Who's going to dig you out of a security hole when the time comes?

Friday 2nd June 2017 16:14 GMT Anonymous Coward

Welcome to overregulation

"Am I alone in thinking that these latter items are what we system and network administrators have been doing for years?"

No, but the main difference (the way I see it) is that you had a healthy dose of common sense. Which is something that seems to be rapidly declining these days. Back in the days you had people who knew what they were doing. New admins would get into a new environment, have the patience to learn how this environment worked and study the whole thing and then (and only then) would come up with ways in which they thought the whole thing could be improved. That's how you can grow and evolve.

These days the mindset is much more self-centered. You know best because you got a paper saying you studied. Therefor when you get into a new environment you know all there is to it and will tell everyone how bad the whole thing is because it didn't meet your expectations. Because obviously you know best.

Cool job winning that paper, but it hasn't taught you shit about how things work in the real world. You know: where people are trying to make money and keep things working in the most optimal way.

Yet I get the impression that it is because of nutjobs like that why people stick to dry regulation these days. At least that way you can somehow control the damage, hold people accountable for screw ups a whole lot easier ("you didn't follow procedure") and also help keep those nutjobs I talked about in line.

Of course you're also hindering that evolve part which I mentioned earlier, but many larger companies couldn't give less about that. Which, in my opinion, is their loss. Because over-regulation (as I tend to call it) can also seriously demotivate.

8 0 Reply
1. Friday 2nd June 2017 22:22 GMT macjules
  
  Re: Welcome to overregulation
  
  100% correct.
  
  "you didn't follow procedure" is the new bleat of the standards-compliance nazi with an MSc in Project Management, an approximate (approximate = 'I know where the site is') 'knowledge of Jira and an uncanny ability to disobey every single law of project management and development.
  
  Said junior PM will happily disregard every single rule of software development (the big one being NEVER EVER launch on a Friday) and order devs to forfeit their required pissup and spend the evening hunting down that single stray space in a mountain of AngularJS code .. you know, the one that returns a gulp error every time.
  
  3 0 Reply
  1. This post has been deleted by its author
Friday 2nd June 2017 22:33 GMT c1ue

IT isn't Information Security

Some security functions can be performed by traditional IT types, but I think it is more than a little presumptuous to say that security is just a function of IT.

IT's job is to connect and enable.

Security's job is to prevent unnecessary connections and disable dangerous capabilities.

But even beyond the core mindset differences, good information security needs to be a lot more aware of the business impacts of systems: interruption, theft, or otherwise.

IT can say we need more capacity for storage, compute, whatever because there are concrete usage measurements and trends - that approach fails miserably when attempted with security since successful security is, by definition, an absence.

Then there's the specific subject matter expertise: are all IT admins expert in network forensics and security? Endpoint forensics and security? Incident response? Malware analysis? Forensic acquisition and chain of custody?

It is quite clear the author believes his capabilities in IT, but it seems far less clear these IT capabilities apply to information security or that said author is credible in dismissing information security skills and needs as mere branches of IT.

1 2 Reply
1. Sunday 4th June 2017 17:11 GMT Doctor Syntax
  
  Re: IT isn't Information Security
  
  "IT's job is to connect and enable.
  
  Security's job is to prevent unnecessary connections and disable dangerous capabilities."
  
  I tend to think of security of the ratio of the ease with which the intended users can connect and be able to use the facilities to the ease of the bad guys to do the same. In other words it's not useful to lock the bad guys out by locking everyone out.
  
  I can't see how this idea can be applied without making security, or at least IT security, part of IT. The security guard in reception is SEP, of course.
  
  0 0 Reply
  1. Friday 16th June 2017 08:13 GMT returnofthemus
    
    Re: IT isn't Information Security
    
    CORRECT!
    
    Information Security is everyones' responsibility
    
    0 0 Reply
Sunday 4th June 2017 06:00 GMT John Smith 19

" skilling up your internal team and obtaining a hand-over "

The mad fool

All PHB know that if you pay to give staff new skills they will leave for a better job.

That's one of the defining characteristics of a PHB.

As opposed to real managers, who understand that in IT change is a fact of life.

1 0 Reply
Sunday 4th June 2017 20:28 GMT Brian Miller

Sleeping guard dogs

You’ll also not have missed that the attackers’ capabilities are far ahead of those of us trying to defend our systems against them.

You know what I've found in a number of installations? The "guard dogs" are fast asleep, and their own computers are filled with so much malware it just isn't funny. They've been spending their days not in diligent work, but hanging around and surfing the web, wherever it may lead. Like porn.

