SoylentNews is people
SoylentNews
Society is operating under the illusion that governments and corporations are taking rational choices about computer security, but the fact of the matter is that we're drowning under a sea of false positive, bad management, and a false belief in the power of technology to save us.
"The government is very reactive," said Jason Truppi, director of endpoint detection and response at security firm Tanium and a former FBI investigator. "Over time we've learned it wasn't working - just being reactive, not proactive."
Truppi said we need to puncture the belief that government and industry are working together to solve online threats. In reality, he says, the commercial sector and government are working to very different agendas and the result is a hopeless mishmash of confusing loyalties.
On threat intelligence sharing, for example, the government encourages business to share news of vulnerabilities. But the subsequent investigations can be wide-ranging and lead to business' people being charged for unrelated matters. A result companies are increasingly unwilling to share data if it exposes them to wider risks.
The fact of the matter is that companies don't get their own infosec problems and don't care that much. Truppi, who has now moved to the commercial sector, said that companies are still trying to hire good network security people, but bog them down in useless false alerts and management panics.
-- submitted from IRC
(Score: 2, Interesting) by cpghost on Wednesday February 15 2017, @01:07PM
As someone working in IT security, all I can say is that it ultimately boils down to the Man's mistakes and general greed, i.e. bean counters trying to save money when it comes to securing IT infrastructure and putting in sane security procedures and protocols in the organization. Because, hey, security comes at a price: it costs money, time, dedication, and you need to train all your personnel (IT and others) regularly in the procedures they need to apply. It's not just a one-time investment, and then all is well for the next 5 to 15 years. Oh no! The threat model evolves, people come and go, and technology is being replaced (or not!) at a rate that doesn't keep up with the hackers' skills out there. Interestingly though, hackers' skills have dropped in recent years too: Even though they have more potent tools at hand, they seem less sharp witted than they used to be some 10 years ago. But when they are, i.e. when you are up against a (foreign or domestic) Government-sponsored adversary, you better be very well prepared. So, we'll see...
Cordula's Web. http://www.cordula.ws/
(Score: 0) by Anonymous Coward on Wednesday February 15 2017, @02:51PM
I would add though that it also comes down to fundamental equipment and protocol design. The first generations of computers, from an abacus to the Enigma machines (and, ironically, the computers designed to break them,) never had designed security as the primary design function. (Yes, even Enigma - which was often cracked because the system was designed in a way that let the code setting officers *be* lazy and rely on the same steckers, simple wheel settings, and other easy-to-make operational errors. Including redundant transmission by broken systems which led to cracking that day's enigma traffic.) Many of the protocols we rely upon (email, SMS,) were never thought of as needing encryption, so encryption when it exists is bolted on rather than baked in. Computers are insecure by deisgn.
If we wanted security first and foremost in computing operations, we could achieve it. It would not be as difficult or expensive as people think. But it would be *inconvenient.* And that is the watchword that kills the whole thing. Who wants security at the cost of adding an extra minute before you see your text? What business relying on ad revenue will funnel *all* ad traffic first to their server then pass it to the end requestor when it is easy to cross-site script?
Thus, it would rely upon the architects of such a system to make it mandatory. And then hope it can compete, but for the most part the only people who would be interested in the additional burdens are those who have been burned by the fire already. It's far easier and economical to take the hits and continue with a half-assed approach.
(Score: 2) by HiThere on Wednesday February 15 2017, @08:13PM
I think that when you say the hacker's skills have dropped, you are making a false assessment. It's easier for poorly skilled hackers to make an attack, so the base of the population has broadened (i.e., weaker skills), but the skills of those at the top levels are probably higher...they just don't seek attention as they used to. In the early days they often almost advertised who they were (though does anyone know who wrote the cookie monster?). The level of humor has dropped considerably as the profitability has increased.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by sjames on Wednesday February 15 2017, @08:50PM
I'm not so sure the hacker's skills have dropped so much as their objectives have changed. There are still those few there have always been who do it for the challenge and don't stip until they figure it out. Their numbers are now swamped by those who are looking for quick financial gain and so will quickly pass over a network that shows any significant resistance because they know there's plenty more that will be easier. For them it's not about beating the challenge, it's a numbers game where there's too much low hanging fruit out there for them to make a concerted effort worthwhile.