×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Failure of Information Security

ScuttleMonkey posted more than 7 years ago | from the everyone-is-happy-until-something-breaks dept.

172

Noam Eppel writes to share a recent editorial regarding the current state of information security. From the article: "It is time to admit what many security professional already know: We as security professional are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

172 comments

THE FUTURE OF TROUTS! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#15299619)

I AM A FISH!

Re:THE FUTURE OF TROUTS! (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#15299700)

And the point of your post is what?

I really don't understand why people think that anyone is interested in a completely off topic post that adds nothing to the article and is not even an opinion about the article.

I can understand trolling, they have a strong opinion and want to force it on others, but first post and completely off topic posts are pointless

Sorry to rant and be a bit of a troll myself.

Re:THE FUTURE OF TROUTS! (1)

Fecal Troll Matter (445929) | more than 7 years ago | (#15299728)

I work in IT every day, and I'm really getting a hoot out of all these posts. You slashdotters think you are experts on everything, but trust me, you're not. You don't have the faintest clue what you are talking about. So next time, think before you post, because some people will believe anything they hear...

Failure of security professionals? (5, Insightful)

Whiney Mac Fanboy (963289) | more than 7 years ago | (#15299621)

"It is time to admit what many security professional already know: We as security professional are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."
Bollocks - this implies that there's more security professionals could do, but they choose not to, to drum up business.

The sad reality of the matter is the vast majority of the threats they mention - Spyware, phishing, Trojans, viruses, worms, rootkits, spam, web app vulnerabilities & ddos attacks - are enabled by the existence of botnets (to stage attacks from, send spam, provide anonymity, host phishing webservers, etc)

The source of (the vast majority of) botnets is Microsoft's security failures in the late 90's/early 00s. How are security professionals supposed to combat something that happened in the past in another company?

Furhtermore, the list of data losses
Credit Card Breach Exposes 40 Million Accounts [com.com]
Bank Of America Loses A Million Customer Records [com.com]
Pentagon Hacker Compromises Personal Data [military.com]
Online Attack Puts 1.4 Million Records At Risk [com.com]
Hacker Faces Extradition Over 'Biggest Military Computer Hack Of All Time' [spamdailynews.com]
Laptop Theft Puts Data Of 98,000 At Risk [com.com]
Medical Group: Data On 185,000 People Stolen [com.com]
Hackers Grab LexisNexis Info on 32000 People [pcworld.com]
ChoicePoint Data Theft Widens To 145,000 People [com.com]
PIN Scandal 'Worst Hack Ever'; Citibank Only The Start [csoonline.com]
ID Theft Hit 3.6 Million In U.S.
Georgia Technology Authority Hack Exposes Confidential Information of 570,000 Members [itworldcanada.com]
Scammers Access Data On 35,000 Californians [com.com]
Payroll Firm Pulls Web Services Citing Data Leak [com.com]
Hacker Steals Air Force Officers' Personal Information [washingtonpost.com]
Undisclosed Number of Verizon Employees at Risk of Identity Theft [com.com]
can be blamed on companies who have failed to follow their security team's advice. Not on the security team itself.

The story makes some good points, but blames the wrong people.

Re:Failure of security professionals? (4, Insightful)

BorgDrone (64343) | more than 7 years ago | (#15299674)

Furhtermore, the list of data losses (...) can be blamed on companies who have failed to follow their security team's advice. Not on the security team itself.
Not entirely correct. Yes, users are morons, and yes they often fail to follow the advice of the security team. However, it's the security team's responsibility to get proper behaviour into the users stupid little heads.

Security is not just the technical part, educating your users is huge part of it and if users fail to follow advice the security team has failed in this part of their job. You can whine how stupid users are, but that doesn't change reality, it's the security team's responsibility to make them less stupid.

Re:Failure of security professionals? (5, Insightful)

Bacon Bits (926911) | more than 7 years ago | (#15299734)

I don't think that's what he saying. That is, users are not to blame. The decision makers are.

Let's say, as an IS professional, you explain to managment the need to restrict user accounts with Administrator rights, the need to implement an intrusion detection device, the need to eliminate spam, the need to make the network infrastructure fault tolerant, the need to update the antivirus client to something that can detect modern threats, and the need to educate users on how to operate their systems securely. Management denies budgeting these things on the basis that they are not necessary, and would you please increase maximum mailbox size again?

If the company is unwilling to do what is necessary to secure the environment, then as an IS professional you are largely helpless.

Re:Failure of security professionals? (1)

hackstraw (262471) | more than 7 years ago | (#15299972)

If the company is unwilling to do what is necessary to secure the environment, then as an IS professional you are largely helpless.

Measures against security just like safety are directly proportional to the level of perceived threat.

So in other words it will take a massive breach in their world or to someone they know before the proper measures are taken.

Nobody protects a piggy bank with an armored tank. Fort Knox has an Army base beside it.

Shrinkage is inevitable (2, Insightful)

Maximum Prophet (716608) | more than 7 years ago | (#15300103)

What many computer professionals don't realize is that a certain amount of loss due to crime is inevitable at any medium to large business. Stores like Walmart and Target have huge "shrinkage" problems, many times due to the employees themselves. Banks are constantly the victim of their own people all the way up to the VP level. Because of this, businesses are forced to make the calculation about how much security will save, vs. how much will be lost due to crime. If you want Military level security, you can buy it, but even the Military has had to deal with stolen information.

The trick is getting a better crystal ball and figuring out how much a breakin will cost. Since the IT people often can't properly predetermine the cost of normal projects, predicting the cost of a hypothetical crime will be less acurate than predicting the weather. Perhaps instututes like SANS could put dollar number formulas on each threat type. Even though the formulas would require too many assumptions to be accurate to us, management types could plug in what they think and have the OMG moment w.r.t. security or lack thereof.

Re:Failure of security professionals? (4, Insightful)

symbolic (11752) | more than 7 years ago | (#15299744)

That all depends...many organizations have positions that are characterized by "all of the responsibility but none of the authority". This means that as a security professional, you may be able to recommend certain practices, but unless one has the authority to see to it that these recommendations are implemented, there really isn't a whole lot more that can be done.

Re:Failure of security professionals? (1)

Whiney Mac Fanboy (963289) | more than 7 years ago | (#15299752)

Furhtermore, the list of data losses (...) can be blamed on companies who have failed to follow their security team's advice. Not on the security team itself.
Not entirely correct. Yes, users are morons, and yes they often fail to follow the advice of the security team. However, it's the security team's responsibility to get proper behaviour into the users stupid little heads.
Agreed - but what I was talking about is not failures of the end users, but failure of the company's management to implement security policies (including user education).

Re:Failure of security professionals? (2, Insightful)

Linker3000 (626634) | more than 7 years ago | (#15299753)

Bad perspective.

If you consider the users to be morons and know that they will fail to follow security advice than you plan for this. You can implement training to 'un-moron' them to a degree, but it is not wise to consider that the post-training person will do what they have been told all of the time.

*ANYONE* in any support or consultancy role that starts to say to themselves (about the users) "You'd think that they would/wouldn't...." (eg: You'd think that they would know not to login as someone else") is totally missing the point about human behaviour and is not approaching the problem or their role in the correct way.

Re:Failure of security professionals? (1)

WgT2 (591074) | more than 7 years ago | (#15299808)

However, it's the security team's responsibility to get proper behaviour into the users stupid little heads.

Well, that can be slightly difficult when you have the VP of engineering subtly criticizing you for putting a '|' in the CEO's LDAP password. Which is only indicative of the laziness and low expectations and standards of those who hire security professionals. Not to mention there not being a means for the CEO to create or change his own password.

Re:Failure of security professionals? (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#15299837)

And you deserve to be criticized and belittled for using a pipe character in a password. Let the CEO choose their own passowrd. Quit being a sensitive wimp.

