WE NEED SECURITY PROS ZOMGWTFBBQ

Started by deanwebb, April 17, 2015, 09:23:11 AM


wintermute000

Quote from: that1guy15 on April 17, 2015, 01:07:56 PM
From what I have experienced, security will always be second (or lower) priority to business. So a perfectly good security plan will always be screwed up by management. Then when something happens you and your team are to blame since you wear the security badge. Nope, no thanks

Yep, that about sums it up. Expediency wins every time, until there is a breach, then it's security's fault.

Also, yeah, the mundane side of it is mind-numbingly tedious, not to mention exasperating to explain to n00bs (I recall having a long argument with an HP offshore team because they didn't understand the concept of stateful firewalls and kept wanting return ports explicitly opened up, even when I pointed out that the return packet's destination port would not use the 'application port'... even after telling them to google sockets).

You can't pay me to go over to Sec, and believe me, recruiters try all the time. It's this CCNP Sec that I've pretty much half forgotten...

Fred

Quote from: hizzo3 on April 20, 2015, 08:05:06 PM
http://www.businessinsider.com/amazon-hit-with-91000-faa-fine-2014-4
I'm sure that is the same argument used in this instance. How much can they still make money before they bring down a plane full of people or a cargo plane in a city?
A lot of risk management is intangible that still must be factored somehow.
Yep. You have to figure out a way to apply figures to those intangibles. In general, I find the more intangible, the more the likelihood drops. And I suspect from your article that the $91,000 they had to pay probably reinforced their decision rather than changing the equation.

Quote from: that1guy15
From what I have experienced, security will always be second (or lower) priority to business.
Is the suggestion that security should be the #1 priority to business?

deanwebb

Until a time arrives when a security breach is no longer a cost for a business, but a game-ender for a business, security will take a back seat.

Lost 100 million accounts? Thank goodness we got 700 million more... but if a hacker shuts down a critical router, it's basically an RMA for a resolution. When a security breach leads to loss of life or destruction of facilities, then it's no longer just a money cost to fix things. Stuxnet has been that threat for Iranian nuclear research facilities, but not much of a news item elsewhere. Even if it's because other Stuxnets are kept hush-hush, the perception is generally that it's not an issue.

Hit government facilities or specific targets such as power stations or dams, then it's seen as an issue only for those sectors.

If malware could actually transfer ownership of a company from a group of shareholders to an anonymous foreign identity, basically pulling off a *corporate* identity theft, then security would move to a #1 spot. I suppose other death knells would be a hijacking of the purchasing invoice system, sending out orders to a zillion vendors all at once. If vendors are part of the scam, then they would demand payment or file a suit claiming the company is in default on its obligations, which would create a credit nightmare for that firm, and that can shut its doors. The "vendors" would exist not to do business, but to be shell companies to participate in the takedown of a rival.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

config t

:matrix:

Please don't mistake my experience for intelligence.

deanwebb

That's the sort of thing that, for now, stays academic. Honestly, why a nutcase extremist organization hasn't taken to stuff like this absolutely amazes me.

Consider: this guy was known only because he tweeted about it. Imagine if [DISCUSSION OF CLANDESTINE CRIMINAL ACTIVITY - I self-edited this - but it's quite ingenious if I say so myself], well that creates a huge safety concern that could be a signal of a very rough time for that airline.

What to do with that information for the hacking group attacking the airline is then their next question. If they want to take credit, then they should also publish how they did it so that all airlines around the world are faced with either instantly securing all their flight systems or banning use of all electric devices - employing EM sweepers to see if any are on. Even a shielded device would reveal itself with wireless communications, so that would be highly effective. It would also be highly annoying. Recall that smoking wasn't banned on flights until after computers made an entrance... so imagine NYC-LA six-hour flights with no smoking and no electronic devices... inflight entertainment would have to be kept shut off so that the EM sweeper could make proper report of threats. No texting on the tarmac, either. You get to use your device once you're in the airport, not a minute sooner.

If the group does not take credit, then they can keep doing those kinds of moves until caught. Then, do as above. Big reveal, neener neener neener, airline industry takes a huge whack.

