We Don't Care about Data and IT Security
K. Brian Kelley
patrickmcginnis59 10839 (8/12/2014)


I know I'm a little slow, but I'm having some difficulty identifying venoym's mistake, from what I've read he's actually talking about required and recommended practices. Could you offer a little help in identifying his actual mistake? Sure would be appreciated!


Venoym believes in defense in depth and not relying on one mechanism to protect your kingdom. This is the best approach. There's nothing wrong here.

Unfortunately, there are too many in the development, implementation, and administration of SCADA software that don't think the same way. They believe that one defense, the air gap/data diode, can protect them from any and all attacks.

Venoym's mistake, at least from what I've seen in the posts, is in thinking that more folks in the industry think like Venoym does. From what I've seen of the SCADA industry, Venoym is the exception, not the rule, when it comes to thinking about security and how to properly apply it.

K. Brian Kelley
@kbriankelley
TomThomson
Andrew..Peterson (8/11/2014)
Yes, free market now.
But back in the 1970's, without the limit, the only cards in wide use were American Express and Diner's Club.

That surprises me. Barclaycard was widespread in the UK before 1970; I can't remember what the customer liability limit was, or even if there was a limit, despite having a card back then. There weren't any ATMs that accepted them, though - they had no mag stripe, just embossed details, and could only be used where things were sold. They were a lot more popular than Diner's Club or Amex because they took a smaller cut.

Tom

andrew gothard
jay-h (8/11/2014)
Andrew..Peterson (8/11/2014)
Credit card companies focus on fraud because they have to. A long time ago, a law was passed limiting the card holder's exposure to $50. (thank government regulations - for anyone who is anti-government).


Funny thing, that. Many cards hold the cardholder to zero exposure. This is NOT required by regulation. But competition and the realization that getting the user to carry the card involves allaying fears.

Free market.



Nope, regulation. The regulation has reduced the liability to below the 'hassle threshold'. If liability were unlimited you'd not have them writing off the cash. In fact, if liability were pinned at $5000, or even $1000, they wouldn't, no matter how "competitive" the market's cosy oligopoly.
They'd just sell you a useless insurance policy they're almost never going to pay out on "for your peace of mind".

I'm a DBA.
I'm not paid to solve problems. I'm paid to prevent them.
venoym
K. Brian Kelley (8/12/2014)
patrickmcginnis59 10839 (8/12/2014)


I know I'm a little slow, but I'm having some difficulty identifying venoym's mistake, from what I've read he's actually talking about required and recommended practices. Could you offer a little help in identifying his actual mistake? Sure would be appreciated!


Venoym believes in defense in depth and not relying on one mechanism to protect your kingdom. This is the best approach. There's nothing wrong here.

Unfortunately, there are too many in the development, implementation, and administration of SCADA software that don't think the same way. They believe that one defense, the air gap/data diode, can protect them from any and all attacks.

Venoym's mistake, at least from what I've seen in the posts, is in thinking that more folks in the industry think like Venoym does. From what I've seen of the SCADA industry, Venoym is the exception, not the rule, when it comes to thinking about security and how to properly apply it.


In actuality, I don't extend that thinking. The US Nuclear Regulatory Commission does. Regulations stipulate that you can't stop at a Data Diode/Air-Gap, regardless of what your SCADA vendor does. I know for a fact that there are many who think that a Data Diode is the end-all, which is wrong-headed at best. The simple point that I'm attempting to illustrate is that beating a drum of "Air-Gaps are useless" is just as wrong as relying solely on them; this is what the linked article was about and is what you stated in your editorial. What the mantra of "Air-gaps are failed infosec" will lead to is SCADA systems directly connected to the Internet and highly vulnerable to many 0-day exploits that can cause actual damage to large portions of a country. Simply put, if it is not connected it cannot be remotely controlled! Do you still have to do best practices? YES. You can't disregard that some things NEED to be disconnected. (Think about the Top Secret data/information at the CIA as an example.)
K. Brian Kelley
venoym (8/13/2014)
K. Brian Kelley (8/12/2014)
patrickmcginnis59 10839 (8/12/2014)


I know I'm a little slow, but I'm having some difficulty identifying venoym's mistake, from what I've read he's actually talking about required and recommended practices. Could you offer a little help in identifying his actual mistake? Sure would be appreciated!


Venoym believes in defense in depth and not relying on one mechanism to protect your kingdom. This is the best approach. There's nothing wrong here.

Unfortunately, there are too many in the development, implementation, and administration of SCADA software that don't think the same way. They believe that one defense, the air gap/data diode, can protect them from any and all attacks.

Venoym's mistake, at least from what I've seen in the posts, is in thinking that more folks in the industry think like Venoym does. From what I've seen of the SCADA industry, Venoym is the exception, not the rule, when it comes to thinking about security and how to properly apply it.


