Lost in the Noise
Steve Jones
SSC-Dedicated

Group: Administrators
Points: 36302 Visits: 18752
Comments posted to this topic are about the item Lost in the Noise

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
vliet
SSC Journeyman

Group: General Forum Members
Points: 98 Visits: 730
Maybe a honeypot will attract outsiders, but it will not save you from insiders compromising your security. IMHO if organisations will use honeypots and decoys on a larger scale, some hackers will soon develop tools to distinguish those IP addresses from 'the real things' and distribute those tools among their community members. Since none of us wants to pay more than absolutely necessary and security is costly, any organisations will cut on security and leave it to the bare minimum that is required by law. As long as a security measure (for example, an extra guard) delivers more than it costs (less shoplifting) those measures will be taken, but don't expect anything more in a world based on profit and loss. Why should a hospital invest in extra security measures on the access to their patient files, while making them accessible from nearly anywhere could save them traveling costs? Did you ask them how they secure your file before you went to a doctor? Did you ask the water plant what measures they have taken to ensure that their plant is not vulnerable to an attack from the internet? As long as people do not ask these questions, companies will not profit from security measures, leaving no reason to implement additional security measures. Yes, they do talk about it, but when they find out how much effort it requires to embed security into their daily operations, it ends up at the bottom of the list. But of course that is only my humble opinion ...
David Lean
SSC Rookie

Group: General Forum Members
Points: 42 Visits: 129
1. In general it costs just as much to develop code with poor performance as it does to develop fast code. The same can be said for security. If you have good templates, good guidelines you tend to develop better code. So I refute the argument of cost outlined in the reply above.
That said, I do agree that these best practices need to be gained from somewhere & implemented. Which typically means smart, motivated, up-to-date staff. These folks typically earn more.

2. I'd hesitate on the "Decoy" concept. It may work for fighter aircraft against an immediate threat. But it may also attract the attention of someone with a more effective weapon. Once they've hacked your honeypot, they are more educated & are now armed with scripts to automate their attacks against you or someone else in your industry.

3. If you really have the ability to detect a hack and track the offender back to the source, then there is merit in offering a soft target which you can use as an ambush. But if all you know is "someone" tried/is trying to hack us, it may help to get budget for more security. OR it may just frustrate the business. i.e.: Which is most expensive? Knowing that someone is trying to hack your bank's ATM network right now & maybe letting them steal money OR turning off all the bank's ATMs nationwide for an indeterminate period of time & dealing with the customer dissatisfaction & negative PR that results. What manager wants to make that decision?
vliet
SSC Journeyman

Group: General Forum Members
Points: 98 Visits: 730
David Lean (8/27/2013)
1. In general it costs just as much to develop code with poor performance as it does to develop fast code. The same can be said for security. If you have good templates, good guidelines you tend to develop better code. So I refute the argument of cost outlined in the reply above.
That said, I do agree that these best practices need to be gained from somewhere & implemented. Which typically means smart, motivated, up-to-date staff. These folks typically earn more.

David, I do agree with you on the other points you've made in your comment. But from my experience as a professional developer, programmer, DBA and BI consultant I can tell you that it requires more than good templates to build fast and secure applications. Even so, many poorly built applications ended up this way because the companies that made them relied more on tools and templates than on the programming skills of their employees. Good developers must be paid likewise; good tools seem to be a lot cheaper, but no tool can protect you from the mistakes of inexperienced developers.

In most cases there is a trade-off between speed and security. Secure code needs to perform more checks, and code running in a secured environment will always be slower than 'unsafe' code. But security is not just built into the applications we use. It is also in the way we work with these applications, the places where we have access to these applications and many other factors that are outside the reach of the application or its developers. If a company decides to hand out the administrator password to every employee to avoid the 'overhead' of setting up roles and user groups, one can blame neither the application nor the developer for the lack of security.
PHYData DBA
Mr or Mrs. 500

Group: General Forum Members
Points: 562 Visits: 533
David Lean (8/27/2013)
Knowing that someone is trying to hack your bank's ATM network right now & maybe letting them steal money OR turning off all the bank's ATMs nationwide for an indeterminate period of time & dealing with the customer dissatisfaction & negative PR that results. What manager wants to make that decision?