At any rate, devices are made to work, not to be secure. That is a huge hole and it will bite us hard in the backside one day when someone figures out exactly what to do with that hole.

Perhaps the hacking money is better in organized crime, which has an interest in keeping hosts alive while they leech profits off of them.

One thing that bothers me in general about airport security is how [ANOTHER DISCUSSION OF CRIMINAL ACTIVITY, THIS TIME OVERT]. I mean, all a group of guys has to do is [CONTINUED DISCUSSION OF CRIMINAL ACTS] and then every flight at that airport would be grounded, all because of a couple of guys in pickup trucks with [ILLEGAL STUFF HERE, TOO]. Conversely, a guy could show up with [I REALLY SHOULD STOP DISCUSSING CRIMINAL ACTIVITY IF I DON'T WANT TO WIND UP BANNING MYSELF] and that's all she wrote for the [REALLY SHOULDN'T MENTION THIS PART, EITHER].

I leave unsaid things that could threaten forum members' security clearances, but I make redacted reference to them to show that there is a huge difference between actual security and security theater - acts that are done to make us think we're secure. I once entered the Holocaust Museum in Paris and faced a security check way more stringent than any airport screening. That was some serious business security. I know that many companies probably go for the appearance of security first and then worry about spending enough for actual security as an afterthought.

Fred

Quote from: deanwebb on April 27, 2015, 11:56:55 AM
Until a time arrives when a security breach is no longer a cost for a business, but a game-ender for a business, security will take a back seat.
And I honestly see it going the other way. We are going to make it so that security breaches aren't as big a cost for business, and security will take a further backseat.

Make it traceable and retractable. It almost is already. A huge amount of fraudulent transactions are currently stopped before anybody has actually gained anything. This is what's going to get stronger: detection and response. Prevention is a loser's game: the good guys have to plug every hole, while the bad guys only have to find one. To stop this, we need to have recourse after the bad guys found it. 

hizzo3

Companies have already looked into and purchased a variety of cyber policies.

routerdork

Quote from: hizzo3 on April 29, 2015, 03:56:34 PM
Companies have already looked into and purchased a variety of cyber policies.
This should be moved to the joke thread. :banana:
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

Otanx

Quote from: Fred on April 28, 2015, 10:38:46 PM
Quote from: deanwebb on April 27, 2015, 11:56:55 AM
Until a time arrives when a security breach is no longer a cost for a business, but a game-ender for a business, security will take a back seat.
And I honestly see it going the other way. We are going to make it so that security breaches aren't as big a cost for business, and security will take a further backseat.

Make it traceable and retractable. It almost is already. A huge amount of fraudulent transactions are currently stopped before anybody has actually gained anything. This is what's going to get stronger: detection and response. Prevention is a loser's game: the good guys have to plug every hole, while the bad guys only have to find one. To stop this, we need to have recourse after the bad guys found it. 


I am not sure what you mean by "make it so that security breaches aren't as big a cost for business"; how do you do that? The only thing I can come up with is cyber insurance, or regulation. Cyber insurance just helps with part of the cost to business, and as the cyber insurance industry grows, the insurance companies are going to require some level of security and audits, which will actually help secure companies. Regulation or laws limiting the liability that companies face because of a breach also only cover part of the cost. You still have the loss of reputation, etc., which will lead to loss of customers.

On your second paragraph, I agree detection and response is the important part, and prevention can never be perfect. However, prevention should not be ignored. You still need to patch known vulnerabilities, encrypt data at rest and in transit, use two-factor authentication, etc. To get better at detection and response, however, there needs to be sharing of data. If company A gets hit by an attack, detection gets easier if they tell companies B, C, and D how the attack happened. Right now there is no incentive for company A to release that information, especially if companies B, C, and D are competitors. That just gives them an advantage over company A, and so it is actually in the best interest of company A to not share that data, and hope the other companies get hit and also have to pay the cost of recovery. I am not even getting into the weeds and talking about the lack of a good framework for sharing threat information that could be used to automate detection/response.

-Otanx

NetworkGroover

Quote from: Otanx on April 30, 2015, 09:43:56 AM
Quote from: Fred on April 28, 2015, 10:38:46 PM
Quote from: deanwebb on April 27, 2015, 11:56:55 AM
Until a time arrives when a security breach is no longer a cost for a business, but a game-ender for a business, security will take a back seat.
And I honestly see it going the other way. We are going to make it so that security breaches aren't as big a cost for business, and security will take a further backseat.

