Posts by chuckrman

"Security Teams can never be the team of no."

I understand your sentiment, but that is really not applicable. Or rather, it should not be applicable.

To directly address the your email as userID comment; we need to get past userID/password as a login method on its own. Time and again this has proven to be something fairly easy to compromise. MFA is the way to go. Getting a userID is typically fairly trivial because we need it to be something the user can recall. userID is not really the state secret we pretend it to be.

Security teams really should not be the team of no. It should be the team of "this is how we can do this securely" when asked to implement something. We need to focus on turning it around so that it a) meets the business need, b) is practical, c) is scaleable. There may be more that others may want to add to this list, but it is a good start.

In general, security is a supporting organization (some exceptions for if security is your line of business and etc). In security we need to remember this. And we need to remind our customers/business owners as well. We are performing these tasks in the interest of supporting your business and lowering the risks to your business. This is of course easier said then done, but it is very important to not get lost in the battles so much as to lose the objective.

At the end of the day the customer/business owner makes the decision. I won't sign off on anything I can't stand behind. However, I can't stop the customer/business owner from ignoring me at their own peril. It may, of course, be the signal to freshen up the resume/CV.

Re: Compatibility always drags these types of projects on and drags out the time requirements

This may very well be a lack of knowledge on my part. Let me try clarifying what I was intending to communicate. In terms of changing so large a system that has to be used by all aircraft (effectively worldwide), you need to have a baseline standard that works with all systems. I assume there is always an analogue method for emergencies that will always be handled a standard way regardless of the airport's actual capabilities.

So when guided landing was brought into play, the airport that first implemented it could not stop using the old method of landing planes until all planes could use that new system. And each time we add a new capability the airport, the system(s) needs to continue to support the older standard in addition to the new. This may be done by running parallel systems or by introducing something to an existing system (additional cost and complexity = time). At a certain point the old drops off as it is no longer in use but by the time this happens something more modern is coming online. This cycle will continue until the end of time (or at least as long as we have air travel).

My point was that there are logistics behind this and due to a variety of factors which vary from airport to airport this may very well mean generational gaps where one airport is N-3 and another airport is N (N equals current generation). I mentioned airplanes because airlines have to be able to keep up with N and given the time lapses between maintenance cycles I suspect that the only way to do it would be to update over the air (physical time limitation). From a safety standpoint I could not see over the air being practical. So slowing down the change to allow the entire chain to update would be required. This is not likely to be something that is a known variable to plan for but might be estimated (high risk to overrun schedule).

This is pretty universal against all major systems when change occurs. A sufficiently large enough system will need to stagger updates requiring the updated system to be able to operate at the lower standard while it waits for the rest of the chain to catch up or run two systems in parallel. Something that an airport may not be funded to do in either case (Hence N-3 I mentioned above)

<- IT guy but not in the airline/air travel industry

Re: Just when I thought about upgrading...

Part of the problem is the cross sharing of IP with Intel and AMD. x86 is Intel IP and x64 is AMD. So often times because the basic architecture is the same x64 on x86 you will see similar holes in both manufacturers (there are nuances that separate them). The only way this really changes is if we can come up with a new standard away from x86/x64. However that means backwards compatibility and no one wants to kick that hornets nest for fear of sales loss (my opinion).

Re: As a young broadcast engineer, unschooled in IT at the time

Agreed. A lot of what we take for granted as part and parcel of operations had to be learned from mistakes. Institutional knowledge is a thing which is why I think companies/governments/etc. are struggling right now with all the outsourcing. No matter how much documentation you provide me when I come on board, I can't digest it all and be the perfect employee day one. In the mean time you have a gap that the position I was hired for was intended to fill. Throw in the tight budgets reducing or eliminating redundancy of staff capabilities and you are treading a fine line of failure and success.

Risk management was not taken as seriously say 20 years ago as it is now. and I am sure this was an incident that caused change (as was related at the bottom of the article). Was the change perfect? Not likely but you have to start somewhere and re-architecting a tried and true process is NOT something done over night. And may be deemed too risky versus improvements to the existing process.

Re: Beautiful

I agree completely. IT is here to support the business and is not the business itself (unless IT services is your business). Now given the limitations of the technology at hand I can understand that sometimes you have to rely on the user doing "the right thing" but, in general, I would have measured this as a risk and would have looked for a compensating control. Perhaps a script that was run once a day to copy the contents of the "My Documents" directory to the mapped home drive as these should be known variables. As someone earlier in the comments mentioned OneDrive, a nice aspect of this service in locations with the appropriate enterprise agreements and infrastructure you can use GPO's and have directories directly replicated up to the OneDrive as appropriate. While we can't hold the end user as having no responsibilities, we should be looking at common risks and trying to address them as commensurate with the value of the loss.

Re: Some weird comments on here...

Some of the pride may be a result of for whom and why. I have pulled 100+ hour work weeks I am very not much proud of because it was just a band aid over a problem and I just burned out. Other times I have pulled those weeks because there was a legitimate concern or event that no one had thought of and the risk of failure was high. It is those days that I take pride in being part of team that really brought things together under extreme circumstances. The former was often due to lack of staff, sudden departures of poorly treated staff, or just really bad planning. The others had to due with what fall under the "acts of God" sort of thing, On those cases we had follow-ups and lessons learned which prepared us for next time.

Re: Hugh Laurie ?

I rather like him as a choice.