We Don't Care about Data and IT Security

  • Old Hand - unfortunately that attitude is more prevalent than people think. Also the silly belief that "We have a firewall and AV running, we're good." Like neither of those have been by-passed numerous times before.

    It all comes down to money unfortunately, the large companies don't care about the small fines they get and the govt. agencies don't care to enforce the regulations because the people they are enforcing them on are their largest contributors to their campaigns.

    Another huge reason to this issue and why it won't be corrected is people's complacency. People don't want to spend the extra 10 -15 minutes setting up their machine with extra users who aren't admins and using those accounts instead of the default "Owner" account that most personal PCs come with. We all have run into either friends or family members who bank on-line, pay all their bills on-line and then admit the run their machine as an Admin with no updated AV (it slows down my machine to much) let alone a firewall (what's that and is it important) because it's just easier not to bother learning even a little about how to keep yourself safe.

    If we really want this to start changing then get it into the schools (grade schools where computer learning starts now a day) and start explaining to the kids why this is important and that even a basic understanding will help. Instead it's just here is a Word Processing program, here's the internet and how to use search, and maybe if their lucky why you shouldn't talk to strangers on line.

  • jay-h (8/11/2014)


    ... As long as banks and retailers cover costs, people aren't going to change (is this a good thing or a bad thing?)

    It is a bad thing as we all need to be a bit vigilant. Social awareness and social responsibility seems to be very low on peoples' radars in the current blame culture. People always have looked for gaps in systems. Always leaving people totally off the hook will lead to bigger problems and a populace who think that it is NEVER their problem and not only will someone else clear it up but also pick up the tab.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Business is all about money. If the cost of added security to make us all feel better outweighs the feeling we get from the quarterly earnings statement and, as the article implies, few people really do care, then we are obligated as servants of the business we service as IT professionals to honor their choice and not worry too much about security. Having said that, if you are the IT director and your contract has you personally responsible for security, which sometimes happens, then your contract is at odds with the larger business goals and you have a serious problem. I don't have an answer for that scenario, but I do know if the CEO doesn't value security, then no one else will, either.

  • venoym (8/11/2014)


    I have to question the "myth" of the Air-Gap that is referenced. A proper Air-Gap or Data Diode for SCADA systems provides a level of protection that cannot be denied.

    It provides an additional level of protection. I'm not denying that. However, the way most SCADA systems have been built, what's behind that data diode is ripe for the picking. You can't add additional layers of protection without breaking the system. Why do they have that attitude? Because they trust the air gap/data diode is the be all/end all. It isn't. It's just a broke and outdated idea in infosec.

    K. Brian Kelley
    @kbriankelley

  • bkbettis (8/11/2014)


    Business is all about money. If the cost of added security to make us all feel better outweighs the feeling we get from the quarterly earnings statement and, as the article implies, few people really do care, then we are obligated as servants of the business we service as IT professionals to honor their choice and not worry too much about security. Having said that, if you are the IT director and your contract has you personally responsible for security, which sometimes happens, then your contract is at odds with the larger business goals and you have a serious problem. I don't have an answer for that scenario, but I do know if the CEO doesn't value security, then no one else will, either.

    Fair point.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • JoeS 3024 (8/11/2014)


    If we really want this to start changing then get it into the schools (grade schools where computer learning starts now a day) and start explaining to the kids why this is important and that even a basic understanding will help. Instead it's just here is a Word Processing program, here's the internet and how to use search, and maybe if their lucky why you shouldn't talk to strangers on line.

    We can't even decide on the standards of education our children should be expected to meet - the basic stuff school should provide like reading, math, history, writing, etc. Just look at the fight over Common Core here in the USA. I'm not taking sides for or against. I'm rather pointing out how staunchly those sides are fighting each other.

    So I don't see this being a fruitful approach any time in the near future.