Re:Failure of security professionals? (1)

kfg (145172) | more than 7 years ago | (#15299828)

. . .it's the security team's responsibility to make them less stupid.

You can make them less ignorant. You cannot make them less stupid. You can train the ignorant. You cannot train the stupid, because, well, they're stupid. Stupid is forever. That's the definition of stupid.

Security has to take the stupid into account, because they're out there, in your organization.

And boy, are they stupid.

KFG

Re:Failure of security professionals? (0)

Anonymous Coward | more than 7 years ago | (#15299961)

Your users are so stupid they DVDs in their CDROMs, then complain that the drive wont play their movie.

Your users are so stupid they tryed to plug their new phone into a ethernet port.

Your users are so stupid they keep laughing at the "your users are so stupid...." jokes.

You users are so stupid, when they go to "your" computer they think its theirs computer just because its in "their" cubbie.

Your users are so stupid they mixed up SIMM, DIMM, and RIMM.

Your users are so stupid they call you everytime they need to use a computer.

Your users are so stupid they think BOFH articles you post are not a warming.

Your users are so stupid they open all files marked "fr33 Pr0n, angelina jolie, BriTneY Spears, CHRISTINA AGUILERA, Lesbian Celeb orgy.mpeg.exe", and wonder why its not playing.

Your users are so stupid they put their password and login name on the computers background image.

Your users are so stupid they gave out their username and password for a file named "free lesbian ogry.mpg.exe".

You so stupid you actually read all this!

Re:Failure of security professionals? (2, Insightful)

kfg (145172) | more than 7 years ago | (#15300017)

Your users are so stupid they DVDs in their CDROMs, then complain that the drive wont play their movie.

Your users are so stupid they tryed to plug their new phone into a ethernet port.


This is ignorance, not stupidity. The people who wrote the jokes were too stupid to know the difference.

I like LBJ's line about stupidity:

They couldn't pour piss out of a boot if the instructions were written on the heel."

KFG

Re:Failure of security professionals? (1)

zuluechopapa (919551) | more than 7 years ago | (#15299898)

Er. I think I'd call bullshit. A security team is responsible for keeping infrastructure as secure (and still usable) as possible. Training is another issue in and of itself, and no amount of hand holding can overcome the problems of those who are going to be willfully ignorant.

Re:Failure of security professionals? (1)

SillyNickName4me (760022) | more than 7 years ago | (#15300081)

A security team is responsible for keeping infrastructure as secure (and still usable) as possible.

Sure, educated users are an extremely important part of keeping the infrastructure as secure as possible however.

How about if they refuse to "do as they're told"? (2, Insightful)

Anonymous Coward | more than 7 years ago | (#15299991)

Especially when they're senior management types? You can bitch all you want to anybody you can find who'll listen to you but at the end of the day most companies place senior management and they're desires ahead of those of the IT department: if Company Director X declines to follow IT dept guidlines on security procedures, there is nothing IT can do to him and his activities which won't result in the IT guys being fired.

So some Top Dog asshat opens a gaping hole into the company's system and there's not a damn thing IT can realistically do about it, bacause in most cases they are too far down the pecking order to get their way, but will still be blamed for the breaches and disasters that follow anyway.

Re:Failure of security professionals? (0)

Anonymous Coward | more than 7 years ago | (#15300066)

Bzzzt! It's not up to the security professional to enforce rules and common sense on the users. It's up to management, and management gets their recommendations from their security pro's. Management often chooses not to implement these recommendations...which is fine, that's while they're called management. If you want to lay the blame at someones feet, it has to be those who make the final judgement call on what to and not to do. This is, more often than not, at a management level. There are very few places where management can be overruled by the security dept. (the federal government is one). Not much can be done.

Re:Failure of security professionals? (1)

Kalzus (86795) | more than 7 years ago | (#15300112)

I have to disagree. There are two parallels:

- Saying that it's a teacher's responsibility to make certain a child grows up to be a responsible member of society. But, in most of the Western world at least, this is bollocks.
- Saying that it's a parent's responsibility to make certain a child grows up to be a responsible member of society, and that they are directly attributable for the failure. This, at least for me personally, is a Truth. However, there will be plenty of children who will grow into misanthropic, withdrawn or downright evil people.

There will not be success in this regard as per the OP's link's author's definition until the users themselves shape up. If "security professionals" attempt to force them, those users will generally arrange to nullify the efforts of said professionals. Because those users do not see a need to.

Observations of current behavior suggest that, frankly, most people don't handle cause-and-effect well and can't be bothered to take responsibility for their own actions without gross displays of effect. After all, there does not yet exist any way to directly kill or otherwise physically harm a person through their web browser.

Re:Failure of security professionals? (0)

Anonymous Coward | more than 7 years ago | (#15299706)

Excuse me? "drum up business"? Those of us within the field of InfoSec hardly have to drum up business. Count on sheer user stupidity and ignorance for that. There's more than one reason snopes.com exists. Selling Good Security in a corporate environment is MUCH harder than you think. As far as your Security horror stories? Pure FUD that flys over the top of execs heads who are still staring at the bottom line proposal of Firewall/IDS/IPS systems you have proposed with NO real ROI for the business. You need to realize that Functionality will always reside over Security unless you have a legal requirement. As much as it pains me to say this, lawyers (ugh) are going to be the only savior on this crusade to the ultimate ISO17799/BS7799 Corporate Security utopian envioronment. Until it is made illegal, it will remain unsecure. You want an example? Pick any Microsoft product. 'Nuff said.

Re:Failure of security professionals? (1)

Nutria (679911) | more than 7 years ago | (#15300063)

execs heads who are still staring at the bottom line proposal of Firewall/IDS/IPS systems you have proposed with NO real ROI for the business.

What you need to to is quantify the costs of the last 2 or 3 security breaches and worm/virus infestations, and those of other companies, and also the rules and fines and PR black eyes for exposing private information to the world.

Then compare those costs to to the cost of your proposed Firewall/IDS/IPS systems.

You need to realize that Functionality will always reside over Security unless you have a legal requirement.

Or a monetary imbalance.

Re:Failure of security professionals? (1)

Kirth (183) | more than 7 years ago | (#15300201)

The source of (the vast majority of) botnets is Microsoft's security failures in the late 90's/early 00s.

Yes, so what am I supposed to do? Shoot every Windows-salesman, electrocute all PCs running windows and blow up the Microsoft-campus. I'm pretty sure I could increase security in the long term by doing that... Would give nice headlines too: "Security professionals blow up Microsoft campus".

Sounds a bit harsh to me (5, Interesting)

giorgiofr (887762) | more than 7 years ago | (#15299635)

We as security professional are drastically failing ourselves, our community and the people we are meant to protect.

This is quite harsh. While it is true that more could be done, it also true that it is thanks to security professionals that things are not as bad as they could be. Yeah, Norton and McAfee are doing their best to scare consumers into buying software that provides ridiculous security. But this is not what we mean by "professionals".
Also, I am not a "security professional" but I have done my fair share of configuring and securing other people's computers; sometimes thay might have been compromised anyway, but if I had done nothing, many more systems would have been at danger.
The article lists a long series of threats that endanger our systems everyday - but I fail to see how they are related to security professionals not doing their job. I'd rather blame the criminals.

Re:Sounds a bit harsh to me (1)

Crayon Kid (700279) | more than 7 years ago | (#15299801)

This is quite harsh. While it is true that more could be done, it also true that it is thanks to security professionals that things are not as bad as they could be.

As opposed to what?! Bad is bad, especially in security, where one breach is all you need. I don't think there's any such thing as "secure to a degree". You're either secure or you're not.

