Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Former NSA Honcho Calls Corporate IT Security "Appalling"

samzenpus posted 1 year,22 days | from the is-that-better-than-terrible? dept.

Security 174

Nerval's Lobster writes "Former NSA technology boss Prescott Winter has a word for the kind of security he sees even at large, technologically sophisticated companies: Appalling. Companies large enough to afford good security remain vulnerable to hackers, malware and criminals because they tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats, Winter said during his keynote speech Oct. 1 at the Splunk Worldwide User's Conference in Las Vegas. 'As we look at the situation in the security arena we see an awful lot of big companies – Fortune 100-level companies – with, to be perfectly candid, appalling security. They have fundamentally no idea what they're doing,' Winter said, according to a story in U.K. tech-news site Computing. During almost 28 years at the National Security Agency (NSA), Winter established the spy agency's Technology Directorate and served as the agency's first CTO. He also held positions as the NSA's CIO, its deputy chief of Defensive Information Operations and, oddly, as chief of Customer Response. He is currently managing director of Chertoff Group, the strategic management and security consultancy established by Michael Chertoff, secretary of the Dept. of Homeland Security under Pres. George W. Bush and co-author of the USA Patriot Act."

Sorry! There are no comments related to the filter you selected.

I can confirm this (4, Insightful)

Anonymous Coward | 1 year,22 days | (#45022359)

In companies great and small, a long history of appalling lack of and apathy for security. Goes back 30 years. Unfortunately I have to say so anonymously.

Re:I can confirm this (5, Insightful)

phantomfive (622387) | 1 year,22 days | (#45022393)

In my experience, it's much more rare to find a company that knows about security than to find one that doesn't.

Most of them don't. Sometimes the companies that do know just consider it a risk of doing business, easier to pay when things go wrong than to try to secure it. An example of this is credit card companies. Bruce Schenier points out that he would never trust a credit card online because of the security holes, except they promise to reimburse him when things go wrong.

Re:I can confirm this (4, Insightful)

hairyfeet (841228) | 1 year,22 days | (#45022599)

Its really simple, REAL security costs good money, takes real time and effort and doesn't show immediate results on the bottom line so most companies? Just don't give a fuck. Call it "the rise of MBA (Major Buffons and Assholes) culture" or the "fuck everything but the quarterly earnings!" attitude or anything you like, if it doesn't show profits quickly? they don't care. See how frankly piss poor IT is treated by many corps, "cogs that suck money and don't generate profits" seem to be the way most PHBs treat IT, which is always underfunded, understaffed, and overworked.

Even with the downturn i don't think I could go back to dealing with that bullshit, I'd play C&W in a shitty redneck bar before i go back to the bad treatment and constant headaches that is IT in most of the big firms I've seen. There is ZERO loyalty, you could put in 80 hour weeks and they'd fuck you over or outsource your job the second they get a chance, and no matter what you do its not good enough....fuck that. If its like the way it was when i was working corporate, and I've seen nothing to make me think it isn't, its no wonder the security is poor, most are so overworked they are too busy fighting fires or worrying about whether their job will be sent to India or given to an H1-B to spend any real time worrying about security. and of course if you actually DO make changes that increase security? You'll have a dozen PHBs screaming at you because the ipad they picked up over the weekend doesn't magically work when they walk into the building. i wouldn't take another job in corp IT for all the tea in China, no way.

Re:I can confirm this (0, Offtopic)

Anonymous Coward | 1 year,22 days | (#45022637)

Re:I can confirm this (1)

AHuxley (892839) | 1 year,22 days | (#45022657)

http://www.wired.com/wired/archive/7.03/punchcards.html [wired.com] seems to offer some historic insights too.
Keep it all working at the lowest cost for the shareholders. Then you have the rush to the not so safe or cheap cloud, web 2.0 and vision of one skilled non union person with a laptop doing a lot of remote work.
Its seems a cute list of mission statements: protect from outside data threats, protect from inside data threats, made web 2.0+ work, make the cloud work no matter the costs or network holes, keep the old system running to save costs.

Re:I can confirm this (4, Insightful)

phantomfive (622387) | 1 year,22 days | (#45022667)

Even with the downturn i don't think I could go back to dealing with that bullshit, I'd play C&W in a shitty redneck bar before i go back to the bad treatment and constant headaches that is IT in most of the big firms I've seen.

Become a security consultant and charge four times as much. Then you can make money off their foolishness. The more foolish they are, the more you make. The less foolish they are, the more you help them.

Re:I can confirm this (4, Insightful)

wisty (1335733) | 1 year,22 days | (#45022825)

It's not about "real security" (which is too nebulous). They do make an effort, and spend lots of money ... on a big firewall to protect the whole org.

It's about protecting specific assets. For example, you can take the whole NSA offline, which is a fantastic moat. But if one single insider can get root access to basically anything he wants, it's not protecting core assets.

Most businesses are even worse - high risk assets can be sitting on a shared drive where everyone in the company can access them.

Re:I can confirm this (5, Insightful)

TheSeatOfMyPants (2645007) | 1 year,22 days | (#45022889)

There is ZERO loyalty, you could put in 80 hour weeks and they'd fuck you over or outsource your job the second they get a chance, and no matter what you do its not good enough.....

That's the corporate world regardless of what department someone is in. It's one of the big reasons that life here in the USA has changed for the worse, as the detrimental effects of living that way eventually invade just about every other aspect of daily life. Hard to care what happens to other people/families when some part of you is persistently fatigued from overwork/stress & worried that you could easily wake up tomorrow to find yourself unemployed and fighting for anything that might pay the bills...

Re:I can confirm this (2)

dkleinsc (563838) | 1 year,22 days | (#45023557)

It's one of the big reasons that life here in the USA has changed for the worse, as the detrimental effects of living that way eventually invade just about every other aspect of daily life.

Interesting related stat: Most employers now routinely expect that employees will be paying attention to and responding within the hour to work email at almost all times of all days. According to this article [aol.com] , Americans work about 10% overtime, completely unpaid, doing this.

Re:I can confirm this (4, Interesting)

aaronb1138 (2035478) | 1 year,22 days | (#45022931)

Don't forget the part where the MBAs aren't even afraid of security issues coming back to bite them. If the issues snowball hard enough, they just go on a huge spending spree for 6 months, bankrupt and phoenix the company. Ignoring security and legal liability in general has become status quo because being responsible has a negative cost to benefit ratio especially compared to the government backed reincorporation procedure.

Re:I can confirm this (2)

TheP4st (1164315) | 1 year,22 days | (#45023065)

REAL security costs good money, takes real time and effort and doesn't show immediate results on the bottom line so most companies? Just don't give a fuck. Call it "the rise of MBA (Major Buffons and Assholes) culture" or the "fuck everything but the quarterly earnings!" attitude or anything you like, if it doesn't show profits quickly?