One manufacturer of large earth moving equipment had a network so full of crap, and an IT staff so lame, that they would not allow us to send a computer to them unless it was already running a firewall and virus scanner. Anything that was unprotected in the least would be p0wned within seconds of being plugged into the network.

There's an article about the insecure Hadoop servers making 5PB of data available for all comers. WTF?? Why does noone secure their databases? Are passwords so difficult? Are good firewall rules so confusing?

The attackers are not ahead of us. Flat out, they aren't. Too many installations aren't even practicing any security. There is no training of the staff about what they should do about attachments, and verifying possible phishing information in emails. To many idiots are completely irresponsible about their actions, and they pretend to be the hapless victim. Sorry, no. If there were licenses mandated to operate computers, 90% of the punters out there wouldn't receive one.

2 0 Reply
Monday 5th June 2017 07:54 GMT Anonymous Coward

Who's going to dig you out of a security hole when the time comes?

I'd rather not be in the security hole in the first place. So I avoid all Microsoft products.

0 0 Reply
Monday 5th June 2017 08:11 GMT Anonymous Coward

There was a brilliant comment on The Reg a while back...

There was a brilliant comment on a Reg forum a while back - alas not made by me - that software was essentially finished some years back: we'd got all the functionality we really needed, we'd got the speed, we'd got the reliability. So everything added now has been simply gilding the lily, and software is generally getting worse as a result. I'm definitely seeing this in the Apple ecosystem. The same is happening with Windows, except the peak was never that high.

Added to this: a generation of very experienced developers who started at the beginning of the PC revolution - so they know the history, they know the pitfalls, they remember what it was like to code when efficiency, correctness and cleanliness really mattered - are now retiring, or being forcibly retired to be replaced by cheap off-shore code monkeys. And the code they produce is horrible. Agile methodologies just encourage this approach, penalising time spent on careful thinking, and rewarding the fast developers - who are often fast because they eschew error handing, or good design - by letting them win the delivery race.

Quality is a now thing of the past. Understanding the basics of building a reliable system is seen as pointless knowledge - just download more Javascript libraries, just grab something open source. That'll do.

0 0 Reply
Monday 5th June 2017 13:48 GMT Tom Paine

So if we dig out our copy of the ISO 27001 standard we read stuff like:

Backup copies of information, software and system images shall be taken and tested regularly.

The use of resources shall be monitored, tuned and projections made of future capacity requirements.

I've worked on ISO certs but I don't think I've ever seen the very expensive official documentation. I thought it was completely unprescriptive about what controls are needed, and says that should flow from your risk assessments? That's why I've always preferred NIST SP 800/53 with it's nice long list of controls...

0 0 Reply
Monday 5th June 2017 20:01 GMT DCFusor

Backups that work

Yeah, right. It's been said most never test them, an I believe there's a reason other than just lazy incompetence. Remember, it used to be that even most large systems had scheduled downtime - maybe every night, even (yes, I was a field service guy for mainframes...been there, know that).

So, you want to be the guy who finds out the restore borks the "has to work 100% of the time system" and costs the company X% of their yearly profit - perhaps all of it - while you scramble to make it actually really work right?

With complex dependencies we've recently seen revealed - some of which were introduced without realizing it (dyndns, BA, many DDOS, you name it, we're seeing it's not just "hit reset") - and as the current article in DevOps (believe me, that is NOT my religion) mentions - guy is instantly fired for messing up the corporate DB points out - this is not a low risk for the person who insists on testing backups - used to be merely a groaner if a little extra effort in rebuilding was required. It might now be that the collection of knowledge required no longer exists at the company needing the restore...

Even simpler systems...I have many I just own personally that do my LAN of things - take a long time to build, have a lot of inter-dependencies, and thank heavens storage is so cheap that I can have them simply do a full image overnight once in awhile - pretty sure that's going to handle things.

Even that can take all night on a a raspberry pi system that monitors security video and weather for gardening purposes and has MySQL and NGINX and on and on to do so.

Now scale that to enterprise. Oh, it won't matter with DevOps because it'll never manage to get big, useful, and complex in the first place, it will get people used to "it's down yet again" all the time.

0 0 Reply
Friday 16th June 2017 08:09 GMT returnofthemus

When I was installing resilient pairs of Cisco ASA5510s

PMSL!

No doubt, after drinking the koolaid, not realising that on route to you the first stop-off this pair made was probably an NSA clearing house for the installation of backdoors.

Not only a poor choice of device riddled with bugs, but also contrary to popular belief amongst the Cisco fraternity Information Secuirty has never ended at Layer 3.

0 0 Reply