Perhaps you meant that "the consequences are not as bad as they could be". But how much worse do you want it to get? So far the bad guys have been using victims' computers to send spam, DDoS attacks, phishing, empty bank accounts, steal email and IM accounts, spy your surfing, or bring the computer to a crawl with malware. What more do you want?

The article lists a long series of threats that endanger our systems everyday - but I fail to see how they are related to security professionals not doing their job. I'd rather blame the criminals.

In that case, you're in serious need of some required reading. Try this for size: The Six Dumbest Ideas in Computer Security [ranum.com].

I think you'll find that the state of security today is bad, because it's being designed poorly from the ground up. Why blame the criminal who breaches the system when you can blame whoever made the system? A system of any kind should only allow break-ins if it was meant to, not by accident.

Why blame viruses and play catch-up with antivirus definitions instead of making the OS virus resistant? Why blame whoever sent you a self-executable IM or email message instead of the dumbass who allowed your IM or email client to execute it? Why blame phishing attacks instead of designing the DNS system properly? Why blame spammers instead of the happy-go-lucky thing called SMTP? Need I go on? If a system has potential for abuse, it will be abused, period.

Re:Sounds a bit harsh to me (1)

SillyNickName4me (760022) | more than 7 years ago | (#15300099)

I don't think there's any such thing as "secure to a degree". You're either secure or you're not.

Ah.. absolute security exists you believe?

You disqualified yourself from having an in any way relevant opinion about information security if you really believe that.

Re:Sounds a bit harsh to me (1)

hyfe (641811) | more than 7 years ago | (#15299924)

I'd rather blame the criminals.

Well. It's an extreemely good point.. however, I think the police / criminals analogy works on another level too; at first glance, you'd think it's the criminals that's making the streets unsafe, and not the police. Start looking around a little in the real world though, and you'll find plenty of countries where it's more or less debatable wether the police are solving more problems than they create (Russia, most parts of Africa and some parts of South America)..

Likewise, as bad as some internet security products are, it's atleast debatable wether they're causing more problems than they solve. How many geeks do you know that run Norton Antivirus (or whatever it's called nowadays)? (and yes, these products are by definition created by security profesionals (ie; people making a living by doing security)).

A real failure! (4, Insightful)

VincenzoRomano (881055) | more than 7 years ago | (#15299638)

Information security is failing also because information needs to be managed and addressed by non technical people! Also known as "normal people".
Techniques like phishing or social engineering, as well as a good dose of stupidity [slashdot.org] and ignorance, can make security technologies useless!
Like writing down on leaflets PINs and passwords or communicating them via email.

Re:A real failure! (1)

fatmal (920123) | more than 7 years ago | (#15299708)

Agree 100%. The issue is we as technologist often don't (can't?) communicate 'safe' behaviours, and quite often the end-user doesn't realise the importance of those behaviours until their information (or even personal) security is compromised.

Safe behaviour, in the real world or in technology, is a learned behaviour - you often need to get hurt first. Hopefully, that first experience isn't too damaging, but is just enough to allow people to learn from the experience.

Re:A real failure! (1)

vhogemann (797994) | more than 7 years ago | (#15299719)

I wish I could mod you up!!!

You can build the environment as safe as it gets... but if you can't enforce a secure behavior to your user, you can't be 100% secure.

Also, management end doing poor decisions based on the average user skills, like using Windows desktops ... or won't bother doing some sort of training to ensure that the users knows the security policy.

The average user must understand their role within the security plan, understand that good security has much more to do with good pratices and habits than with anti-virus software.

Re:A real failure! (1)

kfg (145172) | more than 7 years ago | (#15299915)

Like writing down on leaflets PINs and passwords or communicating them via email.

How about walking around telling everyone your password to demonstrate how clever you were in devising it (out of dictionary words).

Yes, a member of my own family, with a degree from Harvard (bit of local men's room grafitti: "At Skidmore we teach people to wash their hands after using the restroom." Somebody wrote under it: "At Harvard we teach them not to piss on their hands.").

The only effective security measure I know for behavior like this is to apply an LBI.

Some people like the LBIs that come from Louisville, but I'm a New England boy and prefer the LBIs from New Britain. The FatMax(r) incorporates tuning fork technology to reduce harmful vibrations that can cause arm and wrist injuries.

I like the 16 oz. myself, but I only go 130 lbs with dripping wet clothes on. You might acheive better results with the 20 oz.

KFG

Re:A real failure! (1)

kegon (766647) | more than 7 years ago | (#15299993)

as well as a good dose of stupidity and ignorance, can make security technologies useless

I disagree. It is the job of security technologies to protect ourselves from our own stupid actions. If people write down passwords then switch to a system that doesn't authenticate using passwords.

You can't just keep blaming users. Think, if for every bug you found in my software I said "That damn Microsoft!" or "That damn C++!". Saying my users shouldn't find the bugs is blinkered.

Wrong (0)

Anonymous Coward | more than 7 years ago | (#15299644)

It is definitely not our duty to protect companies.

It is our duty to protect our fellow human being and the job market.

This requires plenty of need for technical support to help stymie the massive influx of computer based attacks.

We have already come so far. We are enjoying a surge in business and growing salaries thus it is our mandate, first and foremost, to protect our fellow workers.

Free a port today.

Interesting but... (4, Interesting)

datafr0g (831498) | more than 7 years ago | (#15299650)

I've read the article and while it's a very informative collection of statistics, I don't believe that Security Professionals are responsible for many of the "Security Failures" listed, nor can they fix the problems. Security Consultants already know most of this stuff and can say what they like to a business, but they do not make the final decision. The holes are in the OS's and the platforms businesses choose and generally the priority isn't security - it's usability, ROI, cost, etc.

Another point: What are we comparing this to anyway. What I mean is, "bad security" compared to what? How many millions of attempts at compromising security are foiled vs those that get through? The times when businesses actually follow what a security consultant recommends, I guarantee they become a hell of a lot more secure than those that don't.

The Human Factor (4, Insightful)

CortoMaltese (828267) | more than 7 years ago | (#15299654)

I think TFA pretty much ignores the fact that for the average user, security is just a warm fuzzy feeling they get after they've installed a virus scanner, a firewall, and checked that there's an image of a closed yellow lock somewhere. For security professionals and the like (including myself) it's usually much easier to tackle the technical threats, while it's all too easy ignore the user, which is typically the weakest link in any security critical system.

I know I am stating the obvious here, but I still think the human factor is almost always greatly underestimated.

Re:The Human Factor (3, Interesting)

Caledai (522776) | more than 7 years ago | (#15299750)

Bold Text = Me
Italic Text = Boss

In relation to giving access to a share for large files. [> 200GB]

Ok, give me the names you want to have write access to this share..
"I can't be bothered to give u all the names, just give them all access" - [Hundreds of Users]
You realise that defeats the purpose of having home folders & quota's & that they can delete anything on the drive, and that we have no backup policy or the facilities to back up that drive [> 200 GB]
So...Just Do It
Sound familiar anyone?
This is just basic NTFS and share access rights - nothing complex.
And I am just a technician - not a security consultant. If they ignore us when we say this - what makes you think they are going to listen to a consultant telling them something they have already dismissed?

Re:The Human Factor (1)

sendtwogrey (967794) | more than 7 years ago | (#15300040)

A response to that sort of ignorant mentality is Yes, Sure, No problem, I just need you to send me a memo resolving me of an internal and external legal action and contractual reasonability I have when corporate information IS lost or maliciously changed. (Yes, it'll also work with the company owner).

If you want a securer system and reduce your work load by 50% then upgrade your admin status to B*st*rd.

Have users agree to your terms and conditions every time they log on, yes it a pain but make it happen, point out that even schools and universities are being held accountable for their user's actions.