Even cheap and simple but crucial security such as verification of a user before password reset for windows login, VPN, operation crucial applications and so on were not part of standard operating procedure at a company with an annual revenue of more than USD90 Billion that I worked at some time ago. Worse yet, no verification procedure were in place at all!
When I questioned the rational behind this I never got an actual answer but it were implied that the senior executives found such procedures inconvenient, probably as the PHBs barely could remember their own Windows user name let alone a password for more than a couple of days and being confronted with a verification procedure would apart from being a nuisance also hurt the fragile PHB ego i.e. "Minion how dare you not recognize my voice that you've never heard before!". Combine that with an IT Security department that's incapable of selling the importance of such basic essentials and you have a recipe for disaster.

Re:I can confirm this (2)

DarkOx (621550) | 1 year,22 days | (#45023219)

This is a very good point for very little investment most companies could dramatically improve their security posture without much if any new technology. Simply teaching HR and Helpdesk staff to use good procedures are identity management / verification and making sure HR communicates effective with operations either manually or thru automation to disable or delete accounts when employes leave the company for any reason.

No fancy firewalls or multifactor whatevers will protect you if valid authenticators are running around in possession of people who should not have them.

Re:I can confirm this (0)

Anonymous Coward | 1 year,22 days | (#45023165)

Bitter much?

MBA's look at numbers. Some even have a technical background. While their priorities may be wrong, its an MBA's job to optimize the system for the defined goals. If you want to point the finger, point it at those who set the goals. Name shareholders who demand quarterly profits. If you change their demands to long-term sustainable profits with a minimal level of acceptable risk, then you'll get MBA's who take IT security seriously enough because of its ability to reduce risk to an acceptable level in order to secure long term profits.

Otherwise you'll have to live with optimizers who refuse to spend money on something that might prevent an event far in the future and would rather give that money back to the shareholders now.

Yes MBA's are ruthless. Use that to your advantage and you'll be far happier. e.g. at my company I'm responsible for the long-term health of all our product lines ($80m in business per year). We measure value delivered in years. Our goal is to maximize customer lifetime value. That means for some situations getting as much out of the customer as possible in the short term (single transaction products), but in others delivering the highest value possible for as long as possible (recuring purchase products and services) and capturing as much of that value as we can. This currently means our customer lifetime value is 7 years and growing on those products where we optimize for the long term goal. This also means we invest in infrastructure of which security is a major part (roughly 1/2 our budget is IT related).

You need to have a discussion with your primary shareholders about the goals of your company. Not point the finger at Major Buffoons and Assholes (BTW spell Buffoon right if you're going to spew vitriol). Also a real MBA will also do the same to another MBA as what you're describing happens in the corporate world. And a really good one will do it to himself. Once an MBA stops adding value equivalent to what he gets paid, he should remove himself from the equation. Just as he'll remove an IT colleague from the equation when he stops reducing/maintaining risk to/at an acceptable level.

Re:I can confirm this (-1)

Anonymous Coward | 1 year,22 days | (#45023171)

Its really simple, REAL security costs good money, takes real time and effort and doesn't show immediate results on the bottom line so most companies? Just don't give a fuck. Call it "the rise of MBA (Major Buffons and Assholes) culture" or the "fuck everything but the quarterly earnings!" attitude or anything you like, if it doesn't show profits quickly? they don't care. See how frankly piss poor IT is treated by many corps, "cogs that suck money and don't generate profits" seem to be the way most PHBs treat IT, which is always underfunded, understaffed, and overworked.

Well, what do you think ITs role is in most corporations? Your expectations are too high. IT is like plumbing, when it works, nobody cares or notices, when it doesn't everything stinks and the persons responsible better run. In most cases IT doesn't produce money, just like plumbing it only costs money. Adding more security is like adding fingerprint readers to toilet doors, it's kinda ok until it fails when you gotta go.

Re:I can confirm this (0)

Anonymous Coward | 1 year,22 days | (#45023327)

Not every business needs NSA level security.
And the rest of your post sounds like a whinge against globalisation more than anything specifically security related.

And then there are the people. . . (2)

Salgak1 (20136) | 1 year,22 days | (#45023451)

. . . .who want exceptions carved out, just for them.

Like the C-level people who "need" Facebook and Twitter.

Like the General Counsel who don't want to use the document check-in/check-out system, and THEN complain about losing files.

I could go on, but I'm sure the vast majority of us have had to deal with similar issues. . .

My experience is slightly different. (4, Insightful)

khasim (1285) | 1 year,22 days | (#45022723)

In my experience, it's much more rare to find a company that knows about security than to find one that doesn't.

In my experience it is more about the managers and CxO's viewing it as a status issue. They are so important that they cannot be hampered by the demands of the lowly IT people. And the same goes for their people.

Security is IT's problem and if something goes wrong then it is the IT people who will be fired. Starting with the ones who were the loudest about there being a problem in the first place.

After all, other companies don't have those problems. So it must be because the IT people are incompetent.

Re:I can confirm this (4, Funny)

symbolset (646467) | 1 year,22 days | (#45022765)

In my experience revealing what you really know about systems security is a guaranteed way to lose the job interview if you have any clue at all. The only way to help an organization get real operations security is to worm your way in under false pretenses and then gradually migrate them to a secure position. An MCSE cert helps here, as it drives away suspicion that you might actually know what you're doing.

Re:I can confirm this (4, Interesting)

JaredOfEuropa (526365) | 1 year,22 days | (#45023033)

In my experience it is rare to find a company that does IT well in general. Many aspects of IT are hard (including security), and hard to run well as an assembly line, i.e. managing by job compartimentalization, dashboards and processes (management "by the numbers"). I'm not sure why that is, but I often see two areas where IT does very, very poorly compared to other technical or engineering functions.
1) Poor middle management. Many of them are either IT people with poor management skills, or good general managers with no IT skills.
2) Failing talent management. Failure to attract top people, no coaching, poor training, lack of talent recognition (I don't just mean good pay, I mean knowing who your best people are and allocating that talent accordingly), and lack of a decent technical career ladder.

The biggest challenge in IT is not technology, and it hasn't been that in ages. It's management, or rather: figuring out how to do IT well, how to organize it.

Re:I can confirm this (4, Interesting)

Tom (822) | 1 year,22 days | (#45023227)

In my experience, it's much more rare to find a company that knows about security than to find one that doesn't.

They are actually pretty easy to find.

If they have more than about 500 employees, check if they have an official IT security position. Might be some guy doing other stuff in addition, but he's got to be the official IT security guy.

If they have more than about 1000 employees, check if they have an IT security department with at least one full-time employee.

If they have more than 2000 employees, check if they have a CSO or CISO.

If they have, you just need to verify that it's not an alibi position to satisfy some compliance rules. If they don't have, you already know they got no clue.

