Have You Been Hacked?

  • I don't know how our profession will move forward in the future to meet these needs. Perhaps we'll become bonded like locksmiths. Perhaps we'll be bound by insurance requirements to adhere to best practices. I'm not sure any of that will help increase security ...

    'Computer security' is becoming an oxymoron like 'jumbo shrimp' and 'business ethics'.

    As IT professionals, we shall do our best, of course, but we are essentially in a reactive position. The lock-pickers always have the initiative, always are a step ahead. We 'white hats' pick up the pieces and learn the lessons after the fact. We shut the barn door after the horses have been made off with, and secure it with a newer and hopefully better padlock - only to find out later the bad guys have found yet another way into the barn.

    As a private citizen, I'm actively considering doing away with my credit and debit cards, and indeed with all but the most indispensable forms of electronic banking and fiscal transacting.

    A small stack of banknotes might suffice instead.

  • Eric M Russell (10/30/2014)


    The impression I get is that most of these hacks targeting big retailers are actually not database penetrations. Malware gets installed on the Point Of Sale terminals, which then skims data from credit card transactions. There are also cases where hackers sniff unencrypted wifi network traffic from POS terminals. Corporate headquarters can lock down their database servers, but sensitive data originates at 100s of local retail outlets which perhaps aren't following the corporation's own security policies when it comes to how the computer equipment is configured or used. I mean, how does malware end up on a POS terminal? Are employees browsing the web on their POS in between customers?

    Often this has been because the POS terminals have a network link to other servers and devices.

    Not many are database penetrations, but certainly there are some of these not related to the POS stuff. The question is, would you know if you've been hacked?

  • Megistal (10/30/2014)


    But I would take a chance and say "The price is not yet enough to enforce good practices". In other words, the chance that something will not happen vs the amount of money to cover it if it does.

    I tend to agree. Not sure I like your suggestions, but you're spot on. Not enough of a penalty to reduce this dramatically.

  • Robert.Sterbal (10/30/2014)


    While most illicit drug users are otherwise law-abiding citizens, there is ample evidence that taking illegal drugs increases your risk of financial criminal activity since the dealers don't fill your demand for their product for free.

    I'm not sure there is ample evidence here. Plenty of people use drugs that manage their finances and function at a high level in society.

    The financial distress is often the key here. It has nothing to do with drugs as people that spend more than they make, regardless of on what, are creating risk of committing theft.

  • As IT professionals, we shall do our best, of course, but we are essentially in a reactive position.

    We could use programming languages to build our operating systems that are not subject to buffer overflows and microprocessors that are not susceptible to stack smashing, but the industry has adapted to: "Worse is Better" so C, C++, Intel and browser based applications won...

  • I'm not sure there is ample evidence here. Plenty of people use drugs that manage their finances and function at a high level in society.

    Says the guy that lives in the "Mile High State"... 😛

  • chrisn-585491 (10/30/2014)


    As IT professionals, we shall do our best, of course, but we are essentially in a reactive position.

    We could use programming languages to build our operating systems that are not subject to buffer overflows and microprocessors that are not susceptible to stack smashing, but the industry has adapted to: "Worse is Better" so C, C++, Intel and browser based applications won...

    Good suggestions all; these would represent security improvements and make life more challenging for the 'black hats'.

    However, even 'more secure' operating systems such as Linux have exploitable vulnerabilities. We are engaged in a constant evolutionary 'predator/prey' race, in which there is no finish line.

  • However, even 'more secure' operating systems such as Linux have exploitable vulnerabilities. We are engaged in a constant evolutionary 'predator/prey' race, in which there is no finish line.

    I disagree. And Linux isn't more secure than Windows. (OpenBSD might be...)

    I don't think commercial software has tried. The current infrastructure is built on the sand of mutual trust/ease of use, not security. There's a ton of easy fruit for the black hat to pick up.

  • chrisn-585491 (10/30/2014)


    I'm not sure there is ample evidence here. Plenty of people use drugs that manage their finances and function at a high level in society.

    Says the guy that lives in the "Mile High State"... 😛

    http://time.com/money/3312312/castle-rock-colorado-best-places-to-live/

  • chrisn-585491 (10/30/2014)


    However, even 'more secure' operating systems such as Linux have exploitable vulnerabilities. We are engaged in a constant evolutionary 'predator/prey' race, in which there is no finish line.

    I disagree. And Linux isn't more secure than Windows. (OpenBSD might be...)

    I don't think commercial software has tried. The current infrastructure is built on the sand of mutual trust/ease of use, not security. There's a ton of easy fruit for the black hat to pick up.

    +1

    And there's incentives to attack certain platforms more as they're used more.

  • As a DBA we are kind of the last line of defense unfortunately.

    All of the issues that happen, especially as of late (subscribe to Krebs on Security) are usually not the fault of the DBA.

    What about externally facing firewalls, SSL, secure web sites, Intrusion Detection systems and patching? (yes, ZERO day things still exist). All of these items are way, way before a database gets hit.

    As it is currently, most employers do some 'due diligence' with background checks.

    The licensing and bonding thing sounds good on the surface but will in all likelihood never be implemented due to costs that must be incurred by the employing organization. If it were cheap, it would have happened a couple of decades ago.

    Regards,
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."

  • The question is, would you know if you've been hacked?

    If we can define what exactly it means to be "hacked", then we can successfully guard against it and detect it when it happens.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • http://time.com/money/3312312/castle-rock-colorado-best-places-to-live/

    If I could relocate from the MetroMess here in North Texas to the mountains, I would. Unfortunately my spouse has a better job than I...

  • Begin Rant!

    I guess I have a different take on this. We appear to be operating under a broken understanding of crime and punishment. We look at it this way "The hacker does the crime and the company and its IT staff get the punishment."

    We have listened too long to the excuses. Stuff like "there are no international agreements in place to ..." "It is too hard to track who is doing this..." "We are able to track this only to an account in the Cayman Islands..." Well, instead of punishing the person in the company who is trying to do their job, or the company who has such a tight profit margin that if they buy much more IT Security they will go broke, or castigating businesses for not taking care of things we trust them with, why can't we go find the criminals and freeze or take their assets, put them out of business, and give them a very long all-expenses-paid vacation on the state?

    We should be finding the criminals and punishing them, and not find the working IT person and end their life and career.

    End Rant.

    Not all gray hairs are Dinosaurs!

  • Me: However, even 'more secure' operating systems such as Linux have exploitable vulnerabilities.

    ChrisN: I disagree. And Linux isn't more secure than Windows. (OpenBSD might be...)

    The reason more secure was placed in quotes is to emphasise the fact Linux is not terribly more secure than Windows - despite frequent claims to the contrary by Linux aficionados.

    Americans have many positive qualities, but a sense of irony doesn't seem to be amongst them. 😉