Adding or removing software: disciplinary matter

Using company email for personal use: disciplinary matter

Turn off internet access (you pay people to work) if they get round the system: disciplinary matter

download music or software : disciplinary matter

giving out your password : disciplinary matter

check management machines for porn/e-cards/funnies etc, then the next time they kick off about system problems, blame the problem an a virus from one above items.

Re:The Human Factor (1)

avasol (904335) | more than 7 years ago | (#15299768)

While I agree with you, your comment is too superficial to be of real value. The problem is always with the (l)user, just like a vast majority of airline crashes depend foremost on the human factor. But, in the case of an airline crash, or f.e car-crash, or tanker run aground, or ICMB missile exploding at base - there's always a recurring investigation that, while pinning the blame on some human factor, always finds reasons to stipulate further demands on the manufacturers/vendors.

In the case of software, this never happens. Why? Why is Microsoft not under official scrutiny each time Bank of America loses 1 million accounts? Yes boss, we all understand that users/retailers have willingly forfeit their right to sue for compensation of these losses that inevitably hurt the end-user. My question is, for how much longer will this be tolerated and when will the government (any government!) act on this.

Ultimately, the software industry has been able to entirely block off external pressure from legislators. It's a free license to print your own money, which is quite evident because everyone knows if Microsoft could be held liable for their sometimes downright idiotic software, it would not be a fraction of the colossus it is today. Perhaps wouldn't even exist.

One can always dream.

Re:The Human Factor (1)

CortoMaltese (828267) | more than 7 years ago | (#15299982)

While I agree with you, your comment is too superficial to be of real value.
Yes, I know my comment was superficial and downright obvious, but yet it was something totally missing in TFA. It was just something I wanted to point out, and I wasn't really disagreeing with the article.

I also agree with you that the software industry should take (or be forced to take) more responsibility for the products. Security is not something the consultants or security professionals can patch later as an add-on.

But there's another aspect: in general, software is not simple. Software products are not simple. If you fly a plane or drive a car, you're expected to know how to do it, to have some sort of training in it, and no security features will ever be able to compensate if you don't know how to do it.

Software should probably be simpler and easier to use, so that you could handle it with less knowledge and training. Simpler is often, but not always, also more secure. But, as they say, if you create a product that an idiot could use, only an idiot would want to use it... And there are tasks where no simple solution will do.

Professional Regulation (2, Interesting)

jtvisona (971081) | more than 7 years ago | (#15299655)

It seems to me that if the computer networks and computer industry enjoyed real regulation, any yahoo who passes a CompTIA test wouldn't be able to claim to be a computer consultant, or a security expert, and be allowed to set up crap that allegedly puts our nation at risk via cyberterrorism. as the trumpeters keep blaring. Imagine if anyone could just say he was a lineman and start modifying the power grid, or a police officer and start arresting people. If data is as important as power and control (they are all important types of busses, no?), then data people have to be better trained and regulated like power and control people. Ah, but it's a nascent profession...

Re:Professional Regulation (1)

Niet3sche (534663) | more than 7 years ago | (#15299679)

It seems to me that if the computer networks and computer industry enjoyed real regulation, any yahoo who passes a CompTIA test wouldn't be able to claim to be a computer consultant, or a security expert, and be allowed to set up crap that allegedly puts our nation at risk via cyberterrorism. as the trumpeters keep blaring. Imagine if anyone could just say he was a lineman and start modifying the power grid, or a police officer and start arresting people. If data is as important as power and control (they are all important types of busses, no?), then data people have to be better trained and regulated like power and control people. Ah, but it's a nascent profession...

I assume that you refer to the CISSP exam (or the Cisco CCxx security track?) in the first statement above. That's not really what I'd like to respond to, but the exams are fairly comprehensive and give a good "flavor" of what to look for as well as a "painting with broad strokes" overview of threat models and the like that face security personnel. However, I'm more concerned with the other point in your comment, which seems to point to a conclusion that the exams exist in a vacuum and are the only means/metric by which security personnel may be judged. This is just not the case. Depending on what you want in a "consultant", and depending on your approach (e.g. basic vs. applied research bent), there are exams and degree programs that exist, but the best measure of a security consultant is - I believe - the same as any other field:

* Do they come recommended?

* Do they appear to know what they're doing?

* Finally, do they appear to genuinely understand where security sits in the larger framework of an organization's infrastructure and develop a solution accordingly?

Just summing it up - unless I've misunderstood the grounding and guiding tenure of your post - with a flippant anyone can take a CompTIA exam and be a security consultant does not take into account the true nature of how things are done when individuals have a clue. (Yes, the last part is important)

I see the call for regulation that you are making here, but I think there are other (e.g. "market") forces involved. I am uncertain that regulation would in itself be able to fully cover this, as people's social and business networks have proven difficult to trump in applied practice.

Re:Professional Regulation (1)

fireboy1919 (257783) | more than 7 years ago | (#15300131)

You have to take a security test to be a consultant? So...if I'm going to be designing a webpage for a washing machine company I have to take a security test?

Very silly.

Having to take a test for actual security people are as well.

The fundamental principals of security aren't that hard. Not hard enough to require a test:
1) Validate all inputs coming from insecure ports. Assume that all data from them is untrustworthy. Don't allow any kind of write access to your data on insecure ports. Don't allow password validation at all on insecure channels.
2) Store all authentication information in a salted one-way hash. Don't write the algorithm that does this yourself. Use one that's already had a hundred thousand eyeballs look at it and no one who found its flaw (so not MD5).
3) Know and inform everyone that any time you do public key passing via an unsecure channel (i.e. http) you're creating a point of entry for man-in-the-middle attack so that you need to use switches rather than hubs. Other than that its up to the internet service providers to keep that sort of thing from happening.

Those are the "be a good sysadmin" rules. Then there's the programmer rules:
1) Same as rule #1 above, but replace "insecure ports" with "anywhere outside the program." Also included in this - most especially - is making sure that the length of null terminated data can not exceed its available space. Nearly all exploits begin as buffer overflows.
2) Don't make up any algorithms of your own to handle security. Don't bolt security things on to an existing security algorithm. You'll get it wrong like WEP did. Use existing algorithms exactly the way that they were intended to be used with no creativity on your part. Preferably by using someone else's code that has already been inspected highly. Invented things aren't secure until they've had a few hundred thousand eyes look at 'em.

The rules to security are simple. Having a certificate is not going to do much to increase the likelihood that you follow the simple rules. The problem is that all it sometimes takes is one moment of weakness to cause a huge problem - not that people don't know the rules.

At least I hope this is true, and tend to think that it is.

Joint Stewardship of Earth (1, Interesting)

Anonymous Coward | more than 7 years ago | (#15299666)

The Coming Singularity [blogcharm.com] compells us to get our security act together before all is lost and our technological world collapses.

Security in artificial intelligence [iuniverse.com] is approaching a winner-takes-all moment of truth on which hangs the fate of the world.

The Joint Stewardship of Earth [wikocracy.com] under human and robot control requires mutually assured defusing (MAD) of security issues for the legacy human society and the supervenient robot society.

PEBKAC (5, Funny)

Opportunist (166417) | more than 7 years ago | (#15299676)

I live and thrive on the inability of people. It's my job to find and eliminate trojans, worms and other malware.

Time and again I see proof that people, smart people, people with a masters degree and Ph.D., lawyers and bankers, managers with a six to seven figure annual income, become mumbling fools in the presence of a computer. I don't know what it is that those magical boxes emit, but it must be akin to the stupidity ray used in Zak McCracken. Lucas got it wrong there, it's not transmitted through the phone line, it comes out of your computer screen.

Now the argument comes "Then don't allow them to f... up the system, lock them down and take away their permissions". Anyone who ever said that statement never worked with managers that have egos that require their own offices. Don't you, grunt, DARE to take away any options from him! He is the master of the world, he is the chieftain of chieftains, and YOU dare to tell HIM what he may and what he may not do?

