
posted on Wednesday February 15 2017, @10:08AM
from the because-they're-more-determined dept.

Society is operating under the illusion that governments and corporations are making rational choices about computer security, but the fact of the matter is that we're drowning under a sea of false positives, bad management, and a false belief in the power of technology to save us.

"The government is very reactive," said Jason Truppi, director of endpoint detection and response at security firm Tanium and a former FBI investigator. "Over time we've learned it wasn't working - just being reactive, not proactive."

Truppi said we need to puncture the belief that government and industry are working together to solve online threats. In reality, he says, the commercial sector and government are working to very different agendas and the result is a hopeless mishmash of confusing loyalties.

On threat intelligence sharing, for example, the government encourages business to share news of vulnerabilities. But the subsequent investigations can be wide-ranging and lead to businesses' people being charged for unrelated matters. As a result, companies are increasingly unwilling to share data if it exposes them to wider risks.

The fact of the matter is that companies don't get their own infosec problems and don't care that much. Truppi, who has now moved to the commercial sector, said that companies are still trying to hire good network security people, but bog them down in useless false alerts and management panics.

-- submitted from IRC

  • (Score: 4, Interesting) by Justin Case on Wednesday February 15 2017, @12:20PM

    by Justin Case (4239) on Wednesday February 15 2017, @12:20PM (#467347) Journal

    The hackers are winning because they know how to write code.

    Look at the massive efforts to "secure" stuff (an impossible goal). They are based around compliance. Take PCI for example (the payment card "security" standard). It was in place well before Target was hacked to the tune of 100 million or so credit cards. So either:

    1. Target was not PCI compliant, but they were allowed to continue processing credit cards anyway, or

    2. Target was PCI compliant, which is worth approximately one pantsload when you come up against real hackers who are testing your systems, not your paperwork.

    It is just like the well known gap in software development between the specs, the manuals, and the code. When the paper and the code disagree, the code wins. The code dictates what will actually happen. The paper is a mountain of wishful thinking.

    We are fighting hackers with paper. Stupid!

  • (Score: 5, Interesting) by Kromagv0 on Wednesday February 15 2017, @01:48PM

    by Kromagv0 (1825) on Wednesday February 15 2017, @01:48PM (#467373) Homepage

    When it comes to Target I would bet that they were PCI DSS [pcisecuritystandards.org] compliant. When one reads about what happened [zdnet.com] it becomes clear that being PCI DSS compliant doesn't stop this type of attack. When you hop from the HVAC system to servers to PoS terminals and grab the credit card info as it is being read, as in this case, there were clear security issues that are not addressed by PCI DSS. Furthermore even though Target did have a NIDS [wikipedia.org] it didn't provide the security necessary as it was generating tons of false positives so the actual alerts about the attack got lost in the noise. The Target breach is a good case study in how any number of simple steps could have prevented the attack. Such as:

    1. Disallowing remote access to the HVAC system and changing the default password (the entry point of the attack)

    2. Proper network segmentation to keep things like the HVAC and public WiFi, PoS terminals, and back end servers separated

    3. Proper network firewall rules to prevent strange traffic from going between different network segments

    4. Proper host based firewall rules to prevent machines accepting connections from or making connections to hosts they aren't supposed to talk to

    5. A HIDS tool to detect when things change

    Likely any one of those actions would have stopped the attack. I have long maintained that PCI DSS is a rather big joke for a security standard as it is mostly just paper documentation but there are some good standards [nerc.com], guidelines [energy.gov], and benchmarks [cisecurity.org] available that when implemented provide a good start for how to stop and prevent attacks. If one would prefer there are always government [nist.gov] provided [osd.mil] ones [nist.gov] as well. It isn't like we were talking about a state actor carrying out an attack on December 23, 2015 against a power grid [sans.org].

    --
    T-Shirts and bumper stickers [zazzle.com] to offend someone
    • (Score: 3, Insightful) by Thexalon on Wednesday February 15 2017, @02:36PM

      by Thexalon (636) on Wednesday February 15 2017, @02:36PM (#467391)

      I've worked a lot on online billing systems.

      It is completely true that PCI-DSS does not guarantee that your system is secure.

      However, it's also true that *not* following PCI-DSS pretty well guarantees that your system is insecure. I've encountered these kinds of things in the wild, mostly because I tend to get hired after they've been caught with a broken system, and almost invariably I can easily get access to things I shouldn't be able to access. Including things that the companies in question shouldn't even be storing, like CVV2.

      If you go through the PCI-DSS checklist and take it seriously, you will end up with a much more secure system than if you go through the PCI-DSS checklist and try to cut corners. Unfortunately, like everything else in business, the instinct of most business-people is to cut corners.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 3, Interesting) by Kromagv0 on Wednesday February 15 2017, @03:08PM

        by Kromagv0 (1825) on Wednesday February 15 2017, @03:08PM (#467401) Homepage

        I just take issue with PCI DSS because I find it to be pretty lax but then I end up having to deal with the NERC CIP standards which go well beyond PCI DSS. I view PCI DSS as basically being the bare minimum that one should do and wouldn't mind if companies that don't at least adhere to it were held criminally negligent when a hack occurs. Also PCI DSS seems to have been written by people in management and accounting and seems geared to that mindset. I also take issue with NERC CIP for much the same reason as I find it doesn't go far enough but there is a lot of inertia to keep doing things the way they have been done in the past. So I keep pushing and gradually things change even if not as fast as I would like. Also having worked with NERC CIP auditors I have been trying to influence them towards the more strict interpretations.

        --
        T-Shirts and bumper stickers [zazzle.com] to offend someone
    • (Score: 2) by captain normal on Wednesday February 15 2017, @05:33PM

      by captain normal (2205) on Wednesday February 15 2017, @05:33PM (#467470)

      Bingo! The IoT is a really big concern. In fact if you actually RTFA, the big warning at the end is a coming IoT botnet "that could take down the internet for serious periods of time."

      --
      "Everyone is entitled to his own opinion, but not to his own facts" --Daniel Patrick Moynihan
    • (Score: 2) by sjames on Wednesday February 15 2017, @08:03PM

      by sjames (2882) on Wednesday February 15 2017, @08:03PM (#467572) Journal

      Item 1 would have been problematic since the attackers got into the HVAC via the company that services their HVAC. However, item 2 (bolstered by 3) would have stopped the attack cold. Likewise 4 and 5, which would stop a few other types of attack as well.

      For belt and suspenders, I would add active reporting of martians on each vlan so any failure to accomplish your steps 2 and 3 can be detected and fixed. Running something like arpwatch would also be helpful. The catch is, it requires having people who actually know what arp is in detail. For that matter, the first suggestion requires actually knowing enough about each vlan and IP to know if it belongs there or not. It's surprising how many organizations have no idea who uses what IP or even what IP ranges are supposed to be in use.

      Among other things, I do network security evaluations. You might be shocked at how hard it is for some places to come up with a list of their internal IP ranges and (more scary) a list of those that might involve life critical functions that need to be handled carefully.
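A worked version of the per-VLAN "martian" reporting and arpwatch-style monitoring described above, added here as an example; it is not code from the post or from arpwatch itself. The VLAN address plan, the observed (vlan, ip, mac) records and the last-known inventory are all constructed for the example; a real deployment would feed it from a SPAN port or switch ARP tables and its IPAM.

```python
import ipaddress

# Constructed address plan: which prefixes are supposed to live on each VLAN.
# Any source address seen on a VLAN outside its plan is a "martian" and a sign
# that segmentation or inter-VLAN firewall rules (steps 2 and 3) have failed.
VLAN_PLAN = {
    10: [ipaddress.ip_network("10.10.0.0/24")],   # HVAC / building control
    20: [ipaddress.ip_network("10.20.0.0/24")],   # PoS terminals
    30: [ipaddress.ip_network("10.30.0.0/24")],   # back-end servers
}

# Constructed observations, as an ARP sniffer on each VLAN would record them.
SAMPLE = [
    (10, "10.10.0.5", "00:11:22:33:44:01"),   # HVAC controller, where expected
    (20, "10.20.0.7", "00:11:22:33:44:02"),   # PoS terminal, not yet in inventory
    (20, "10.30.0.9", "00:11:22:33:44:03"),   # server address on the PoS VLAN: martian
    (30, "10.30.0.9", "de:ad:be:ef:00:03"),   # known IP answering from a new MAC
]

# Constructed last-accepted inventory: ip -> mac (what arpwatch keeps in its db).
KNOWN = {"10.10.0.5": "00:11:22:33:44:01", "10.30.0.9": "00:11:22:33:44:03"}


def find_martians(observations, plan=VLAN_PLAN):
    """Return (vlan, ip, mac) records whose IP does not belong on that VLAN.
    A VLAN missing from the plan is treated as allowing nothing, so unknown
    VLANs surface too instead of being silently accepted."""
    martians = []
    for vlan, ip, mac in observations:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in plan.get(vlan, [])):
            martians.append((vlan, ip, mac))
    return martians


def arpwatch_check(observations, known):
    """arpwatch-style station tracking: report IPs never seen before ("new
    station") and IPs whose MAC differs from the inventory ("flip flop")."""
    flips, new = [], []
    for _, ip, mac in observations:
        prev = known.get(ip)
        if prev is None:
            new.append((ip, mac))
        elif prev != mac:
            flips.append((ip, prev, mac))
    return flips, new


if __name__ == "__main__":
    print("martians:", find_martians(SAMPLE))
    print("flips/new:", arpwatch_check(SAMPLE, KNOWN))
```

Both checks only work once the site can actually produce the plan and inventory, which is the point made above about knowing which ranges belong where.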

      • (Score: 2) by Kromagv0 on Thursday February 16 2017, @05:27PM

        by Kromagv0 (1825) on Thursday February 16 2017, @05:27PM (#467887) Homepage

        There are a lot of other tools and technologies that could have helped stop the attack. The items I listed were ones that are all pretty basic and should have been done anyway but either weren't or were so poorly done (their NIDS for example) as to be completely worthless and were there just as a checkbox item not configured.

        I do security audits, pen tests, as well as other evaluations and have experienced exactly what you mention. Nothing beats asking a customer what some device is, having them not know, finding the switch it is connected to and following a wire off to some long forgotten device. Found a number of old tape backup devices that way at various locations, some old servers, people who had rogue access points, etc. I do like it when the owner puts a post-it with their name on the access point as I'm sure it makes life miserable for them after that.

        --
        T-Shirts and bumper stickers [zazzle.com] to offend someone
  • (Score: 2, Informative) by Arik on Wednesday February 15 2017, @01:57PM

    by Arik (4543) on Wednesday February 15 2017, @01:57PM (#467378) Journal
    It's number 2. PCI compliance is a minimum checklist sort of a thing, the main purpose is to shield you from liability when you get pwned, not to prevent the pwning.

    Computer security was awful when I started in the 80s but it's just gotten even more awful every year. At this point so much of our basic infrastructure is so fundamentally insecure that security is essentially impossible without scrapping it and starting over.

    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 0) by Anonymous Coward on Wednesday February 15 2017, @01:59PM

      by Anonymous Coward on Wednesday February 15 2017, @01:59PM (#467379)

      You've got to be on all kinds of terrible drugs if you believe computer security is worse now than in the 80's. Sure, there are a lot more hackers and penetrations, but they would have had a hell of a lot easier time in the 80's.

      • (Score: 4, Informative) by Justin Case on Wednesday February 15 2017, @02:06PM

        by Justin Case (4239) on Wednesday February 15 2017, @02:06PM (#467382) Journal

        Hardware was not pwned from the factory in the 80s.

        Hardware was not locked against the ostensible owner in the 80s.

        Every organization ending in .com or .gov was not obsessed with monitoring you 24/7 in the 80s.

        Yeah, it's worse. I'd go so far as to say it is now impossible to build a trusted computing base [wikipedia.org].

        In other words, you can no longer trust computers to keep secrets or handle your money. So just stop doing that OK?

      • (Score: 2, Insightful) by WillR on Wednesday February 15 2017, @02:19PM

        by WillR (2012) on Wednesday February 15 2017, @02:19PM (#467384)
        Security was worse, but less important stuff was networked in the 80s. They wouldn't have gotten millions of credit card numbers hacking Target in the era of mechanical "ka-chunk ka-chunk" credit card machines.
    • (Score: 2) by butthurt on Wednesday February 15 2017, @03:41PM

      by butthurt (6141) on Wednesday February 15 2017, @03:41PM (#467415) Journal

      In a lawsuit, banks claimed that Target was "likely" (quoting from the American Banker story) not PCI compliant. The banks sought damages from both Target and its PCI auditor, Trustwave.

      https://www.americanbanker.com/news/banks-sue-security-vendor-trustwave-after-target-data-breach [americanbanker.com]
      http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936 [darkreading.com]

  • (Score: 2) by VLM on Wednesday February 15 2017, @02:37PM

    by VLM (445) on Wednesday February 15 2017, @02:37PM (#467392)

    My experience with PCIDSS and ISO9000 of all things, indicate that the small subset of things that work, can operate under PCIDSS or ISO9000 although a lot of incredible dysfunction can also exist under those two. What does not exist under PCIDSS or ISO9000 is one level of management telling the other they're doin it wrong and they're fired, it's pure paperwork CYA for the management level. It doesn't guarantee operations is doing anything correctly, but it doesn't get in the way of operations. In REALLY toxic working environments, management will in fact get in the way of doin it right, which makes me LOL at companies that brag about how PCIDSS or ISO9000 really turned them around because they're basically saying they were/are managed by complete morons and the only reason they're still afloat is something along the lines of those moron warning signs "do not stick dick in operating lawnmower". I mean, half of management is below the median... sadly there are people that NEED warning signs like that, or ISO9000, or PCIDSS. They don't guarantee success, but they do block some remarkably dumb forms of failure.

    In an evolutionary view, they're bad, because they're keeping valuable capital and labor locked up under people too dumb to intelligently use them. Those places only alive due to PCIDSS or ISO9000 should get sued out of business so more intelligently run companies which don't need the training wheels can use the limited resources. So in that way PCIDSS and ISO9000 pretty much suck.

    Actually they're very much like having a union, in that if you don't need the union they're just wasting time and money, and if you do need the union, that workplace must suck ass so GTFO if at all possible in which case you're back to not needing a union. The reason why unions still exist is the old saying about 50% of managers are below median performers and those folks need professional guidance, in the form of an active organized union.

  • (Score: 2) by WillR on Wednesday February 15 2017, @03:39PM

    by WillR (2012) on Wednesday February 15 2017, @03:39PM (#467413)
    It's more general than just hackers vs government. There are certain types of people ("techies") who observe how a system works and then use it the way it really works, ignoring parts of the documentation that don't match what's really happening, and other people ("bean counters") for whom the documentation is the authority, and if the documentation says the system does X, Y, and Z and complies with the applicable laws and best practices, then it does.