that like making one's life so unenviable so they can only make it better?

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • chrisn-585491 (8/11/2014)


    It doesn't help if a DBA or developer cares about security, if their boss and the rest of the org table doesn't. It's time for the C-levels to actually earn their pay and make security a priority.

    Target? Their previous CIO was a marketing wiz, not a IT professional. If they had put the effort into security that they did into marketing analytics, they wouldn't have had the issues that vexed them last year.

    Here's what's killer to us in Info Sec. Target *did* invest. Target had the latest and greatest from FireEye. AND IT WORKED. The system alerted the technical staff about the deployment of the malware. Somebody in the chain chose to ignore those alerts.

    K. Brian Kelley
    @kbriankelley

  • Gary Varga (8/11/2014)


    patrickmcginnis59 10839 (8/11/2014)


    GilaMonster (8/11/2014)


    I have a friend who is of the opinion that it is impossible for his accounts to be hacked. Not unlikely, not difficult. Flat out impossible. He also says he doesn't care at all if his credit card numbers are stolen, as he'll just cancel the card and get a new one.

    My solution is super easy, I set all files and directories to allow read / write access to everyone and remove all passwords, this makes unauthorized access impossible!

    Isn't that like making one's life so unenviable so they can only make it better?

    Not me, I'm living the thug life!!!

    I had a boss once who I admired and learned from, but she did have a pretty big security misconception, that we wouldn't get cracked because "we didn't have anything they wanted", despite having a nice big internet connection and plenty of servers running. I think we all (hopefully) realise that being another host to launch attacks from isn't that bad a catch either from the crackers point of view.

  • K. Brian Kelley (8/11/2014)


    .... Somebody in the chain chose to ignore those alerts.

    Speechless.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • I have to question the "myth" of the Air-Gap that is referenced. A proper Air-Gap or Data Diode for SCADA systems provides a level of protection that cannot be denied. However, if the company stops doing security at the point of the Data Diode, yes you are vulnerable. However! Stuxnet is proof both that Air-Gaps work and that you can get around them. Stuxnet had a variety of 0 day vulnerabilities that were exploited. Including the payload that targeted specific Siemens systems. The damage and spread could have been much worse without the air-gaps that existed in the Nuclear facility. But, it also showed that overly trusting anything can lead to infection.

    Like everything in Cyber Security. Defense in Depth is a must. You have to do all levels to have security. Malware Scanning, Heuristics, Best Practices, and yes, Data Diodes/Air-Gaps for super critical systems (Like Nuclear Reactor Control/Shutdown systems). In many cases, SCADA should remain Analog or have Analog backup to the Digital side to ensure that you can bring the system to a safe state.

    As a disclaimer, I'm in Nuclear.

  • Most banks have a policy of pretty much protecting their customers from fraudulent cards. My wife dropped a card and by the time she noticed it a few hours later, there were about $1500 charges. She didn't have to pay a penny. Banks and merchants however feel that the risk of payout for them is worth the increased usage of the cards by customers. In some countries users are much more liable and are a lot more cautious, often avoiding using of cards altogether.

    Multiple times over the years my own cards have been reissued with new numbers because of a breach somewhere (they never actually say), not due to lost card on my account. None of this has ever resulted in a cost to me.

    Target, too, has stepped to the plate and claims they will bear the brunt of any customer losses.

    Under those circumstances, why wouldn't customers decide to go back?

    As long as banks and retailers cover costs, people aren't going to change (is this a good thing or a bad thing?)

    ...

    -- FORTRAN manual for Xerox Computers --

Viewing 15 posts - 1 through 15 (of 56 total)

You must be logged in to reply to this topic. Login to reply