Security is nice on paper, but it is very hard to do in reality. Not so much because its technicalities. The human factor is by far underrated in IT sec.

Re:PEBKAC (1)

$RANDOMLUSER (804576) | more than 7 years ago | (#15299730)

One minor quibble: it's PEBCAK (Problem Exists Between Chair And Keyboard).

Re:PEBKAC (1)

Opportunist (166417) | more than 7 years ago | (#15299755)

I learned it as "Problem exists between keyboard and chair"

Either way, doesn't really matter I guess. It doesn't solve the problem, the only good solution I found for this problem is vitriol.

Re:PEBKAC (4, Funny)

ObsessiveMathsFreak (773371) | more than 7 years ago | (#15299887)

One minor quibble: it's PEBCAK (Problem Exists Between Chair And Keyboard).

Either is fine. The product of stupidity and computers is commutative.

Re:PEBKAC (1)

sshutt (785646) | more than 7 years ago | (#15299762)

The best any of us can do is set up systems to minimise any problems caused by our users, managers think they need admin rights to all systems, in a lot of cases its just easier to set everyone up as an admin as so much seems to depend on it lately. You cant set up decent security because the users complain, make screens lock if they go into screen saver? cant have that because it takes time to unlock enforce complicated password policies? they get written down the best we can do is protect a system with anti virus, and catch any intrusions that happen before they have any serious effects

My House isn't 100% secure! (3, Insightful)

rolfwind (528248) | more than 7 years ago | (#15299680)

It must be someone's fault it's not perfect. Okay, I don't want a tomb but be able to interact with the outside world, so I still want doors and windows. But I think the contractors are secretly conspiring together and failing us security wise, because there should be completely unbreakable windows & non-pickable locks on the marketplace. WAAAAH!

Re:My House isn't 100% secure! (1)

surprise_audit (575743) | more than 7 years ago | (#15299922)

Forget the doors and windows, anyone who really wants in will bring along a chainsaw and go straight through the wall...

Re:My House isn't 100% secure! (0)

Anonymous Coward | more than 7 years ago | (#15300257)

I have yet to see a house that Ty Pennington [go.com] couldn't break into. All it takes is the right tools!

Corporate mentality (5, Interesting)

Aceticon (140883) | more than 7 years ago | (#15299689)

The management level corporate posture towards IT security goes like this:
- We want to have our machines and network secure as long as it doesn't cause too much hassle to people and we don't pay a lot for it.

In other words, forget about big hardware changes, forget about changing the OS/E-mail client/Word editor/Web browser on the desktops of the staff, forget about getting all laptop users in their own sub-network and forget about retraining our staff to use computers in a way that helps improve our IT security. Oh, and by the way, if the CEO or some other VIP has some funky new program on his laptop that can't connect to the Net, just open those ports in the firewall.

And now IT Security professionals are to blame?

What's next? Maybe the cleaning lady at Enron was the one responsible for defrauding the investors????

Re:Corporate mentality (1)

Demerara (256642) | more than 7 years ago | (#15299934)

The management level corporate posture towards IT security goes like this:
- We want to have our machines and network secure as long as it doesn't cause too much hassle to people and we don't pay a lot for it.


Spot on. Corporations who are legally mandated to secure their information systems will spend the mimimum to achieve compliance. Absent this, they'll spend nothing unless it effects the bottom line and shareholder value.

Information security professionals are no more responsible for the consequences of ignored advice than are weather forecasters for damage caused by hurricanes.

At first, I thought the article was flamebait but it is an interesting read - a good overview of the harsh environment.

Re:Corporate mentality (1)

surprise_audit (575743) | more than 7 years ago | (#15299946)

Around here, we're standardising on Windows XP, with Outlook/Exchange for email and Internet Explorer for browsing. A fair proportion of internal web pages are broken in any other browser, even going as far as to redirect you to a page with a link to download the approved version of IE. Oh, and everyone is slowly being upgraded to laptops when their desktop systems become old enough to warrant it....

And yet there's annual, mandatory, Security Awareness training. One year I was able to get a perfect score by using right-click->view-page-source, because the multiple-guess questions came loaded with the correct answers...

Failing (2, Insightful)

mulhall (301406) | more than 7 years ago | (#15299692)

"We as security professional are drastically failing ourselves, our community and the people we are meant to protect"

BS

You cannot solve cultural problems with technology:

http://news.bbc.co.uk/2/hi/technology/3639679.stm [bbc.co.uk]

Re:Failing (1)

Maximum Prophet (716608) | more than 7 years ago | (#15300196)

Sure you can. I have locks on my doors and trained dogs. If a criminal were to select my house, these simple technologies will send him to a softer target most of the time.

Now if you are taking about the existence of crime itself as the "cultural problem", then I'm more likly to agree with you, but pyschology is making leaps and bounds in determining why people commit crimes. Think "Gattaca" or "Minority Report" and others where technology solved problem X, and created a much bigger problem Y.

In conclusion, yes sir, technology can solve all your problems, but then it's up to you to deal with the Giant Killer Robots(tm). (Which in my opinion, are long overdue (:-)

90% of "security professionals" suck (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#15299694)

Most of the so-called Computer Security professionals I've met suck.

Hmmm... (2, Insightful)

Mostly a lurker (634878) | more than 7 years ago | (#15299698)

Microsoft has had over two billion downloads of its malicious software removal tool in the last year, which tells us something about the overall size of the malicious software problem.
Yep: it tells us exactly nothing about the overall size of the malicious software problem. It does, however, indicate that users are using Windows Update (either automatically or manually). [The malicious software removal tool is a critical update.] It is good news that Microsoft has persuaded users to keep up to date on critical updates, I guess.

Security bullsh*t :) (1)

xdesk (550151) | more than 7 years ago | (#15299704)

Security is pretty much at the point where we want and are prepared to pay ... and in a world not quite perfect :)

It's not the professionals... (1)

bulldogzerofive (947922) | more than 7 years ago | (#15299711)

... it's the end users who are responsible for this dismal state, IMHO. The article makes the case that despite a growing amount of software designed to protect us, it is not working as well. I would argue that the software and implementations probably ARE working better than they used to. However, as software gets better and easier to use, people spend less time learning how to use it simply because they think that it is better and easier to use than what they used to have. So, firewalls are not configured properly, AV programs are not run frequently with the user paying attention, and of course people install crap thinking their security software will protect them. Then there is the old social engineering problem. And there is nothing that security professionals can do against lazy users. Of course, I am not addressing some of the higher level network-security-in-a-corporate-setting arguments the author makes, but I myself am just an end user, so anything I could say to that would be, well, irrelevant.

An Important Note (2, Insightful)

Effugas (2378) | more than 7 years ago | (#15299715)

In the Summer of 2003, the Internet suffered three major worms: Blaster, Nachi, and SoBig.

We haven't had a worm since. There have been no systemic outbreaks in over three years. Sure, we've had mild rashes, but Zotob vs. Nachi isn't even a comparison, nor is Blaster vs. WMF.

IE attacks are deeply problematic -- they're wonderfully targetable, among other things. But there's really no replacement for zero-interaction, receive-a-packet-and-you're-owned style vulnerabilities. SP2 put a firewall on every desktop that cared. Since then, no worms.

That's not to say we're not fighting a painful battle. Really, every day we get to still bank online is another day I'm surprised. But the fact that SP2 was written, was free, and was actually deployed enough to matter is one hell of a win.

Re:An Important Note (2, Insightful)

Maximum Prophet (716608) | more than 7 years ago | (#15300281)

Gack... That's because those worms were simply malicious. The newer cybercriminal is getting paid for his work, so he's more likely to lie low. Once he's compromised a machine, he doesn't want to get caught by interfering with the owner. Formatting the hard drive, or deleting files is sure to get you noticed. Most of the time these days, users don't know anything is wrong until they have multiple bots on their machine whose combined impact makes their machine impossibly slow.

