Stories
Slash Boxes
Comments

SoylentNews is people

posted by on Wednesday February 15 2017, @10:08AM   Printer-friendly
from the because-they're-more-determined dept.

Society is operating under the illusion that governments and corporations are taking rational choices about computer security, but the fact of the matter is that we're drowning under a sea of false positive, bad management, and a false belief in the power of technology to save us.

"The government is very reactive," said Jason Truppi, director of endpoint detection and response at security firm Tanium and a former FBI investigator. "Over time we've learned it wasn't working - just being reactive, not proactive."

Truppi said we need to puncture the belief that government and industry are working together to solve online threats. In reality, he says, the commercial sector and government are working to very different agendas and the result is a hopeless mishmash of confusing loyalties.

On threat intelligence sharing, for example, the government encourages business to share news of vulnerabilities. But the subsequent investigations can be wide-ranging and lead to business' people being charged for unrelated matters. A result companies are increasingly unwilling to share data if it exposes them to wider risks.

The fact of the matter is that companies don't get their own infosec problems and don't care that much. Truppi, who has now moved to the commercial sector, said that companies are still trying to hire good network security people, but bog them down in useless false alerts and management panics.

-- submitted from IRC


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Insightful) by Thexalon on Wednesday February 15 2017, @02:36PM

    by Thexalon (636) on Wednesday February 15 2017, @02:36PM (#467391)

    I've worked a lot on online billing systems.

    It is completely true that PCI-DSS does not guarantee that your system is secure.

    However, it's also true that *not* following PCI-DSS pretty well guarantees that your system is insecure. I've encountered these kinds of things in the wild, mostly because I tend to get hired after they've been caught with a broken system, and almost invariably I can easily get access to things I shouldn't be able to access. Including things that the companies in question shouldn't even be storing, like CVV2.

    If you go through the PCI-DSS checklist and take it seriously, you will end up with a much more secure system than if you go through the PCI-DSS checklist and try to cut corners. Unfortunately, like everything else in business, the instinct of most business-people is to cut corners.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 3, Interesting) by Kromagv0 on Wednesday February 15 2017, @03:08PM

    by Kromagv0 (1825) on Wednesday February 15 2017, @03:08PM (#467401) Homepage

    I just take issue with PCI DSS because I find it to be pretty lax but then I end up having to deal with the NERC CIP standards which go well beyond PCI DSS. I view PCI DSS as basically being the bare minimum that one should do and wouldn't mind if companies that don't at least adhere to it be held criminally negligent when a hack occurs. Also PCI DSS seems to have been written by people in management and accounting and seems geared to that mindset. I also take issue with NERC CIP for much the same reason as I find it doesn't go far enough but there is a lot of inertia to keep doing things the way they have been done in the past. So I keep pushing and gradually things changes even if not as fast as I would like. Also having worked with NERC CIP auditors I have been trying to influence them towards the more strict interpretations.

    --
    T-Shirts and bumper stickers [zazzle.com] to offend someone