    K. Brian Kelley
    @kbriankelley

  • K. Brian Kelley (8/11/2014)


    JoeS 3024 (8/11/2014)


    If we really want this to start changing then get it into the schools (grade schools where computer learning starts now a day) and start explaining to the kids why this is important and that even a basic understanding will help. Instead it's just here is a Word Processing program, here's the internet and how to use search, and maybe if their lucky why you shouldn't talk to strangers on line.

    We can't even decide on the standards of education our children should be expected to meet - the basic stuff school should provide like reading, math, history, writing, etc. Just look at the fight over Common Core here in the USA. I'm not taking sides for or against. I'm rather pointing out how staunchly those sides are fighting each other.

    So I don't see this being a fruitful approach any time in the near future.

    Same here in the UK. Even when it does get decided there are then so many opt outs of various bits that there still is no true core.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Microsoft, after taking some hits for their "insecure by default" configurations and applications, tightened things up greatly. It caused project time lines to be extended and delayed shipping on some releases. I think, though, we're glad Microsoft did.

    The impression I get is that SQL Server is considered more secure than Oracle by most security experts. Thanks to Microsoft for keeping the surface area tight, and deprecating hackable features that have since been replaced with more evolved and secure options. Deprecation is a good thing in my opinion.

    At one point a few years back, I was almost forced, due to circumstances within the organization, to become an Oracle DBA. In the process of reading and getting up to speed on Oracle 11g, I was baffled by all the tecno-trivia that had to be learned in order to maintain an database. The problem is that Oracle has to maintain backward compatibility to the 1980's in addition to cross-compatibility with multiple operating system platforms, so it has a lot more "junk in it's trunk".

    Not only does Oracle have a lot more potential holes to exploit, but my impression is that the average Oracle DBA isn't as familiar with their own platform as the average SQL Server DBA, simply because they have so much more territory to cover. The SQL Server platform itself it smarter, so the DBA in this realm doesn't have to be an OS / command shell / networking expert just to perform their daily job.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (8/11/2014)


    Microsoft, after taking some hits for their "insecure by default" configurations and applications, tightened things up greatly. It caused project time lines to be extended and delayed shipping on some releases. I think, though, we're glad Microsoft did.

    At one point a few years back, I was almost forced, due to circumstances within the organization, to become an Oracle DBA. In the process of reading and getting up to speed on Oracle 11g, I was baffled by all the tecno-trivia that had to be learned in order to maintain an database. The problem is that Oracle has to maintain backward compatibility to the 1980's in addition to cross-compatibility with multiple operating system platforms, so it has a lot more "junk in it's trunk".

    It's worse than that. From a couple of years ago. Note that Litchfield beat vulnerabilities supposedly patched and fixed:

    Black Hat 2012: David Litchfield slams Oracle database indexing

    K. Brian Kelley
    @kbriankelley

  • Eric M Russell (8/11/2014)


    Microsoft, after taking some hits for their "insecure by default" configurations and applications, tightened things up greatly. It caused project time lines to be extended and delayed shipping on some releases. I think, though, we're glad Microsoft did.

    The impression I get is that SQL Server is considered more secure than Oracle by most security experts. Thanks to Microsoft for keeping the surface area tight, and deprecating hackable features that have since been replaced with more evolved and secure options. Deprecation is a good thing in my opinion.

    At one point a few years back, I was almost forced, due to circumstances within the organization, to become an Oracle DBA. In the process of reading and getting up to speed on Oracle 11g, I was baffled by all the tecno-trivia that had to be learned in order to maintain an database. The problem is that Oracle has to maintain backward compatibility to the 1980's in addition to cross-compatibility with multiple operating system platforms, so it has a lot more "junk in it's trunk".

    Not only does Oracle have a lot more potential holes to exploit, but my impression is that the average Oracle DBA isn't as familiar with their own platform as the average SQL Server DBA, simply because they have so much more territory to cover. The SQL Server platform itself it smarter, so the DBA in this realm doesn't have to be an OS / command shell / networking expert just to perform their daily job.