Take a look at the real world (1)

SmallFurryCreature (593017) | more than 7 years ago | (#15299720)

How many people bother to protect their house UNTIL they been burgled? How much inconvenience are we willing to accept to avoid being mugged. (Camera surveillance, random searches, etc)

In the real world a society has only got to deal with a limited set of criminals. The criminals in that society. Not that many nigerian cat burglars who hop over to europe for a quick breakin (I am not going to touch immigration problems today thank you, it is to hot for a flamewar).

But on the net the society is 6 billion and anyone of them can try to see if you left your window unlocked.

Yes it is sad that in the real world you have to put your bike behind a locked fence and the bike itself locked and chained or be told of by the police for leaving your bike to be stolen in your own garden but that is the way it is.

Either we are willing to pay for massive more police, more restrictive laws and larger jails (and some might say freedom again a subject I am not going to touch today) or we have to live with crime.

We could easily secure our computers and the information they contain but to do so would require a lot more work on our part, remove some easy access as well as require measures against people who leave things open.

Did you know that in the real world the police spends time informing people about house safety? That there are even laws against making theft to easy? That is the reason why all shoes on display outside are either left or right ONLY (I never remember wich). Cause a shopowner that has both outside and gets them stolen will receive very little sympathy from the police.

Yet we keep runnings windows, install every flashing free program we find and open emails that promise us naked pictures.

When the user wants to do insecure stuff there is little you can do to stop them.

A ridiculous article (4, Interesting)

rann (533322) | more than 7 years ago | (#15299726)

I usually don't post but this article is really too much.

In other news, firefighters KEEP fighting fires worldwide! Despite their work, fires seem to keep burning stuff all over the world! Shock!

News at 11! Ambulance personnel and hospital staff are fighting an uphill battle! patients keep coming in! Where does it end?

Seriously, as long as you have people using any mechanism (computer/car/whatever) there will be people who break it, people who benefit from breaking it and people who try their utmost to KEEP it from breaking.

I'm *really* looking forward to the followup article which will tell us all how to "fix" this. Mayhaps a rant on buffer overflows? the virtues of "safe" languages? sane input validation? sigh.

Short Story of Security and Seatbelts (1)

Teacher's Pet (875411) | more than 7 years ago | (#15299736)

a few of the replies are already pointing to the human element. a while back, someone made an information security analogy to the use of seat belts.
it went kinda like this:

- used to be that seat belts did not exist, yet cars could travel pretty fast (40-50mph). back then, if you crashed you pretty much assumed you ate the dash.
- then seat belts were created, but people still ate the dash.
- then belts were required in all cars, but the dash still tasted good.
- then belts were required for use,
- and air bags came out (ha ha).

--> ok. i got no stats, but it's possible that less people eat dash today because of better default "security" settings in cars *and* better use by the users. oh, and some where along the way, drinking and driving was considered bad.

(pretty sure i first saw this example in a presentation by m. ranum)

--
"I promise to be different..."

This makes no sense (5, Insightful)

Mr_Tulip (639140) | more than 7 years ago | (#15299756)

As someone who is responsible in part for network security where I work, I would disagree that we are not doing 'enough'.

The sad reality is that information security is rather hard to achieve in an imperfect environment and without unlimited resources.

To make a bad analogy, it is hard to physically protect your client/employer if they insist on partaking in high-risk pursuits, and the environmaent is harsh and dangerous. Email-header spoofing, bot-nets, vulnerabilities in 3rd part software - these are not under the control of the admin, at least not if you are committed to the Microsoft platform.

The same could be said that a doctor cannot be held responsible for their patients health, if their patient is a chain-smoking, alcoholic base-jumper who rides his a monocycle down the freeway at 100 km/h.

Is it really that hard? (4, Interesting)

Phemur (448472) | more than 7 years ago | (#15299802)

I'm honestly not trying to flame or be sarcastic; I truly don't understand the issue from a user's point of view. My computers have been infected once by spyware in the last 10 years. No viruses, no rootkits, no malware nothing. Since I'm not an information security expert, I don't have l33t skills to help me stay secure, so why have I not been affected?

Seriously, I'm asking. :-)

Here's what my wife and have been doing. We both have computers, and we use it for very different things. Mine is games, programming, internet, and my wife's is for CAD, photoshop, internet.

They're both pretty much setup the same, other than the OS. My wife's runs Windows 2000 and mine runs XP. Both are connected to the Internet via a Linksys wired router. Both run Firefox only as the web browser. The Windows 2000 box runs ZoneAlarm as the firewall, and mine runs Windows firewall. We both use GMail as our email tool.

Other than that, there isn't much security software installed. I don't even have an anti-virus.

I am pretty diligent at applying patches however. Firefox and ZoneAlarm both notify me when a patch is available, so I apply them when they popup. I run Windows update weekly. I also have Adaware and Spybot Search and Destroy that I run weekly as well. Other than the usual ad cookie (Double-Click, etc), they've yet to discover something.

The only problem I've had with machines is with a bit of spyware that got installed. It was one of my wife's first online experiences, and she clicked on something she shouldn't have, AND she was running IE. I ended up reinstalling the OS, and after a very short Firefox tutorial, it was the end of spyware on her computer.

(As an amusing side effect, she's now become quite the advocate for secure online habits and for Firefox. Most of her family and friends are all Firefox users now. Can we get a free T-Shirt :-) ).

So what's the problem? Is it bad habits, or is it really that bad out there?

Phemur

Re:Is it really that hard? (1)

sshutt (785646) | more than 7 years ago | (#15299872)

I'd say its a bit of both theres people with bad habbits and theres alot of viruses worms and trojans out there.
Last year (I dont know if its any better now) if you connected directly to the internet with an unpached unfirewalled system, chances are that you'd have some kind of virus/worm infect your computer within 30 seconds.

It sounds like you have a pretty good set up there though, and some good habits but I'd still recommend getting some free antivirus just in case, not that any of my machines ever find anything, but its extra peice of mind.

Our biggest dificulty is teaching everyone with a computer good practices, so they can protect themselves so we don't have to, but that would put a lot of support staff out of their jobs.

Re:Is it really that hard? (2, Insightful)

mikehilly (653401) | more than 7 years ago | (#15299877)

I do a lot of side work helping people with computer both in a home and office arena....

You and your wife spent some time preparing and getting some type of defense up AND maintaining it. The great majority of people I deal with think that they can install Windows update once and they will be good. Or my favorite, "I have XP (windows) so I don't know what could have gone wrong." People click where they shouldn't click, go where they shouldn't go and do things without thinking.

The only good analogy to help people understand the importance of security updates is vaccines for children. They may have to go back periodically to the Doctor to make sure all their shots are up to date. And if you think of the web as a disease ridden place, then it would make sense to wear some type of protection when you muck through it.

You hit the nail on the head here. Three things are needed for a mostly safe computer experience:

1: Some basic user education (could be the hardest one)

2: Tools like Firefox, AdAware, Windows update, Firewall. Get em, use em.

3: UPDATES!!! what good is a vaccine if it is out of date? Get regular updates for Windows, Firefox, and other tools.

Most people are clueless when it comes to all three.

Re:Is it really that hard? (2, Insightful)

Anonymous Coward | more than 7 years ago | (#15299967)

Don't have kids, do you?

Most security problems do not enter the company through the company firewall/mail gateway. They are *carried* into the building on employees (surprisingly often: managers) laptops. Laptops that are used at home for the kids to play with, browse the web or whatever. Or for the own employees entertainment.

