Show it works
355 posts • joined 29 Nov 2011
The issue is that vendors don't really do much in the way of securing code or coding securely. Is it the fault of the devs? Perhaps, but certainly the vendor should be ensuring devs get the correct guidance. On the flip side are customers who will take any s/w willy-nilly with no concept of acceptance testing, and indeed the security posture of the software is absolutely part of that acceptance.
First you audit the software before implementing it. Not only what resources it requires but also how it 'does' security. So in terms of authentication... network layer authentication to be the way to go coupled with MFA. Of course if your MFA is compromised then you're on a hiding to nowhere.
No multi-factor authentication? Pretty standard these days, and if your system does not support these kinds of authentication you need to ask yourself how secure is this.
Normally I would add the beer icon and make a quip. However it's about 07:30 and I refuse to let the lockdown turn me into a booze hound.
RNLI...from its foundation to now is just incredible. The people who do the job are even more incredible. I hear some of them say that the day job is what lets them be able to do the rescue.
I'm not a seafarer by any stretch but I do go to the beach often, and when I do and there is an RNLI station I tend to slip them a twenty.
It isn't the heroics that makes me do that but rather the dedication they have that enables them to do the heroics.
Don't laugh. No really.
Just joined a Win 10 RDS shop. Not used Win10 nor Server 2019 in anger. Previously I would use the various baseline/security tools to find the patch levels pre-Win10. So I searched for a MS tool for these later OS versions. Nada. Nowt. Bollocks all.
Besides one person making a droll comment about Nessus is there a tool out there that provides this? Am I barking up the wrong tree? In fact am I losing my mind?!
Yes yes Linux...and mostly probably agree but MS shop.
A (web based) pint to all who help!
Most likely short-lived as you can't really improve a turd, but I for one, who first encountered this lot in the late 80s... good riddance.
I have often said to those moaning about Microsoft that they are lucky they did not have to deal with KCOM, and I am not a huge MS fan by any stretch.
Beer coz I do feel for the worker drones under the thumb of horrible management.
It will be interesting to see how one can audit against GDPR requirements...
I recall having a robust discussion about why we (the company I worked for) need to be careful about transitioning our accounts package into the cloud. Partly about the risks of multi-tenanted environments and certainly about access controls to our data.
Sadly (for them as it turned out) cost efficiencies won the day (short term). In a strange twist it was an outage issue that did for them.
Oh and by the way ds6, you'll find that that dial-home feature? Not a default. You needed to actively opt into the scheme.
Ghostery were and always have been quite open and transparent, so not really sure why you got your knickers in a twist. I mean you clearly didn't even read the article you posted! lol
Probably though not the best policy for...
We are not talking about family pictures or drawings by one's kids. We are talking specifically about information that is considered sensitive.
So when you don't need it you lock it away. It is not difficult or complicated. Of course if you approach this like a bull in a china shop you will put people's backs up. Much like any project that involves people... get the interaction wrong and you will have an uphill struggle. Basic management 101 (or should be). You are right in that regard. I find most reasonable people understand the reasoning if explained properly... not to be viewed as a punishment but rather a best practice.
Best practice??? By whose definition?
Pretty much every infosec pro I've spoken to or worked with. On top of that we also consider passworded screen savers a best practice.
New regulatory issues also drive the adoption of these policies, the newest being GDPR. Of course GDPR does not stipulate clear desk policies but as a security manager one would consider a clear desk policy as a mechanism to reduce the risk of data breaches.
Thing is that you cannot look at this as just a password policy. There are other security aspects that also impact on usage.
I see a lot of people say that Post-its are vital to remembering a password. Well, as we know that is also a risk. We mitigate that risk by using clear desk policies as a best practice.
Of course in and of itself this will not solve the issue of bad passwords. There are plenty of other policies to deal with that. As already mentioned... monthly scans to blacklisting.
LDS - That's why true entrepreneurs show up unexpected and look at how things really work.
I wonder. I suspect you are right that many CEOs have a bit of a delusion going on when it comes to visits. Some not so much.
I used to work in a tech support centre for a US-based storage appliance company a few years, ok a lot of years, back. Our CEO was coming to visit the place (not only the support centre but also the Euro HQ). I was (don't hate me!) a tech support manager there and was working to the end of shift with the guys, and we started talking about the CEO and the visit. One of the team said the CEO would never come up to the centre to see them hard at work as the clock headed towards 7pm. The company made a big thing of being a team etc, so I thought bugger it.
I went down to the reception area where the great and mighty had congregated and was lucky enough to catch the CEO sort of by himself at the buffet. Now, not really having much truck with this kind of thing, I asked him if he'd like to visit the tech centre. He readily agreed, and I must say the look on the faces of the people in reception as I ascended like some tech support god (ok ok... maybe not, but I enjoyed the look of horror/shock on my local compatriots, assorted EVPs, SVPs and senior leadership very much). I engaged in some small talk on the way up, mainly about my team.
So we reach our floor and I introduce the CEO to the team, who then went around to each of my engineers, shook hands and spent a good twenty minutes chatting with the guys. He then went around the rest of the centre and met the other teams also working the late shift.
Frankly if you cannot approach execs then there is a major problem.
If our powers that be really gave a fig's ear regarding the education of our nation we would not be having this discussion.
Grammar schools are not effective if you want to have a real open and democratic country (the number of MPs who went to comprehensive schools stood at 51% in 2017 - https://www.channel4.com/news/factcheck/factcheck-qa-how-posh-is-parliament).
The issue is actually quite simple to resolve. Problem is that it costs money, and of course spending money on investing in the strategic future of the country is clearly socialist and utterly barmy magic money tree.
Kids are kids and have friends throughout their childhood. So why break those relationships up when instead those who need coaching get the required amount, and those who are brighter or have specific educational needs or challenges get the support they need from their teachers but... shock horror, with their own friends! Imagine that!
Another huge error was made when idiots decided that renaming polytechnics to universities would be a good idea coz now we can offer degree courses in fucking golf fucking course fucking design.
So part of the spec is 'data' and increasing the availability of data.
Talk about an open cheque! Clearly the idea is to allow Emergency Services more data in tactical situations. So we not only have the issue of high availability/high coverage data services but also issues around data management as well as device management.
I'm not a sales guy but even I salivate at the idea of such a project and the, shall we say - generous billing opportunities.
Of course Emergency Services have exemptions and the like in terms of legislation but that does not mean they are completely exempt from things like privacy rights covered by GDPR. So in the natural way of things the use of data will absolutely grow as will data breaches.
Still, it's good to know that the powers that be have already considered all these and even further issues for this roll-out.
Biting the hand that feeds IT © 1998–2020