    I hate just getting a connection from a development tool. You just have to...oh no there's that to do too...now just one last flaming hoop!!!

    EDIT: Classic post after page refresh but before quote button hit error!!!

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • The points about Education and Core garbage is right, there is a lot of fighting and unnecessary stuff going on about that. Which is why it's a joke people say they're all for education, if so, stop the garbage around it.

    My point was really, if we don't start at a young age setting good examples then why do we even think this issue will ever go away. Pushing it off because of all the other stuff going on around education is just the same response we are doing now, push it down the road and let someone else take care of it. At some point a stand has to be made, when do we really want to put the effort into making that stand. That is the question.

  • Gary Varga (8/11/2014)


    Eric M Russell (8/11/2014)


    Microsoft, after taking some hits for their "insecure by default" configurations and applications, tightened things up greatly. It caused project time lines to be extended and delayed shipping on some releases. I think, though, we're glad Microsoft did.

    The impression I get is that SQL Server is considered more secure than Oracle by most security experts. Thanks to Microsoft for keeping the surface area tight, and deprecating hackable features that have since been replaced with more evolved and secure options. Deprecation is a good thing in my opinion.

    At one point a few years back, I was almost forced, due to circumstances within the organization, to become an Oracle DBA. In the process of reading and getting up to speed on Oracle 11g, I was baffled by all the tecno-trivia that had to be learned in order to maintain an database. The problem is that Oracle has to maintain backward compatibility to the 1980's in addition to cross-compatibility with multiple operating system platforms, so it has a lot more "junk in it's trunk".

    Not only does Oracle have a lot more potential holes to exploit, but my impression is that the average Oracle DBA isn't as familiar with their own platform as the average SQL Server DBA, simply because they have so much more territory to cover. The SQL Server platform itself it smarter, so the DBA in this realm doesn't have to be an OS / command shell / networking expert just to perform their daily job.

    I hate just getting a connection from a development tool. You just have to...oh no there's that to do too...now just one last flaming hoop!!!

    EDIT: Classic post after page refresh but before quote button hit error!!!

    I'm having some difficulty parsing what you just said. What's this about connecting from development tools and flaming hoops? 🙂

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • JoeS 3024 (8/11/2014)


    The points about Education and Core garbage is right, there is a lot of fighting and unnecessary stuff going on about that. Which is why it's a joke people say they're all for education, if so, stop the garbage around it.

    My point was really, if we don't start at a young age setting good examples then why do we even think this issue will ever go away. Pushing it off because of all the other stuff going on around education is just the same response we are doing now, push it down the road and let someone else take care of it. At some point a stand has to be made, when do we really want to put the effort into making that stand. That is the question.

    No one is saying to push it off. I think if you could get it into the schools it would make the most impact. This is the best strategic place for it. However, I know that despite our best efforts on the security awareness side, we're not going to be able to get it into the schools. Therefore, if we're going to take a stand, it's not there. There it's wasted effort.

    And I will point out that it doesn't matter what studies you bring. It really doesn't. There are lots of studies about how recess helps learning, about how music furthers other skills, about how handwriting [especially cursive] helps with language processing. Yet those things are being phased out. So if you can't get traditional stuff to stick and you can't get anyone to listen to what our research is telling us, you aren't going to get security awareness in the curriculum.

    So I don't think trying to get it into our schools is an effective approach.

    K. Brian Kelley
    @kbriankelley

  • Lets just go back to everything being paper based. IT security issues resolved 🙂

  • The Fault (8/11/2014)


    Lets just go back to everything being paper based. IT security issues resolved 🙂

    Back to the photocopier being the biggest security risk?

    ...or cameras?

    ...or unlocked drawers?

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

Viewing 15 posts - 16 through 30 (of 57 total)

You must be logged in to reply to this topic. Login to reply