Business can always be estimated by checking if they commit to a regular expense on a topic. Occasional security checks mean nothing, they're usually done when someone needs to cover their asses. A permanent financial commitment is the only thing that means something in a business context.

Re:I can confirm this (1)

erroneus (253617) | 1 year,22 days | (#45023125)

It's not so much knowing about security as it is jackass leadership who do not want to deal the the hassle. Good security is usually very inconvenient and sometimes requires them to learn or understand something. That's more than they can handle.

No Shit, Sherlock (5, Funny)

thatkid_2002 (1529917) | 1 year,22 days | (#45022371)

Given that half of Slashdot works in corporate IT I'm sure we're all shocked by this announcement.

Re:No Shit, Sherlock (5, Informative)

Kazoo the Clown (644526) | 1 year,22 days | (#45022467)

You got that right. Security is hard. Security is expensive. Security does not improve profits (as long as they continue to be lucky). The company that spends money on security while their competitors are not, will lose out. Therefore, who needs it? There's no sense of living dangerously without some really spectacular examples...

Re:No Shit, Sherlock (5, Insightful)

InTheSwiss (3080759) | 1 year,22 days | (#45022757)

Having worked at several blue chips all anybody cares about is the appearance of security (i.e. security theatre) enough to cover them for audits and compliance. There is no real security in place in most places. Like you say security is hard and expensive. They don't want to make life harder than the minimum.

Re:No Shit, Sherlock (0)

Anonymous Coward | 1 year,22 days | (#45022863)

Question is whether this will be followed by a magic silver-bullet software co-authored by (ex-) NSA techs as a solution to all corporate IT security problems. Then they have a redundant corporate espionage system even if PRISM were to be ever "decommissioned".

I'm not saying that the internet is secure from NSA if PRISM were to be dismantled (no such thing will happen IRL). Such a "corporate security" product will probe the intranets.

Unlimited capacity for corporate blackmail - for corporations who don't obey the Diktat of the Party ... oops sorry... Govt.

So the few corporations that rule will control all others that don't rule.

Behold the formation of the United State Korporations of Amerika being completed.

But it does improve profit (1)

dutchwhizzman (817898) | 1 year,22 days | (#45022865)

Security done right improves profit. How? Because you go over a functional model of your IT systems as well, to find flaws in the logic that can be abused. You find bugs that cost you money and you get those solved. Research has proven that you can actually more than get back the cost of spending money on good security and turn a profit by having less bugs and flaws in your systems. This does not apply to token efforts and buzz ware, but there's a way to do this properly.

Re:But it does improve profit (1)

hairyfish (1653411) | 1 year,22 days | (#45023395)

What exactly is security done right? Seriously I've never seen it and I've worked the full gamut of small mum and dad businesses to security cleared govt agencies. "Security is an illusion; life is either a daring adventure or nothing at all"

Re:No Shit, Sherlock (2)

xelah (176252) | 1 year,22 days | (#45023127)

I suspect there's more to it than that. Every now and then, after some sort of crisis, companies do actually give it a try anyway and fail. And it isn't even all that expensive to take many neglected security measures. Instead, I think that you have to look at the goals of people involved, and what does and doesn't give them a sense of achievement. Managers want to push through their latest project, developers want to finish good quality software with some neat new design, salesman want to close the next deal, and so on. Not just management recognition, but personal satisfaction comes from doing those things, and not from doing them securely. Security is a distraction and barrier between them and what they want to achieve, not something to be proud of.

Re:No Shit, Sherlock (5, Interesting)

girlintraining (1395911) | 1 year,22 days | (#45022555)

Given that half of Slashdot works in corporate IT I'm sure we're all shocked by this announcement.

Yeah, and we all know who to blame. (looks ominously upward) The irony here is that corporate IT is even more into surveillance and CYA than the former NSA guy is. I mean, the NSA has rules and shit to follow. Management at a company these days is like to be all "Yo, we do whatever we want. You dun like it? Dere's da fuckin' door." (sorry, Jersey accents are really hard to do on slashdot forum posts)

As an experiment I once sent an e-mail out from my last employer containing about 5KB of randomly generated gibberish to an e-mail address setup that had never been used before on a server that didn't have an SMTP server prior to the test balloon. Over the next three days, this previously unused and unloved honeypot got dozens of pings from the corporate network from people trying to login to the SSH, poke at the SMTP server, looking for web services. I sent it from a gmail account specially setup ahead of time, then logged in over a supposedly secure 'ssl' connection.

Similar has happened at 7 out of 10 employers I've worked for. They don't just monitor all your stuff...they actively go out and fuck with it. And the only reason this isn't a problem is because they're so terrifyingly bad at it.

Re:No Shit, Sherlock (1)

AHuxley (892839) | 1 year,22 days | (#45022605)

Yes you have some very interesting insights.
From the US gov down you have a defective crypto/telco network, big brands working to decrypt, handing over users data vs dreamy legal teams and reassuring privacy statements.
As for "monitor all your stuff" the internal security of many firms would have a few issues to watch for:
Contact with the press, headhunting (recruitment by another firm), union activity, environmental activism, contact with state or federal regulators, academic 'tell all' books, foreigners, faith, entrapment/blackmail.
That home phone and internet, cell phone might be fair game depending on the clearance level, or projects done by other distant divisions or parent company :)

Re:No Shit, Sherlock (1)

dbIII (701233) | 1 year,22 days | (#45022925)

Ah yes - the "we own you" shit that backfires because smaller places that treat their workers like human beings can get more done.
I'm very happy that I left such a micromanaged morass for a place where "union activity, environmental activism, contact with state or federal regulators" doesn't matter to the bosses since they don't have a huge cupboard full of skeletons.

Re:No Shit, Sherlock (1)

khasim (1285) | 1 year,22 days | (#45022741)

I sent it from a gmail account specially setup ahead of time, then logged in over a supposedly secure 'ssl' connection.

So the company you worked for was able to crack the SSL encryption for Google?

Because otherwise the connection should have shown ONLY that it was connected to the gmail server.

Once it was delivered to the gmail server THEN Google would have tried to deliver it to the destination. There should not have been any way (aside from cracking Google's SSL connection) that the company could read the final destination on that message.

Re: No Shit, Sherlock (0)

Anonymous Coward | 1 year,22 days | (#45022783)

this is usually done by pushing an update with their own certificate authority onto your company owned machine. it's obvious that it's being done but as an employee you have no say in the matter.

Re:No Shit, Sherlock (5, Insightful)

The_Other_Kelly (44440) | 1 year,22 days | (#45023105)

Actually Man-in-the-Middle transparent proxies, which intercept
and monitor SSL/TLS traffic, are now standard in most corps.
You don't get a browser alert since the corporate "fake" CA
is pre-installed as trusted in your browsers by the corp's IT.