Make it traceable and retractable. It almost is already. A huge amount of fraudulent transactions are currently stopped before anybody has actually gained anything. This is what's going to get stronger: detection and response. Prevention is a loser's game: the good guys have to plug every hole, while the bad guys only have to find one. To stop this, we need to have recourse after the bad guys found it. 


I am not sure what you mean by "make it so that security breaches aren't as big a cost for business"; how do you do that? The only thing I can come up with is cyber insurance, or regulation. Cyber insurance just helps with part of the cost to business, and as the cyber insurance industry grows, the insurance companies are going to require some level of security and audits, which will actually help secure companies. Regulation or laws limiting the liability that companies face because of a breach also only cover part of the cost. You still have the loss of reputation, etc., which will lead to loss of customers.

On your second paragraph, I agree detection and response is the important part, and prevention can never be perfect. However, prevention should not be ignored. You still need to patch known vulnerabilities, encrypt data at rest and in transit, use two-factor authentication, etc. To get better at detection and response, however, there needs to be sharing of data. If company A gets hit by an attack, detection gets easier if they tell companies B, C, and D how the attack happened. Right now there is no incentive for company A to release that information, especially if companies B, C, and D are competitors. That just gives them an advantage over company A, and so it is actually in the best interest of company A to not share that data, and hope the other companies get hit and also have to pay the cost of recovery. I am not even getting into the weeds and talking about the lack of a good framework for sharing threat information that could be used to automate detection/response.

-Otanx

Cyber insurance... sounds like you just came up with a new business!
Engineer by day, DJ by night, family first always

Otanx

Quote from: AspiringNetworker on April 30, 2015, 10:30:56 AM
Cyber insurance... sounds like you just came up with a new business!

I wish. It has been around for a few years. It got a big boost after the Target, Home Depot, Sony, etc. breaches.

-Otanx

Fred

Quote from: Otanx on April 30, 2015, 09:43:56 AM
I am not sure what you mean by "make it so that security breaches aren't as big a cost for business" how do you do that?
What if we could find ways to make sure that the person who uses a credit card can be affirmatively identified? Then it doesn't matter who steals my credit card, that person is going to be caught. This would also make the stolen credit card worthless. That's another tough and expensive problem, but it may be an easier and cheaper one than preventing every possible method by which a credit card could be stolen.

deanwebb

Even if there's full validation of who is the right person to use the card, card readers can be hacked to have more than one reading "bump" in them, with the second reader leeching power from the main device and sending info to a Raspberry Pi box on the local guest network.

PROTIP: Before you run your card through a self-swipe scanner, make sure there's only one bump in the card reading slot. If there's more than one, you just saw something, so say something.

deanwebb

Back on topic, we *still* need people to fill in security roles. While I like to think of security as a good entry-level opportunity for people I know that are getting started in networking, I'm not thrilled that security roles are going to be going to lots of entry-level people for some time to come. I know that's the only way to get seasoned professionals, if they start somewhere, but that's just it. There's either a vacancy or a new kid in a lot of security roles, and that means there are lots of firms out there that are getting compromised good and hard. I just hope I don't do business with them... but I probably do...

Otanx

It is going to be hard for a few years on the security front. There are a few ways to handle this. One is to train from the ground up. This is the longest path, but probably the easiest. There are a lot of new IT guys who want to do security because it is seen as a high-paying growth sector of IT. You just have to weed out the ones who are not really interested and just want a paycheck. The speed of change in security is too fast for the 9-to-5 guy to keep up with. If you don't want to learn off the clock, you will fall behind. Another way to address the shortage is to get seasoned IT guys who want to move to security. They can have any background: network, systems, DBA, anything. Give them some training on security, and adjust how they think from "make it work" to "make it secure". Of course these guys will want bigger paychecks, and changing the mindset of working over security may be hard. However, this lets you jump over the entry level and get some mid-range security pros quickly. The real answer is a mix of both of those, and probably other methods I have not even thought of.

-Otanx