I don't have kids but a while ago I had a friend visit me, together with her 12-year old daughter. We kinda lost track of her whereabouts and found her behind my company laptop (in my study) on MSN or something like that. I run Linux and was logged in as myself, not as root, so the damage that she could have done to the OS was minor, but she got told off anyway. She now knows next time she'll have to ask and she's got her own account now on my private desktop. But how many people will happily let their or other peoples kids use a company laptop while being logged in as Administrator?

Another poster suggested that all laptops should be on a separate network, and I presume he also meant that this network should be firewalled off from the rest of the company network in such a fashion that only the standard applications/protocols are allowed. (Better yet: firewall each laptop off from the other laptops.) Unfortunately, in large companies with a mixed desktop/laptop environment, this is incredibly difficult to achieve.

Ignorance Is Bliss? (5, Insightful)

LanMan04 (790429) | more than 7 years ago | (#15299979)

If you don't have any anti-virus software installed, or at least a scanner, how would you know whether your computer is infected or not? If your machine belongs to a bot net, you probably don't know about it.

To put it another way: Just because you have no symptoms doesn't mean you don't have cancer.

Is this little traffic light on your router blinking 24/7? :)

Not only information security (1)

houghi (78078) | more than 7 years ago | (#15299827)

Also other security. Things are getting stolen Learn to live with it. That does not mean nothing must be done. We must do things, but also realize that things will get stolen, no matter what.

The thing I see is that almost nobody deals with what to do IF things get stolen. I had a talk with somebody and asked him what he would do if he knew that his database was stolen and competistion got hold of it. His answer was: nothing.

Perhaps there lies the problem. People are not being punisched if they do something wrong. They get fired when they watch pr0n at their job, but no real ssue if they use an usnsecure password. Instead the company sues 'the hacker'.

No resposabilty is taken.

Where is our backup? (1, Informative)

Anonymous Coward | more than 7 years ago | (#15299829)

The failings of information security are (99.99% of the time) not the fault of the officers within that department. The lack of management buy-in to support policies is our number one problem. The technical teams (server managers, network support etc) see us as a hinderence which must be battled and argued with (sometimes just for the hell of it) every step of the way. We offer numerous suggestions on how we can integrate our teams and communicate better, and then we're promptly ignored. We offer to help develop secure baseline builds for OS installs and router/switch configs and then are basically told to "get stuffed" by the people in those teams. Management have little to no interest in the concerns we document and supply to them, and even when the issues are taken up the food chain they get sidelined as it is always deemed too much hassle. We invite external vendors in to help us develop a patching procedure and customise our backup processes to suit our environment, then the server admins do something completely different claiming that they don't want to be responsible for maintain the supporting documentation. HR refuse to update their AUP acceptance process because they don't want to manage the overhead, despite us advising them numerous times that if the users have not acknowledged the policies then prosecuting "unauthorised access" under the Computer Misuse Act is made so much more difficult.

US Govt IT security - waste waste waste (1, Informative)

Anonymous Coward | more than 7 years ago | (#15299833)

I work in USG IT - in the dissemination area (websites). We are spending more on IT security paperwork then anything else. Security documentation "C&A" packages are written in the field, rewritten, reviewed at a regional HQ, rewritten, reviewed at a national HQ, rewritten, reviewed by a 3rd party contractor, rewritten, reviewed again at HQ, rewritten, then passed up to the next level of government and the process starts all over again. We are a line office, so there is the bureau layer, then the cabinet agency level before the C&A package goes to GAO for grading.

Bet for every $100 spent on the paperwork, less then $1 is spent actually securing systems. The IT security officer's budget dwarfs the dissemination budget and our information saves lives.

We have more contractors reviewing C&A's then programers creating code to deliver our information. Out of this army of contractors, there is a single USG employee who is an outstanding system security engineer and is someone we can go to for a technical solution. And the line outside this guy's cube is long.

And the joke of it all is after all this review, GAO still gives us a grade of D-.

Re:US Govt IT security - waste waste waste (0)

Anonymous Coward | more than 7 years ago | (#15300243)

Reminds me of a fortune quote I saw on /. the other day:
If you took all the grains of sand on a beach, and laid them in a row, you'd be working for the government!

Failure to adjust to the system. (1, Interesting)

Anonymous Coward | more than 7 years ago | (#15299836)

The problem these security experts have is that they have workmanship pride, and human decency. These things are drawbacks in the capitalist (especially the US) system. It is designed to maximise capital growth. It does not maximise human happiness or the growth of humanity, though a lot of people who benefit from the system to the detriment of others would like you to believe that.

The perfect slave is one that has been convinced that the shackles are for his own good.

Then change it (1)

sl4shd0rk (755837) | more than 7 years ago | (#15299841)

The worst thing you can do when you find yourself in a hole is to keep digging. If you are unhappy with your security infrastructure, then change it. Don't just 'accept' it as 'dismal' because your software vendor pimps that out as your only option. For all I know the person reading this right now has my personal information on their network somewhere, and the only thing between my information and some cracker is a piss poor security decision they've 'accepted'.

Eternal Vigilance (1)

digitaldc (879047) | more than 7 years ago | (#15299848)

Your security is only as good as how thorough your actions are in combating the problem.

Unfortunately, you must protect your data constantly and train your staff accordingly. One weak link can ruin everything.

Most security "pro"s are still tech noobs (1)

BadassJesus (939844) | more than 7 years ago | (#15299853)

We as security professional are drastically failing ourselves, our community and the people we are meant to protect.

Most of them just fish on securityfocus.com and keep all the machines with the latest patches, thats all they can do. They do not have the knowledge or tools to further explore the realm of computing and networking underneath the watched OSses, no way to gain further insight of what is really happening there, they can't ever be sure any data leakeage isn't occuring.

because I.T. Security Pro = scapegoat (3, Insightful)

ManyLostPackets (646646) | more than 7 years ago | (#15299890)

I've specifically decided not to go for any security certs because of hoo-haw attitudes demonstrated in articles like this. As a regular sys-admin, no one listens to my recommendations in the first place, why ratchet up the accountability by being a certified scapegoat?

This article is a riot act equivalent to calling out doctors to take accountability for people who run with scissors.

Noam looking for a job again? (1)

grindcorefan (959282) | more than 7 years ago | (#15299902)

Aha, so Noam Eppel is craving for attention again. What is it he needs this time, then? Job, money, 53x, foot massage?

Or has he finally realised that They Are Out To Get Him(tm)?

His doomsday scenario reminds me of an "interesting" article on uncoclypedia: http://uncyclopedia.org/wiki/Bird_Flu [uncyclopedia.org]

Only, the article on uncoclypedia is funnier...

Not trolling in anyway but . . . (1)

ElephanTS (624421) | more than 7 years ago | (#15299919)

There is no way security can really improve while MS Windows is on the majority of the desktops out there. I'm sure everyone of these security professionals must know this but why kill the golden goose?

This is a failure of capitalism! (0)

Anonymous Coward | more than 7 years ago | (#15299931)

Think of all the money that flows through the world economy because of Crime, this is why crime prevention is usually doublethink. Take the AV companies, how could they be in the business of fixing the virus problem, when they would have no business model without viruses? Neither do Microsoft have any interest in ever fixing windows, especially whilst they can generate additional revenue from anti virus products.

Once you create economic opportunity under this system, you create dependants who will fight to maintain it.

Crime prevention:

Ensuring that society encourages crime and maintains it at levels where people continue to make money.
 
See also: Protection Racket

Won't change anytime soon... (1)

duh_lime (583156) | more than 7 years ago | (#15299955)

Security is HARD when it's architected into a system from the beginning. Security is impossible when it's an afterthought. Translation: The situation will not improve until the the current crop of operating systems, applications, utilities, etc., are completely replaced by attrition with new code that has security at its core and foundation - that was *architected* to be secure. Of course, security architecture needs to start at the top. 99% of what's out there now, if it has any security at all, had security "bolted on" as an afterthough. This problem is not going away anytime soon. I'm not holding my breath. But, in the meantime, I just consider it "job security" and constant triage.