So, yes, basically ... there *is* no encryption and they look
at everything.

Oh! And using Cisco "policy based routing", or WCCP2 or
other networking mojo, you cannot decide to skip the proxy,
from your client.

And ... using Deep Packet Inspection, the protocol will not
just be matched versus the destination port, so your genius
attempts to ssh to your external server running on tcp/443,
will not only be blocked, you will be flagged and tagged.

Solution? Just use your own equipment with either built
in 3/4G connections, or just tether across your personal
phone.

Caesar and Rome ...

Re:No Shit, Sherlock (2)

symbolset (646467) | 1 year,22 days | (#45022845)

Look, none of the people actually know. They can sell solutions but not understand them. When Intel bought McAffee I cried because it implied even Intel didn't understand.

SO WHY DID IT TAKE A SNOWDEN . . . !!` (1)

Anonymous Coward | 1 year,22 days | (#45022383)

when this guy could have done it long before ?? He is a traitor to the American people !! Turn your backs !!

Re:SO WHY DID IT TAKE A SNOWDEN . . . !!` (4, Insightful)

thesupraman (179040) | 1 year,22 days | (#45022557)

It seems we are taking the position of a man who was part of an active and systematic attack on the security of network infrastructure through planned back dooring, lowering of quality of encryption systems, and intentional hacking?

Really? its the corps fault they are not secure, considering what the NSA has been up to?

Perhaps they should have spent 10% of the effort on informing corps of the holes they found instead of just squirreling them away i the grab bag of dirty tricks.

If suddenly matters so much, then please, make public the details of ALL known security holes, and inform all victims of the backdooring done to their systems..

No? Thought not..

So if Snowden can get at the NSA (2)

dutchwhizzman (817898) | 1 year,22 days | (#45022871)

So if Snowden can get at the NSA and the NSA calls companies weak, imagine how bad those companies actually are....

Re:SO WHY DID IT TAKE A SNOWDEN . . . !!` (2)

TheSeatOfMyPants (2645007) | 1 year,22 days | (#45022983)

A FSIC judge used that blame-the-victim security logic according to a new interview with Lavabit's ex-owner [arstechnica.com] at Ars Technica, even though the judge wasn't sure if "unencrypted" is even a real word:

[Levison] continued to resist, arguing that by handing over the key, he would be compromising the security of all users. In an August 1 hearing, Judge Claude Hilton said that it was effectively Levison's fault that sites have only a single private SSL key.

"You're blaming the government for something that's overbroad, but it seems to me that your client is the one that set up the system that's designed not to protect that information, because you know that there needs to be access to calls that go back and forth to one person or another," the judge asked Levison's attorney, Jesse Binnall. "And to say you can't do that just because you've set up a system that ...has to be unencrypted, if there's such a word, that doesn't seem to me to be a very persuasive argument."

[sarcasm]Yeah, nothing wrong with being so over-intrusive since it's not like the guy really tried to make it secure...[/sarcasm]

Re:SO WHY DID IT TAKE A SNOWDEN . . . !!` (1)

swillden (191260) | 1 year,22 days | (#45023567)

Really? its the corps fault they are not secure, considering what the NSA has been up to?

Yes, it is.

Oh, the NSA likely would have gotten in anyway, but that's no excuse for the generally lousy state of security in big corporations. I spend 15 years as a security consultant, working with all sorts of big companies -- especially banks, who you'd expect to have reasonable security -- and "appalling" is the word I use also. I once worked with one bank that did a billion dollars a day in wire transfers over an unauthenticated, unencrypted FTP connection. Seriously. The transport was a leased line, not the Internet, but still, that's insane. Appalling doesn't seem quite strong enough.

FWIW, I now work for Google and I'm consistently impressed with Google's approach to security.

Re:SO WHY DID IT TAKE A SNOWDEN . . . !!` (1)

AHuxley (892839) | 1 year,22 days | (#45022625)

The fairy tales of: foreign use only, stockholder legal issues, stock price, privacy legal issues, political issues, the scale of tracking would never work, data sets would be useless, privacy laws, would stop exports, would leak to the press.
Anyone who was smart enough to understand history, their internal networks, links to outside networks and had a basic level of curiosity would have been aware.
To counter that:
You have a mortgage, student loans, taxes, a growing family, real advancement opportunities, expensive hobbies, like sport, might enjoy drinking and have been profiled as been safe as you advance.
You do what your told or risk huge losses.
Snowden gave the world the "citation needed" to speak up, be heard and make real hardware and software changes.

Meh... Pot / kettle, they're both black. (0)

MobSwatter (2884921) | 1 year,22 days | (#45022439)

When military force is authorized against the American people and backed by technical incompetence judicial system in the form of social engineering to back door most every security conscious device/os, then even the super, ultra deluxe, high performance, grand pro NSA hackers resemble Tommy 10 year old script kiddy born of rich family and purchased grades all the way through college now making big decisions that will haunt the people like a really bad case of herpes, kinda like every president's legacy for the last 60 years. Up to bat now: Obamacare. If Obama cared, he would not have promised change, then changed his promise. Bad cop, no doughnut.

Couple Ways You Could Fix That (5, Funny)

Greyfox (87712) | 1 year,22 days | (#45022443)

You could just improve security, but that's hard. Alternately, you could just have such a shitty IT infrastructure that nothing ever works! This has many advantages! Lower IT costs, for one, and servers that are broken are in fact VERY secure! Very, VERY secure! So if you're in IT, next time someone bitches at you about some resource being down, just say it's "security hardening"!

Re:Couple Ways You Could Fix That (0)

Anonymous Coward | 1 year,22 days | (#45023245)

You could just improve security, but that's hard. Alternately, you could just have such a shitty IT infrastructure that nothing ever works! This has many advantages! Lower IT costs, for one, and servers that are broken are in fact VERY secure! Very, VERY secure! So if you're in IT, next time someone bitches at you about some resource being down, just say it's "security hardening"!

You mean corporations should hire Wally?

Maybe it is because, security has no ROI? (0)

Anonymous Coward | 1 year,22 days | (#45022445)

Posting AC, just because... but one thing people forget... security has zero returns coming back.

Or at least this is what the PHBs believe.

Re:Maybe it is because, security has no ROI? (1)

Raven42rac (448205) | 1 year,22 days | (#45022549)

But there is unlimited risk involved.

Re:Maybe it is because, security has no ROI? (1)

AHuxley (892839) | 1 year,22 days | (#45022699)

I wonder what the ROI would have been in consulting a wide range of security cleared legal teams after getting the first NSL? vs:
Gov't: Court should not allow disclosure
http://www.myfoxaustin.com/story/23591839/govt-court-should-not-allow-disclosure [myfoxaustin.com]
The NSL aspects, PR and global branding is getting costly and a bit Kafkaesque.

