Comments on Errata Security: "Take a bow everybody, the security industry really failed this time"
Post author: David Maynor (http://www.blogger.com/profile/09921229607193067441)
Comment feed last updated 2024-01-16 05:48 -05:00. Comments are listed newest first.


Anonymous, 2011-07-15 03:49 -04:00

Would it be reasonable for IT security professionals to form a professional society with (at the minimum) a code of ethics?

Could you get (or form) something like the Underwriters Laboratories to vet security products/procedures?

Should IT security be completely re-thought from the ground up?


Anonymous, 2011-07-06 22:21 -04:00

Great post David, but I respectfully disagree with your conclusion. Shortened link with my rationale: http://wp.me/p1pasm-I


Pamela Reese (https://www.blogger.com/profile/06645585393383439894), 2011-06-30 14:32 -04:00 (the same comment was posted twice, at 14:32:09 and 14:32:46)

You're absolutely right, any security system that relies on users to make good security decisions is bound to fail. Regularly educating employees on their company's security policies and best practices is just as important as having the right technology in place. Throwing money at the problem won't work. My company, Symantec, works with our customers' CISOs, internal IT staff and channel partners to help them do a better job communicating the need to foster a culture of security with everyone in the company.

From a technology perspective, enabling organizations to make and enforce security policies based on real data is critical to helping employees avoid making innocent – yet costly – mistakes. For example, establishing a policy that prevents users in finance with sensitive data from installing software unless it has a good security rating and is known to be used by at least 10,000 people for at least 3 months. Providing application control, malware detection and network access control based on the experience of hundreds of millions of systems is more effective than relying on blacklisting and whitelisting technologies alone.


Anonymous (https://www.blogger.com/profile/03498087878134113709), 2011-06-30 10:17 -04:00

Dude, you really need an editor/proofreader. There's a boatload of crap there that didn't make sense.


mharrison (https://www.blogger.com/profile/08435273883585898743), 2011-06-30 10:06 -04:00

One important thing to remember is that the bad guys only have to be right once and they have the keys to the kingdom. Internal corporate security has to be good enough to be right a large enough majority of the time to offset that.


MinDale (https://www.blogger.com/profile/17704268420981282672), 2011-06-28 22:25 -04:00

Another slightly less showy solution for physical penetration: put a smart phone and a spare battery in a cargo envelope. FedEx it to someone on vacation inside the facility. Track it using GPS; when it's there, connect to the system via the cell network, turn on the wifi and fire up a VPN. Poof, and not nearly as obvious as a parachute!


OziWan (https://www.blogger.com/profile/02508550492748359125), 2011-06-28 17:41 -04:00

It is not that I disagree with what you say, it is only the context in which you write: the latest script kiddie group intent on changing the world.

Sites that had done the basics correctly would have had nothing to fear from LulzSec. They have mostly used SQL injection attacks (via the infamous Persian carrot) that any decent penetration tester should have found.

Sure, they own a few routers for cloaking purposes and bouncing, but in the end what they did was simple stuff, and that only makes it worse.

Even if you widen the context and look at CitiBank and Sony, once again: simple attacks, requiring little skill. It is frankly amazing that people in the security arena (and I do not mean you) continue to act as if something surprising or earth-shattering has happened.

Do the simple things right and you can start concentrating on the nasty stuff, which is (with or without tooling) difficult to defend against.


ReverendTurner (https://www.blogger.com/profile/18325340061321446724), 2011-06-28 08:42 -04:00

I agree with you 100%, Dave. It's about time someone spoke up about the inadequate Information Security within A LOT of organizations.

I've seen Information Security improve 10-fold since I first used my 300-baud modem to call 1-800 numbers and simply type: operator / operator or root / root

But even with such improvements (policies, technology, tools, etc.), there are still many organizations with networks that carry TOO much accepted risk.

Why? Various reasons... Lack of understanding of their true risk acceptance; lack of money; lack of expertise, etc. The list goes on.


Bleenq (https://www.blogger.com/profile/11198231171979305456), 2011-06-27 17:25 -04:00

I would disagree slightly ... I think the fault starts with the IT organization's inability to understand how significant the network is and how important it is to staff competent network engineers. 99.9% of the corporations I've dealt with did not staff a network engineer; they relied on their standard IT folks to deal with network issues, and had leadership whose own lack of networking knowledge led to the disgraceful state of their networks.


dre (https://www.blogger.com/profile/17414510788948258195), 2011-06-27 15:46 -04:00

Yes, if more money is going to be spent -- it's going to be on the new whiz-bang product that "prevents all LulzSec and Anonymous hacks 100 percent of the time". In reality, these magic silver bullets will actually create new problems that reduce security -- the effects of which will probably be recognized anywhere from 3-12 years from now.

Also -- a free (especially illegal) penetration test is always a bad penetration test for both parties involved. It's especially bad for the penetration tester when he or she gets entangled in the legal system related to criminal charges. It's also bad for the target when the target's general counsel gets entangled in the legal system related to data breach exposure. Even if neither party has any legal issues directly to attend to, they certainly will be spending time preparing to NOT have legal problems, which basically amounts to legal problems.