Stories
Slash Boxes
Comments

SoylentNews is people

posted by on Wednesday February 15 2017, @10:08AM   Printer-friendly
from the because-they're-more-determined dept.

Society is operating under the illusion that governments and corporations are taking rational choices about computer security, but the fact of the matter is that we're drowning under a sea of false positive, bad management, and a false belief in the power of technology to save us.

"The government is very reactive," said Jason Truppi, director of endpoint detection and response at security firm Tanium and a former FBI investigator. "Over time we've learned it wasn't working - just being reactive, not proactive."

Truppi said we need to puncture the belief that government and industry are working together to solve online threats. In reality, he says, the commercial sector and government are working to very different agendas and the result is a hopeless mishmash of confusing loyalties.

On threat intelligence sharing, for example, the government encourages business to share news of vulnerabilities. But the subsequent investigations can be wide-ranging and lead to business' people being charged for unrelated matters. A result companies are increasingly unwilling to share data if it exposes them to wider risks.

The fact of the matter is that companies don't get their own infosec problems and don't care that much. Truppi, who has now moved to the commercial sector, said that companies are still trying to hire good network security people, but bog them down in useless false alerts and management panics.

-- submitted from IRC


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Informative) by Arik on Wednesday February 15 2017, @01:57PM

    by Arik (4543) on Wednesday February 15 2017, @01:57PM (#467378) Journal
    It's number 2. PCI compliance is a minimum checklist sort of a thing, the main purpose is to shield you from liability when you get pwned, not to prevent the pwning.

    Computer security was awful when I started in the 80s but it's just gotten even more awful every year. At this point so much of our basic infrastructure is so fundamentally insecure that security is essentially impossible without scrapping it and starting over.

    --
    If laughter is the best medicine, who are the best doctors?
    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Wednesday February 15 2017, @01:59PM

    by Anonymous Coward on Wednesday February 15 2017, @01:59PM (#467379)

    You've got to be on all kinds of terrible drugs if you believe computer security is worse now than in the 80's. Sure, there are a lot more hackers and penetrations, but they would have had a hell of a lot easier time in the 80's.

    • (Score: 4, Informative) by Justin Case on Wednesday February 15 2017, @02:06PM

      by Justin Case (4239) on Wednesday February 15 2017, @02:06PM (#467382) Journal

      Hardware was not pwned from the factory in the 80s.

      Hardware was not locked against the ostensible owner in the 80s.

      Every organization ending in .com or .gov was not obsessed with monitoring you 24/7 in the 80s.

      Yeah, it's worse. I'd go so far as to say it is now impossible to build a trusted computing base [wikipedia.org].

      In other words, you can no longer trust computers to keep secrets or handle your money. So just stop doing that OK?

    • (Score: 2, Insightful) by WillR on Wednesday February 15 2017, @02:19PM

      by WillR (2012) on Wednesday February 15 2017, @02:19PM (#467384)
      Security was worse, but less important stuff was networked in the 80s. They wouldn't have gotten millions of credit card numbers hacking Target in the era of mechanical "ka-chunk ka-chunk" credit card machines.
  • (Score: 2) by butthurt on Wednesday February 15 2017, @03:41PM

    by butthurt (6141) on Wednesday February 15 2017, @03:41PM (#467415) Journal

    In a lawsuit, banks claimed that Target was "likely" (quoting from the American Banker story) not PCI compliant. The banks sought damages from both Target and its PCI auditor, Trustwave.

    https://www.americanbanker.com/news/banks-sue-security-vendor-trustwave-after-target-data-breach [americanbanker.com]
    http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936 [darkreading.com]