Re:Maybe it is because, security has no ROI? (0)

Anonymous Coward | 1 year,22 days | (#45022709)

That is no concern. If the company goes belly up, the big bosses just go to some other company with huge bonuses.

Maybe, but . . . (0)

djupedal (584558) | 1 year,22 days | (#45022451)

This view tends to ignore the numbers of self-appointed white hats working inside many corporations that are not directly assigned to corp. security, yet take it on themselves to find and fix various 'holes' . . . quietly help out, without being asked or letting anyone know they've even been involved.

Re:Maybe, but . . . (1)

noh8rz10 (2716597) | 1 year,22 days | (#45022533)

is this a funny? like some keebler elves showing up to clean things up without telling everybody? or sellthe exploits???

Re:Maybe, but . . . (1)

Anonymous Coward | 1 year,22 days | (#45022803)

As one of these "self-appointed white hats" (who probably has more security experience than anyone in the Fortune 100 company I work at), it is getting harder to help. I'm still asked occasionally by IT executives to assist when their oursourced minions get over their heads, and do fix things that appear on my radar in my corner of the company network, but the need to CYA continues to grow as all company resources continue to get shrunk to boost this quarters numbers. The only remaining response to APT is to 'accidentally' reformat all the suspected machines after hours and pretend like nothing happened. There is no interest in fixing anything, or making changes needed to secure anything. I'm glad I moved to engineering, IT and IT security are not careers any longer. The job of security is to maintain theater, and be the designated fall guy when things go wrong.

Re:Maybe, but . . . (1)

The_Other_Kelly (44440) | 1 year,22 days | (#45023139)

You should treasure the fact that you work in an org. where people care enough to even try!
If you are smart, cynical and cunning, (strongly recommended for security professionals!),
you can channel this into a benefit for you, your group and the whole company.

If you "Deputize" the eager-beavers, then it gives you a lot more eyes and ears.
Yes, sadly, you will have the annoying "I Just Read ...." know-it-alls, but even if
the involvement is in reality, an illusion, you still get more back than you invest.

With, of course, the concept of responsibility, focus, and "handover" ...

"Thank you for bringing this to our attention, you are, indeed, so-cool,
and now we can take it further, leaving you to get on with the things the
company actually pays you for ..."

The best example I've ever seen of this, is the Starling speech to the
troopers in the Silence of the Lambs.

A small barrier to entry, to keep out the assholes, is also advised.
A monthly, unpaid, evening meeting for the "security" associates,
with some feedback, news, updates and a doughnut, keeps things
running well.

In the end, as Corporate Security, you can either act like an occupying army,
or a police force that operates with the support of your users.
Treat your users like shit, and they will notice, and they will not have your back.

Of course, this is no guarantee that if you treat them well, they won't
stab you in the back anyway, but ... as a security person, you already know
that you will get to see the worst that people have to offer, ... anyway.

The really cynical would point out that if you really were, an occupying army,
then you should be smart enough to build up your "cadre" of supporters,
without visible points-of-protest, and for "counter-intel" usage ...

Most offices have normal plate-glass windows, too! (3, Interesting)

Tony Isaac (1301187) | 1 year,22 days | (#45022477)

All it takes to break in is a hammer and 10 seconds.

Sure, they could put in bullet-proof glass and high-security doors. But those measures are prohibitively expensive for most businesses, and still aren't foolproof.

The same is true with computer security. There are basic precautions businesses should take, like putting all their equipment behind firewalls, for example. That's the equivalent of locking the front door. But security costs money, and makes life more difficult for those with legitimate access. These considerations must be balanced.

Re:Most offices have normal plate-glass windows, t (0)

Anonymous Coward | 1 year,22 days | (#45022527)

I've seen normal plate-glass windows on rooms with TOP SECRET data and worse. Sort of unattended even, if you don't count a sleepy unarmed guard in an adjacent building. You could have driven a truck up to the window, done a smash-and-grab, and run off with the goodies. There was at least a very opaque curtain.

Not saying where! Security by obscurity seems to be working.

Re:Most offices have normal plate-glass windows, t (1)

phantomfive (622387) | 1 year,22 days | (#45022531)

You are right, but at the same time, there are measures a lot of companies could make that wouldn't cost much money but would improve their security.

Ensuring that input is properly sanitized is one that comes to mind, because I've seen problems with it by people who should have known better. Disabling Java applets by default in browsers is another.

Re:Most offices have normal plate-glass windows, t (1)

Bert64 (520050) | 1 year,22 days | (#45022755)

Unfortunately that seems to be the standard approach, leave your machines terribly insecure and just hide them from the internet using firewalls...
As soon as someone gets a tiny foothold behind the firewall, and there are many ways in which they could do so, everything inside is trivially easy to compromise and very poorly monitored.

Re:Most offices have normal plate-glass windows, t (1)

dbIII (701233) | 1 year,22 days | (#45022943)

Unfortunately that seems to be the standard approach, leave your machines terribly insecure and just hide them from the internet using firewalls

Generally that's required because security is not considered at all by the vast majority of commercial software developers - so if you want to use their stuff it comes with all kinds of stupid open ports and nothing to stop the 1960s exploit of buffer overflows once something starts sending bytes into those ports. Some stuff on MS Windows still needs to be run as "Administrator" when there is no real reason it should.

Re:Most offices have normal plate-glass windows, t (1)

Bert64 (520050) | 1 year,22 days | (#45023537)

Thats a self perpetuating problem... So long as buyers don't reject such software, developers will continue to produce it.

Re:Most offices have normal plate-glass windows, t (1)

Tom (822) | 1 year,22 days | (#45023215)

These considerations must be balanced.

The problem is that they usually aren't. There is a lot of office politics that usually means that the higher up the hierarchy you are, the less secure your computer is going to be. One company I worked for made a company-wide security check and found a number of open, unsecured dial-in modems attached to phone lines on the one side and desktop computers on the corporate network on the other. All but one of them belonged to managers.

Fuck Prescott Winter with a rusty meathook. (-1)

Anonymous Coward | 1 year,22 days | (#45022483)

There are plenty of informed experts who don't have an interest
in selling the services of the company they are involved with, whereas
this article comes off like an ad for this asshole.

Fuck him and fuck Slashdot for posting articles like this.

May you all get rectal cancer this year and die.

PHBs (2)

whoever57 (658626) | 1 year,22 days | (#45022495)

How many vulnerable systems are due to PHBs who don't want to listen to explanations that the remote access or network configuration they want is insecure?

The rest due to incompetent web developers who have no clue how to build secure web apps.

Executive Decision (0)

Anonymous Coward | 1 year,22 days | (#45022501)

If as Mr. Clapper posited earlier that the Federal Shutdown endangers the U.S.A. and all citizens including the armed forces overseas to terrorist attack then there is an Executive Decision to be made.