In actuality, I don't extend that thinking. The US Nuclear Regulatory Commission does. Regulations stipulate that you can't stop at a Data Diode/Air-Gap, regardless of what your SCADA vendor does. I know for a fact that there are many who think that a Data Diode is the end-all, which is wrong-headed at best. The simple point that I'm attempting to illustrate is that beating a drum of "Air-Gaps are useless" is just as wrong as relying solely on them; this is what the linked article was about and is what you stated in your editorial. What the mantra of "Air-gaps are failed infosec" will lead to is SCADA systems directly connected to the Internet and highly vulnerable to many 0-day exploits that can cause actual damage to large portions of a country. Simply put, if it is not connected it cannot be remotely controlled! Do you still have to do best practices? YES. You can't disregard that some things NEED to be disconnected. (Think about the Top Secret data/information at the CIA as an example.)


"Air gaps are failed infosec" hasn't led to SCADA systems directly connected to the Internet. That's because there are SCADA systems that already are. And keep in mind that SCADA extends beyond nuclear. Almost any time someone does a study on SCADA systems, what is found? Are the types of controls you indicate should be in place for nuclear what is found? Is it even close? What leads to that thinking?

K. Brian Kelley
@kbriankelley
TomThomson
K. Brian Kelley (8/13/2014)
"Air gaps are failed infosec" hasn't led to SCADA systems directly connected to the Internet. That's because there are SCADA systems that already are.

Yeah, sure, so some people already get it wrong means it's fine to encourage more people to get it wrong, does it?
You may have a valid argument somewhere in this discussion, but that nonsense just lost you all your credibility with me.
And keep in mind that SCADA extends beyond nuclear.
So what? Because SCADA covers more than nuclear we should not bother about SCADA safety for nuclear?
Almost any time someone does a study on SCADA systems, what is found? Are the types of controls you indicate should be in place for nuclear what is found? Is it even close? What leads to that thinking?

What thinking is it that you are talking about? You don't appear to want people to understand what you mean. Are you asking whether things appropriate for nuclear are found every time a study is done on non-nuclear? If so, what relevance do you think the answer to that question could imaginably have to whether those things are important to the nuclear case? If not, what on earth does that string of words mean?

Tom

K. Brian Kelley
TomThomson (8/13/2014)
K. Brian Kelley (8/13/2014)
"Air gaps are failed infosec" hasn't led to SCADA systems directly connected to the Internet. That's because there are SCADA systems that already are.

Yeah, sure, so some people already get it wrong means it's fine to encourage more people to get it wrong, does it?
You may have a valid argument somewhere in this discussion, but that nonsense just lost you all your credibility with me.


The idea that saying "air gaps are failed infosec" isn't what leads folks to connect SCADA systems to the Internet. Connecting any system to the Internet takes time and resources. So why do people do it? For their own convenience. I'm rejecting the notion that saying a statement like this makes people do something that causes themselves more work unless there's another reason. There IS another reason. And folks will go forward with that reason regardless of the risk. We see it outside of SCADA, too.

And keep in mind that SCADA extends beyond nuclear.
So what? Because SCADA covers more than nuclear we should not bother about SCADA safety for nuclear?


I'm not saying that we shouldn't bother about SCADA systems for nuclear. If you go back and read the conversation, my comments are directed towards SCADA as a whole. One subset of the industry's implementation may be relatively secure. But you can't look at that one subset and say the whole industry follows the same pattern. It doesn't. The studies show that SCADA as a whole does not. That's my point.

Almost any time someone does a study on SCADA systems, what is found? Are the types of controls you indicate should be in place for nuclear what is found? Is it even close? What leads to that thinking?

What thinking is it that you are talking about? You don't appear to want people to understand what you mean. Are you asking whether things appropriate for nuclear are found every time a study is done on non-nuclear? If so, what relevance do you think the answer to that question could imaginably have to whether those things are important to the nuclear case? If not, what on earth does that string of words mean?


As I said, something is lost if you don't follow the conversation. I'm not saying neglect nuclear. What I've been saying is that nuclear isn't representative of the whole. If nuclear is more secure and believes in more than an air gap/data diode solution, then it's actually an exception when you consider the entire population. It shouldn't be that way, but it is what it is.

K. Brian Kelley
@kbriankelley
JoeS 3024
I think we have all gotten off the original topic here, which was valid when it started. Security is an issue and the thinking concerning it needs to be changed. However, there are 2 things that aren't being addressed as this thread progresses.

1) You can't make a horse drink once you lead it to water.

2) This is more important, if the current leaders are doing anything about it then stop wondering what could be done and start leading. Start doing anything that gets the message out there; be the change you want to happen instead of wondering when others are going to do it.

My opinion on this.
Go