Good enough for me
The same attack would work at my house and expose my mother's house as well.
So how does that Deep State stuff work anyway?
The US Department of the Interior (DoI) spectacularly failed its latest computer security assessment, mostly for a lack of Wi-Fi defenses. This is according to a report [PDF] from the department's inspector general (via NextGov) which found that, among other failings, the DoI internal wireless network could be broken into over …
I doubt you would be shot unless "this part of the USA" is a prison, in which case, how are you able to tell us about it...
It also may help in those terms if you are not brown, and not bearded.
They used it in public visitor space at offices, so bags might not be searched, it's not Apple that we are talking about (Apple premises qualify... but I already mentioned prisons). If bags are searched... there are such things as steel toe capped work boots. So if no one notices and cares that your footwear has a USB-C port, you get a clear run at it. A clumpy, clattery run, I admit.
Our government IT security is as bad as yours across the pond. This is in large part due to the fact that our IT has been outsourced (just like yours and often to the same companies). If they have an independent security function, that has been outsourced too (also often to the same companies). Management doesn't want employees.
Absolutely. As long as IT and more especially Cybersecurity is seen as a cost rather than an investment, as long as the decision over IT budget lies in the hands of accountants willing to maximise short term profit, then this kind of situation will continue.
"The Capitalists will sell us the rope with which we will hang them" could also be the hackers' motto.
If it's outsourced and the contract doesn't contain provision for Security, guess what... you ain't getting it.
If it doesn't contain Security Advisory service, you ain't even getting that.
When you take your car to the garage for a new fan belt, do they change the exhaust too free of charge without asking you?
It's easy to try and blame "outsource" as the problem, but they only do what you tell them to do and what you pay for.
The fault lies entirely on the customer not specifically trying to deal with security by putting in place the instructions AND MONEY for doing it.
No outsource contract I've ever seen contains the blanket statement "just do all of my IT sh1t, you have a free hand to do what you see fit, send me the bill for whatever".
Quite so. Outsourcing anything requires the direct employment of enough people who are expert in a subject so that the specifications are adequate.
The beancounters tend to think, 'If we are outsourcing this, why do we need any experts of our own?'
I have seen this happen too many times, incomplete specs and no one who can be held directly to blame.
Exactly - the customers which make the outsourcers bleed are the ones with a sizeable retained IT department whose job it is to issue instructions and manage the supplier with tight control.
The ones where stuff goes wrong and they get their trousers pulled down are where retained IT is too small.... usually where it's just one or two "senior managers".
I speak of this having been working in outsourcing for a few decades.... we have "problem customers" and those are the ones which hold our feet to the fire.... those are the ones seeing the actual benefit of outsourcing, the rest....
There are quite a few of "the rest", in fact mainly "the rest".
"When you take your car to the garage for a new fan belt, do they change the exhaust too free of charge without asking you?"
No, but they'll usually, for free, cast an eye over the rest of the car and tell if they think other work needs doing. Reputable ones will even be mostly honest about it too.
Can't blame outsourcing. The U.S. Government hasn't been able to secure its networks or PCs since the Reagan Administration. The movie WarGames got President Reagan asking if that was realistic, after some investigating found it was. Starting years of struggle to secure Government systems. Long before outsourcing, the Military, IRS, White House, Pentagon, DOJ...etc haven't been able to keep their systems patched or secured. Teenagers have hacked into Defense department systems. Read: Dark Territory by Fred Kaplan
"For example, that department sometimes does controlled fires as part of their forest fire control strategy"
Surely not! The esteemed President Trump has quite clearly stated that the forest fires are caused by the States not looking after their 3% of forest. It's nothing whatsoever to do with the 50% or so the Feds are charged with looking after or the privately owned forest land run for profit by businessmen like President Trump and properly and safely managed.
I remember once doing a follow up security review of a customer 2 (two) years after a colleague had done one. Half the people I interviewed said that there had been a review before and nothing had been done. So when I came to write up my report it was no surprise that not only were the faults described by my colleague two years previously all still there, they had managed to add some new ones.
(As Major Bloodknock* might say "Well, there's progress for you".)
*The Goon Show, BBC Radio: "King Solomon's Mines".)