Under Mr. Clapper's premis the President and all members of Congress have by default committed treason and crimes against the U.S.A. and humanity at large.

Their actions warrant immediate arrest, arraignment and indefinite incarceration while awaiting trial.

The person of interest of the US Federal Government to take action and command is ... Mr. Eric Holder, Secretary General of the Justice Department.

Will Mr. Holder have the balls to arrest President Obama and all members of Congress for immediate execution? :)

Yes, corporate security is appalling, (1)

NikeHerc (694644) | 1 year,22 days | (#45022507)

but corporations, unlike the NSA, generally get their wrists slapped when they attempt to break the Constitution and its amendments.

Clueless. The Constitution does not apply. (0)

Anonymous Coward | 1 year,22 days | (#45022525)

The constitution does not apply to corporations. Go read it. Now it would be logical to conclude that legal entities created, enforced and regulated by the government are an extension of government by run by private parties and therefore they are bound by all the same limitations; but that is not how things are. The government has a history of hiring private corps to do things it can not do and it's only been blocked after long court cases to the 3rd? or was it 4th? party removed. Leaving us open to them circumventing things by going to a 5th party; although, at this point they can just openly break most the rules as long as both parties are good with it (and where it really matters the two parties are functionally the same.)

Re:Yes, corporate security is appalling, (1)

Anonymous Coward | 1 year,22 days | (#45022749)

And when did the NSA has get more than a wrist slap for for their blatant and widespread violations of the Constitution? Have Adm. Clapper and Gen. Alexander been sent to prison for their crimes?

It all boils down to the cost of training (0)

Anonymous Coward | 1 year,22 days | (#45022523)

Training is the most expensive thing for corps, and colleges/trade schools don't get the job done either. When no body is held accountable for the "boogeyman" on the interwebs stealing your info/cracking your system there's really no point in wasting the resources on training personal to prevent it.

NSA Security isn't all that much better. (0)

Anonymous Coward | 1 year,22 days | (#45022535)

We can be quite sure that the one leak we know about is just the tip of the iceberg.

No, really? (4, Funny)

seebs (15766) | 1 year,22 days | (#45022551)

Banks are still using "secret questions" and claiming that's a kind of two-factor authentication. Someone I know was once told by Citi something to the effect of "well, click on the links in the email, and if it gets you to a site with our logo, then it was from us."

And honestly, social engineering is still a huge and very easy target.

Re:No, really? (1)

Anonymous Coward | 1 year,22 days | (#45022693)

I like the tooltip on Blizzards WoW loading Screen, something like:
Official emails will end with the address battle.net or blizzard.com

Seriously WTF?

Re:No, really? (1)

Bert64 (520050) | 1 year,22 days | (#45022767)

Some banks in switzerland actually sign their emails using S/MIME...

Re:No, really? (0)

Anonymous Coward | 1 year,22 days | (#45023439)

... social engineering is still ...

Hmm, where to begin. This is one place where anonymity fails. It would be wonderful if one could instantly tell that bikini-clad selfie was from a fat, 30 year-old man, or that banking password request wasn't from my local bank. The second case reveals why an internet standard is needed for encryption key-chain software and hardware.

TV: "You are watching Fox."
Homer & Marge & Lisa & Bart: "We are watching Fox."
- 'The Simpsons'.

Another reason anonymity fails in cyber-space is because there are no non-verbal cues. Obviously a gifted trickster can beguile or distract enough people in person to make crime pay. But in cyber-space, the limited persona of the written word causes people to assume good intentions. Most people don't have experience in blocking the unknown and nameless 'voice' coming from the email or blog. This means a little distraction goes a long way to ensuring people trust everything they read.

Many people further assume that dishonest and malevolent people suffer a poker game 'tell'. Watch the interrogation scene on any cop-show. On TV, the cop is smarter than the criminal. A gifted trickster, like the TV cop, has more experience in manipulating the conversation and the truth than you. People who think "I'm smarter than a criminal and won't be tricked" are the first victims.

Re:No, really? (4, Informative)

MrNemesis (587188) | 1 year,22 days | (#45023677)

You've been modded funny, but it's more +1 Insightful, -2 Depressing.

I've had several calls from my bank that basically go like this:
GB: "Hello, I'm calling from Generic Bank regarding your account, in order to verify your identity as the account holder can I ask you to confirm your name, date of birth and account number please?"
MN: "Sure"
GB: "..."
MN: "Well are you going to tell me?"
GB: "Sorry sir, you need to tell me that information"
MN: "And how do I know you're not a scammer?"
GB: "Because I'm calling from Generic Bank"
MN: "I'm not going to give any information to an unsolicited caller asking me for my bank details. Are you going to tell me what this call is about?"
GB: "I'm afraid I can only do that with the verified account holder"
MN: "And who is that?"
GB: "I'm afraid I can't tell you until you tell me, but I can assure you I am calling from Generic Bank"
MN: "And I can assure you I didn't take a shit in your cornflakes but that doesn't necessarily make it true, does it?"
*click*

Yes, these calls really were from the bank because every time this happens I walk into a branch and ask a) why I was called and b) why they still haven't fixed this utterly moronic behaviour. Don't even get me started on the almost complete and utter lack of two-factor auth for online banking as well as the utterly ridiculous password requirements. About 5 years back my bank said I could have a current account with an RSA key... the catch was it had to have at least £50,000 in it. I think it's only within the last year or so they've brought in two-factor auth for us mere peons, and yet you're apparently still able to reset your account with "security questions". When I tried to set answers that were purposefully incorrect (e.g. for "memorable place" you might choose to give "Marvin's turgid bowling average") I was told I wasn't allowed to do that so I cancelled the whole process. Asinine.

I haven't given the name of my bank, because they all seem equally shitty in this regard.

Give me a break. (3, Informative)

Anonymous Coward | 1 year,22 days | (#45022579)

He's keynoting at a major security vendor conference. Having done so myself, the goal and focus is ALWAYS to spread FUD to sell software and services. This industry survives off of fear mongering. That's not to say there aren't problems, but when you're paid tens/hundreds of thousands of dollars to keynote on behalf of a vendor, you generally have an unwritten agreement to paint the most dramatic picture possible.

NSA - yea your [art pf the problem (0)

Anonymous Coward | 1 year,22 days | (#45022607)

NSA You paid company's to install backdoors/exploits you think your the only one who can use them? It's partly your fault.

If hacking were legal... (1)

Ichijo (607641) | 1 year,22 days | (#45022647)

...security would quickly improve.

Yeah well... (0)

Anonymous Coward | 1 year,22 days | (#45022659)

The kind of activities i see from the NSA i would call appalling as well.

Maybe you could get off your fat spook ass and help these companies improve instead of just spying on everyone and making judgements?