That is exactly the decision Sony made when they were hacked. It was costly, but not as costly as not reporting it, not fixing the problem, and letting people find out afterwards.
PHYData DBA
Mr or Mrs. 500

Group: General Forum Members
Points: 562 Visits: 533
Placing any part of our crucial Infrastructure on the public internet is begging for them to be hacked, destroyed, or owned over that connection.
Security is cheap and easy when compared to the cost of a failure of these systems. It might be inconvenient to make physical contact with these systems or connect them on a private network. How inconvenient is it when they are hacked?
It almost seems that all this was done just so we could waste money undoing it.
jay-h
SSC Eights!

Group: General Forum Members
Points: 931 Visits: 2222
I would bet that at this moment, some people are honeypotting the NSA to see what tools/approaches they are using

...

-- FORTRAN manual for Xerox Computers --
Steve Jones
SSC-Dedicated

Group: Administrators
Points: 36302 Visits: 18752
David Lean (8/27/2013)
1. In general it costs just as much to develop code with poor performance as it does to develop fast code. The same can be said for security. If you have good templates, good guidelines you tend to develop better code. So I refute the argument of cost outlined in the reply above.
That said, I do agree that these best practices need to be gained from somewhere & implemented. Which typically means smart, motivated, up-to-date staff. These folks typically earn more.

2. I'd hesitate on the "Decoy" concept. It may work for fighter aircraft against an immediate threat. But it may also attract the attention of someone with a more effective weapon. Once they've hacked your honeypot, they are more educated & are now armed with scripts to automate their attacks against you or someone else in your industry.

3. If you really have the ability to detect a hack and track the offender back to the source, then there is merit in offering a soft target which you can use as an ambush. But if all you know is "someone" tried/is trying to hack us, it may help to get budget for more security. OR it may just frustrate the business. i.e.: Which is most expensive? Knowing that someone is trying to hack your bank's ATM network right now & maybe letting them steal money OR turning off all the bank's ATMs nationwide for an indeterminate period of time & dealing with the customer dissatisfaction & negative PR that results. What manager wants to make that decision?

Perhaps. I'd think that the honeypots could change just as the attackers change.

The idea isn't just to have them attack a fake system, but also to learn about how they attack (and from where). The honeypots can also draw off the "script kiddie" attacks: those not made with the targeted intent of achieving anything other than vandalism.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Miles Neale
SSCrazy

Group: General Forum Members
Points: 2678 Visits: 1694
Just a general question about this. If someone hacks or attempts to hack a fake or valid site and they are identified as real and are known by IP or otherwise, is it legal to retaliate as a means to protect your assets? It used to be said that the best defense is a strong offence; is that valid or legal in the IT world today?

If we just smile and spend another xxx billion dollars a year to protect ourselves across the entire industry passing that increased cost on time after time to the consumers could bankrupt some companies and cause online things just to cost too much to operate. Now I know that is in part what some would like to do, so why have we not taken them on, besides attempting to take them to court?

Just wondering!

Not all gray hairs are Dinosaurs!
GoofyGuy
SSC-Addicted

Group: General Forum Members
Points: 421 Visits: 971
@Steve Jones wrote:

It's scary to think how the world may change when any individual, as well as any country, could attack our digital systems. It means security is more and more important all the time.

It makes me wonder if the game is always worth the candle. When do we actually need automation and digital systems? Are we automating for automation's sake? Would analogue technologies or even manual processes be more appropriate?

I'm not advocating we go back to the Eisenhower era, but perhaps we should at least occasionally rethink our (over?)reliance upon digital technology.