Failure of management (1)

192939495969798999 (58312) | more than 7 years ago | (#15299970)

It's not the failure of the security professionals, it's the failure of management to not respect the wishes of the system security. I can't tell you how many times I've seen a perfectly good security solution just get circumvented by management, or else the security people are fired. If management people took security seriously, rules would not be broken that way.

we are failing? (1)

Abstract_Me (799786) | more than 7 years ago | (#15299977)

how about doing the best job we can with what we are presented. Security can't happen over night and with firms just now starting to hire security professionals we have to go into their business and first geta grasp on their current practises. from there you have to work at changing years of insecure procedures while at the same time working on the security of the tech side with the very little funding you are allocated.

I guess what im asking is are we actually failing at our job? or are we just taking longer to do it then we would like.

Missing the Point (1)

vtcodger (957785) | more than 7 years ago | (#15299996)

Seems to me that most of the responses miss the point. The point is that the computer industry to a very great extent does not know HOW to build a secure system. At least not if the system is hooked up to an external network. And things are, it is asserted, getting worse, not better.

I think the article's case for eventual total security breakdown is a bit overstated, but not wildly so.

The question that we should be asking is ... If current trends continue, ten years from now will we be able to safely connect to the Internet (or any similar network) for any purpose whatsoever? IMHO, That's a really good question.

Securely Stupid (1)

BoredWolf (965951) | more than 7 years ago | (#15300018)

It is time to admit what many security professional already know: We as security professional are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken.
Most of the listed issues are a result of user stupidity. Clicking on banner ads, links in e-mails, porn sites, etc. The real failure lies in user ignorance/stupidity and company infrastructure. The reason we hear so much about identity theft is simply that companies comply with only the minimum standards for encryption and user information security. For this, it is the responsibility of the company to go above and beyond what the government requires, and provide security which might at least pose a challenge to hackers. The best solution for IT professionals is to inform users of the risks posed by their internet usage, and to urge the higher-ups that a more robust security plan helps to foster a sense of trust in customers (maybe they'll buy that). However, I do not feel that it is solely the fault of IT departments for security breaches. To paraphrase Drew McDermott: Artificial Intelligence is no match for Natural Stupidity.

Re:Securely Stupid (0)

Anonymous Coward | more than 7 years ago | (#15300116)

This raises an important point concerning why the article is a bit of scaremongering. Security isn't just the responsibility of The Security Department. After all, you driving the speed limit isn't just the responsbility of the police, is it?

Further, security should never be absolute: it should always be a balancing act between risk and controls. If it wasn't then we would just turn off the Internet and everything would be fixed.

I work for a global company with very good security which has so many third parties on our network that even our competitors have IDs in our Active Directory domain. Its because of all the joint ventures we execute with them and the situation reflects our business deciding that we can use alternative controls to achieve the risk level they want.

I blame the companies and management (1)

denjin (115496) | more than 7 years ago | (#15300064)

I work in an industry that should take security more seriously...

However, we didn't even get any MONEY last year from the budget, and this year I imagine it gets axed as well. No matter how hard we try, things stay in reactive mode. Yes, I suppose it is good that we've done our job well enough to stave off any disaster, but given the pittance we get budget-wise, I doubt this continues forever.

I also doubt I'm alone. We have little to no upper management support, and jobs that should be in security like some VPN, web filtering, malware softare, etc. are in other groups.

It's a bit hard to do your job when people think security doesn't deserve any support, right?

Coincidence? (1)

LaughingCoder (914424) | more than 7 years ago | (#15300096)

So I go to read the article, and I notice my browser window title bar reads:

Security Absurdity.com > Security Absurdity; The Complete, Unquestionable, And Total Failure of - Microsoft Internet Explorer"

Now was this an accident or did the authors deliberately lengthen their article title to make this happen?

salary? (1)

Tom (822) | more than 7 years ago | (#15300108)

Security professionals are enjoying a surge in business and growing salaries

Uh? Since when? Security has been undervalued for years and there are two main reasons why the security of almost every company is shoddy at best: a) not enough budget and b) the human factor (i.e. invent a foolproof system and the world will invent a better fool).

Information Security is impossible (1, Insightful)

Anonymous Coward | more than 7 years ago | (#15300110)

Information Risk Managers didn't fail; their profession matured to the point that they realized that there is no such thing as "Security" and attempting to secure information from all commers is doomed to failure. The goal of our profession is "Risk Management" which involves:

Identifying what is at risk.
Identifying the threats to the assets.
Assisting the business assign value to those assets. (Yes the business and not the Security prof. is end decider on value)
Analizing the risk to those assets from identified threats
Assitsting the business in a risk assessment.

Information Risks are just that Risks. Business have been making decisions around business risks for ages and the successful ones stay in business. Nothing new here move along move along.

If you still think you can provide "Security" then you are indeed a failure; however, with some new training and a slight ego reduction you can start over as a Information Risk Manager.

Failure of security professionals? (1)

frankencat (946892) | more than 7 years ago | (#15300129)

As an IT professional and someone responsible for systems all over the US I must emphatically say - BULLHONKERS.

The elephant in the room (5, Insightful)

stinky wizzleteats (552063) | more than 7 years ago | (#15300163)

If you ask a building design engineer to tell you the most important part of a building, they'll say the foundation. If you ask a historian to tell you the most important part of the U.S. government, they'll say the Constitution. Aircraft - airframe. Car - chassis. And so on.

When you build anything, you make certain fundamental underlying decisions that affect how the rest of the system works - forever. If something is fundamentally broken about any of these core decisions, the structure will be irreparably and irrecoverably broken. It is universally understood that you can't really fix a building with a flawed foundation or a ship with a broken keel. If those parts aren't right, nothing else matters.

In the 1990s, the world decided to base virtually all computer systems upon an operating system designed by Microsoft. Systems were changing radically over the span of months. Millions of dollars in computer investment could be rendered completely useless if the computer world changed direction. The panic led to sort of a terrified groupthink - we had to make sure we were on the garden path to computer goodness as soon as possible. We didn't choose Microsoft because it was better, or because it was secure, but because in 1992, it looked like the only thing that would work. Now, in 2006, we know (as will be attested by the numerous Microsoft astroturfers who will undoubtedly respond to this posting) that you really can use any operating system to get the job done. The fear of total obsolescence has turned out to be unfounded. We had more of a choice in 1992 than we really thought.

The question is not whether or not we made the right choice. It is rather how far the fragments of the ship have to sink before we decide to abandon it. How much of the building has to collapse before we evacuate it? How many wheels have to fall off of the car before we pull over and call for a tow truck? The thing we most feared back in the 90s - total system failure for making the wrong crucial underlying choices, is happening every single day. When will we wake up and respond accordingly?

Do as I say not as I do (0)

Anonymous Coward | more than 7 years ago | (#15300222)

From TFA:
Security is a full time job which requires hiring skillful and dedicated security professionals and purchasing a deluge of costly technology systems and devices.

If only the management and "IT" dept at my place of work could be convinced of this fact. A security professional, with a useful budget could have a field day in finding issues here - hell, I could show them a few myself.

Despite having been told that various passwords are insecure, said passwords still haven't been changed "because it is easier". This is even the case where such passwords do not even conform to their OWN password and computer security documentation. Or where the method of implementation is poor - not enabling shadow passwording, having max significant characters of 8 on a linux box, using telnet for logins oven the LAN rather than ssh, lack of coherent security policy for laptops until about last year, etc, etc.

You can lead a horse (yourself) to water, but you cannot make them (yourself) drink.

sigh troll story (0)

Anonymous Coward | more than 7 years ago | (#15300291)

since when is this news, this is repeating what weve already known since windows 95.....
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...