Specific and immediate threats? (2)

Beryllium Sphere(tm) (193358) | 1 year,22 days | (#45022661)

Chase those, and you're in a never-ending cycle of reaction because you were so thrilled by the drama of firefighting that you left yourself exposed to the next specific and immediate threat.

Try to cover broad classes of threat, and you'll get some actual preventive value from your expenditures.

With Windows Backdoored, What's the Point? (4, Interesting)

Jimbookis (517778) | 1 year,22 days | (#45022773)

Given the creator of Windows and US government can, sufficiently compelled, walk into any Windows system that is internet connected at any time they desire what's the frickin' point? Everything else is security theatrics. Do what the old security honcho of MS has done and drop out.

Yo0 FAIl it (-1)

Anonymous Coward | 1 year,22 days | (#45022775)

previousl7 thought Bombshell hIt butts are exposed Give other people do, or indeed what

There's no real cost for coporate security failure (3, Interesting)

Required Snark (1702878) | 1 year,22 days | (#45022779)

In practice, businesses have no meaningful liability for any software failures. And by liability, I mean facing serious consequence, like destroying the business.

Four letters say it all: EULA. You can sell software that bricks a piece of hardware, and the worst you'll have to do is refund the purchase price. Most of the time, all you have to do is issue a credit, so the customer/sucker gives you more money.

Someone breaks into a server farm and steals credit card info and passwords that are stored in a non-encrypted format? Just send out a warning. It's not like you can get sued or anything.

Big defense contractors are leaking classified information like a sieve. It's so bad that the US President had to whine to the Chinese President about cyber spying industrial espionage. Has any defense contractor lost a contract or been fined for these screw ups? Of course not.

Heck, there were images this week from an exposition of Chinese built unmanned aircraft in Beijing, and they had a Predator drone! Not just a look alike, it had the same mounting for the optical sensor pod on the bulging nose, chines, V-tail, etc. It would be completely unsurprised if they stole the plans. Apparently they have the plans for all our major weapons systems. It save then vast effort in R&D, and they can build counter measures that they know will work. If there were any fines or actions against any corporations it was not reported anywhere.

So given that there's no down side to committing corporate software fraud, why is anyone surprised that security is a complete joke.

Security is possible, but you must focus. (3, Informative)

dweller_below (136040) | 1 year,22 days | (#45022823)

I have been doing IT for 30 years. I have been doing Security for a University for about the last 15 years. I have found that security is possible, but you have to focus.

The biggest problem is we are not taught how to do security. We are taught attack. But attack is not security. We are taught checklists, but checklists are not security.

Security is a meaningful assurance that your goals are being accomplished. The details are transitory. But, without goals, security has no point. Sticking to your goals when attacked is the heart of defense. Ultimately, it is the only thing that matters in security. Your organization adds value by sticking to it's goals. But this is more than just a matter of value added. Goals are the spirit of the organization. If you don't stick to your goals when attacked, then you have lost. The attacker may not have won, but you have lost.

But, security folks are not taught how to support institutional goals. Instead, we are taught myriads of other things. You can see examples of the mechanics of security defeating meaningful security all over the place. One striking example is the SANS 20 Critical Controls: http://www.sans.org/critical-security-controls/ [sans.org] While they contain many good points, they fail to teach security. When we analyzed them, we found that they tended to replace security process with checklist. When we had finished the evaluation process we had eliminated, reordered and replaced many of their controls. Our most important control was not even mentioned. It is:

Critical Control 1: Unity of Vision

Security is a MEANINGFUL Assurance that YOUR goals are being Accomplished. Most security failures are enabled and enhanced by disagreement of purpose. Are the fundamentals of management in place?

  • A. How does your organization create a sense of community?
  • B. What are your Institution's Goals?
  • C. How are those goals propagated throughout the organization?
  • D. How do your security actions promote your institutional goals?
  • E. How do your security actions provide assurance to your institution?
  • F. How does your institution reward long term loyalty?

Another glaring omission is the complete lack of strategic thinking in the security community. Winning battles, but loosing the war is our way of life. Nothing in the SANS controls guides you to ask the important questions like: "Were am I going?" and "How did I get in this handbasket?" and "Do I HAVE to eat this crap?" For our analysis of the SANS Controls, we added another Control. We valued it at number 3:

Critical Control 3: Enable a Better Future

This control assumes that our actions affect the future. Do your actions enable a more secure future?

  • A. How do you increase the cost of attack?
  • B. Do you report attack to the remote ISP/attacker?
  • C. How do you coordinate with law enforcement?
  • D. How do you decrease the cost of defense for yourself and others?
  • E. How do you reduce the motivation for local attack?
  • F. Do you disclose vulnerabilities to others? If so, will your institution protect it’s people when others attempt to punish disclosure?
  • G. Do you facilitate others disclosing vulnerabilities to you?
  • H. Do you help your peers improve their security?

The SANS 20 Controls were originally written by the NSA for the Department of Defense: http://www.sans.org/critical-security-controls/history.php [sans.org] The recent NSA disclosures make me wonder if maybe they are flawed, because the NSA simply doesn't value effective security?

Re:Security is possible, but you must focus. (1)

AHuxley (892839) | 1 year,22 days | (#45023037)

Down the list:
A. How does your organization create a sense of community? Foreign spying, domestic protection.
F. How does your institution reward long term loyalty? Further education, wages, medals, new projects, global insight.
Where NSA came unstuck was hiring very smart, loyal people and telling them its all "foreign" with huge domestic security protections. Reality sets in and talented staff feel used.
A. How do you increase the cost of attack? The main idea was huge electric fences and SUV's packed with contractors. Then a layer of ID and file sections ensuring very few fully understood too much at any time.
Sadly all this seemed to drift away with contractors, language experts and others been rushed in by private vetting over the past 10 years.
The NSA withstood all the Soviet Union, non aligned and friendly nations tried for a long time.
Mission creep (domestic is allowable) and rapidly changing political considerations (contractors, clouds) seem to have displaced a very well thought out internal systems.

Re:Security is possible, but you must focus. (1)

ruir (2709173) | 1 year,22 days | (#45023429)

Tell me which university do you work forthe biggest problems in academia range from "we have open policies", to political problems. And thing is, most technicians talk about getting technical solutions for political problems that can be fixed with technology.

Re:Security is possible, but you must focus. (1)

PvtVoid (1252388) | 1 year,22 days | (#45023681)

the biggest problems in academia range from "we have open policies", to political problems.

Universities should have open policies. That's what universities are there for: the open exchange of information. IT's job is to make technology available, not unavailable, even if unavailable is more secure.

Re:Security is possible, but you must focus. (1)

Simulant (528590) | 1 year,22 days | (#45023649)

Security makes pretty much everything in IT more difficult, complicated, and less convenient, not to mention expensive. Frequently, high security implementations will introduce new problems such as incentivising employees to write down passwords or use insecure workarounds for sensitive work.

Quite frankly, most companies without IP or corporate secrets to protect simply don't care all that much. We'll take some basic precautions but GOOD security is just not worth the hassle, nor is there that much to lose. We don't all need to be as paranoid as the NSA. I'm not even sure that the NSA needs to be as paranoid as the NSA.

Where I currently work, security is practically non-existent. Management isn't worried about this despite repeated warnings. Probably the worst thing that could happen to them other than a break-in with mass destruction would be that they lose their customer's credit card info. They don't seem to care too much about this possibility. I'm not even sure that the repercussions warrant caring. We're a hardware store.

Finally, the security industry have become the snake oil salesmen of IT. I've worked in the field and hated every second of it. It takes a certain kind of talent or delusion to really enjoy it. There's a lot of FUD in this field and so much busy work that it will numb your mind.

Former NSA Honcho Calls IT Sec. "Appalling"... (2)

wonkey_monkey (2592601) | 1 year,22 days | (#45022857)

...Cackles Maniacally And Rubs Hands With Glee.

While he may be correct (0)

Anonymous Coward | 1 year,22 days | (#45022905)

He is also a guy selling security stuff.

Prescott Winter is a fascist (-1)

Anonymous Coward | 1 year,22 days | (#45022915)

Prescott Winter is a fascist, and like all fascists throughout history, we already know how he will be remembered. Like a cunt of a human being. Like most fascists throughout history, I hope he finds his end badly.

Intetnet Czar (0)

Anonymous Coward | 1 year,22 days | (#45022929)

Clearly what's needed is an "Internet Czar" -- a top level cabinet post with, say, 50,000 new civil service positions (job creation). Have one person on the Big Red Switch to shut it all down if the GOP asks any questions about budget and appropriations.

pot calling kettle (4, Insightful)

Anonymous Coward | 1 year,22 days | (#45022935)

Is this the same company that employed Edward Snowden as a sysadmin, allowed him to elevate his authority and then download documents that he was not supposed to... So Prescott Winter was CTO and was finally responsible for internal IT security. Talk about a pot calling a kettle.....

Re:pot calling kettle (0)

Anonymous Coward | 1 year,22 days | (#45023421)

yes, the same mob that "tend to throw technological solutions at potential areas of risk rather than focusing on specific and immediate threats"

Lie with dogs wake up with fleas (1)

Anonymous Coward | 1 year,22 days | (#45023115)

And who's fault is that? Geeze who could have expected undermining security would undermine security!

True or not best to shout this guy down (1)

DarkOx (621550) | 1 year,22 days | (#45023189)

Frankly given all the revelations about NSA spying the biggest threat to security is clearly the government itself, but what will inevitably come out of public figures saying stuff like this is an attempt to regulate PRIVATE IT infrustrucute, which we know the NSA will use to Blackdoor us all.

This is why we need to not give the FEDs the microphone. We should continue to disinvite them from conferences and trade shows. We all need to stop going to infra guard and stop taking NIST seriously. Write you congress person tell them these guys are untrust worthly and rather than listen to the. Please please defund them.

big surprise (2)

Tom (822) | 1 year,22 days | (#45023209)

Who would have thought?

Aside from everyone working in IT security. Or everyone working in IT. Or everyone with 3 working brain cells. So, basically, everyone except middle management.

What I've seen in IT security in most companies is pretty pathetic. They would fall to the first dedicated attacker. And, indeed, reports like the yearly Verizon report show that they do.

But here's the catch: A company is by definition an entity that exists for the sole purpose of making money. As long as the damage from security incidents is lower than the cost to reduce them, it is actually the correct business decision to not improve security. If you view security without risk management, you are a fanatic.

well, Duh. (0)

Anonymous Coward | 1 year,22 days | (#45023301)

... throw technological solutions ...

You mean like using body scanners to detect 'terrorists'?

... focusing on specific and immediate threats ...

Like the TSA being tasked to scare terrorists away from interstate highways?

... vulnerable to hackers, malware ...

Doesn't the NSA and FBI buy the very same malware.

... afford good security ...

Unless it is ruled by HIPA, data in the US belongs to the company (and the NSA). A company can construct as little security as they like. The fact their data is also my credit card number isn't their problem. If a credit card is stolen, the card-holder and some other hapless merchant pays the bill. Besides, the clean-up cost after the break-in is unavoidable. So they won't waste money with top-notch security that will be out of date in a month or the NSA will complain about.

TL;DR: Agency that demands open-door access is horrified their enemies have access too.

Of course it is (1)

gelfling (6534) | 1 year,22 days | (#45023525)

No one WANTS to do security. It doesn't advance anyone's career. On the other hand government is terrible at it too because all it ever wants to do is spend years writing another 2,600 page NIST standard no one can follow.

specific and immediate threats (1)

geirlk (171706) | 1 year,22 days | (#45023535)

By "specific and immediate threats", I suppose he means the NSA itself?

Some exceptions... (2)

oic0 (1864384) | 1 year,22 days | (#45023559)

I work for a medium sized financial institution and the level of security is off the charts to the point where you can be fired from walking away from your workstation without first locking it. No computer that is connected or ever has been or will be connected to our internal network is allowed on the internet or to have a flash drive / CD put into it except by approved IT workers (the ports and drives are disabled too).

Re:Some exceptions... (1)

oic0 (1864384) | 1 year,22 days | (#45023563)

Oops forgot, we are also constantly tested for weaknesses against social engineering lol.

Security is always a balance (1)

onyxruby (118189) | 1 year,22 days | (#45023581)

I can't think of anyone I know who would ever claim their environment was secure, whether I've worked Wall Street, health insurance, defense contractors or any other type of organization that might be typically portrayed as secure. All of these environments have professionals, and all of them are painfully aware of the holes in the system and would fix them if they had the resources. The hard reality is that security costs money and good security costs even more money. Security also has a habit of impeding functionality and in today's environment, this is considered a big deal.

Security is really all about risk management and balancing any given risk against it's likelihood, cost of cleanup and cost of prevention. You can white-list every website your staff are allowed to visit on the Internet and dramatically reduce the number of infected machines, but the cost in terms of staffing, employee morale and retention would be quite high. You can put man traps at every door in your facility, however it would be a foolish waste of money and irritation in 99% of use cases.

Like it or not security is often tied directly to regulatory and compliance requirements. Those environments that have some sort of regulatory and compliance requirement are typically far more secure than those that don't. If you want improved security for the country (wherever your country is) you have to start with regulations and compliance requirements that force companies to institute it to begin with. It's claimed that cybercrime costs [mcafee.com] $100 billion in the US and $400 billion per year.

Want better security? Get companies to realize that have poor security costs more money than good security.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?