Political Discussion Thread (With Rules)


Simon

17 minutes ago, TrickstaPriest said:

Unrelated but shared here because.

 

We have found it.  The worst cybersecurity take.  Here's thinking of you, Dan Simon

 

https://thehill.com/opinion/technology/553891-our-cybersecurity-industry-best-practices-keep-allowing-breaches

 

I'd like to demonstrate the mentality of the target audience of that article so you can see exactly why it was written and why The Hill chose it to be good enough to publish.

 

This is a real exchange in the comments of the article.

 

 

Me: Doing the "holistic view" thing is highly needed. If you can't trust your IT guy to have access to your system, you aren't doing a good job of hiring IT guys. And they need to look at the system whenever and wherever they think there might be a need to.

 

On the other hand, blackballing someone from ever working again in the entire industry because they happened to work at a place which had a security breach is beyond stupid. The person you're interviewing likely wasn't in charge of implementing policy at his business. That's like refusing to ever hire a Volkswagen mechanic because the Volkswagen company for years covered up how much their diesel engines polluted. (The mechanic didn't set company policy, didn't participate in the coverup, and almost certainly had no idea that anything inappropriate was happening because there was no way for him to access that kind of information.)

 

Joe: Why on earth would you hire someone who already destroyed security somewhere else? This is a good suggestion.

 

Me: That "someone" will generally be working with a dozen or dozens of other people.

If they pin a security breach to George, don't hire George.

 

But if George is doing everything humanly possible at his task but someone else fails at their task, don't punish George for it.

 

Take this pipeline thing. Okay there's a breach. You fire all the people and they lose all hope of ever working at anything to do with computers ever again.

 

You hire a whole new staff.

 

There's another breach so you fire all of those people.

 

Who the hell is going to be willing to work for you regardless of what you offer to pay them? People who are so bad that they absolutely can't get a job anywhere else? People who are so desperate for money that they'll do anything (yeah, that's a good person to put in charge of your sensitive data). And geezers who are so close to retirement that, if they lose all hope of ever working in the industry again, it makes no difference (and good luck if they're at the top of their game rather than hopelessly out of date).

 

The pipeline HAS TO WORK. But you're guaranteeing that it's going to fail because they can't hire good people to work for them because working for the pipeline is a sure career killer.

Now let's look at the long-term effects.

 

Why would you go to college and study to get into that field when the first mistake by any of your co-workers will make you permanently unemployable? The answer is: you wouldn't.

 

People who were talented would avoid getting into that field because they could do literally anything else and have a better chance at a career. So the pool of people who would be willing to do that kind of work would keep shrinking from few new people wanting to get into it and from anyone with any sense trying to get out of it and do anything else before they get blackballed.

 

That's EXACTLY what you DON'T want to happen.

 

You need the best and brightest to be eager to get into the field rather than setting up the field to be so hostile that they want to avoid it at all costs.

 

Joe: Who cares about their schooling? If this profession is causing the problems why would you want to hire them anyway? Even if they have not caused a breach, they are a den of idiots. Why not go with engineers who know how to lock down systems?


21 minutes ago, TrickstaPriest said:

Unrelated but shared here because.

 

We have found it.  The worst cybersecurity take.  Here's thinking of you, Dan Simon

 

https://thehill.com/opinion/technology/553891-our-cybersecurity-industry-best-practices-keep-allowing-breaches

 

As a career IT architect and current cybersecurity analyst, that is definitely a pretty bad take.  It's hard to know where to begin, but suffice to say that cybersecurity "best practices" 1. rarely go far enough and 2. are usually sabotaged by senior bureaucrats through underfunding and lack of support.

 

As an example of 2., consider that my last supervisor directly asked that I falsely attest to our organization's PCI compliance status.  Hence, the new job.

 

 


1 minute ago, archer said:

Doing the "holistic view" thing is highly needed. If you can't trust your IT guy to have access to your system, you aren't doing a good job of hiring IT guys. And they need to look at the system whenever and wherever they think there might be a need to.

 

So... yes, but at the same time, it is not good security to give any one person full access to all systems.  IT security does need to be able to see everything that's happening, but should not have access to make changes.  Conversely superusers should rarely have access to all things.  Role based access control has been a best practice for decades, and the industry is now moving toward zero trust.

 

Again making an example of my last organization, my predecessor there was removed when it was found that she'd lied on her resume (among other things).  Then she went home, logged in remotely as domain admin, and started deleting files, accounts, and logs.  It was a really exciting first couple of weeks there, I learned a lot about their backups.


44 minutes ago, Old Man said:

So... yes, but at the same time, it is not good security to give any one person full access to all systems.  IT security does need to be able to see everything that's happening, but should not have access to make changes.  Conversely superusers should rarely have access to all things.  Role based access control has been a best practice for decades, and the industry is now moving toward zero trust.

 

Blaming the "best practices" for security breaches is nuts.

 

As far as the commenter goes

55 minutes ago, archer said:

Joe: Who cares about their schooling? If this profession is causing the problems why would you want to hire them anyway? Even if they have not caused a breach, they are a den of idiots. Why not go with engineers who know how to lock down systems?

 

I totally agree with (:edited) what you are saying.  The article's definitely been written for people who clearly don't have a clue. 

 

(edited out, just irrelevant)

 

I know someone in Software Dev who had the same opinion - punish software devs for software dev failures.  Sue them, etc.

 

Sometimes you -can- blame a single person for a failure.  And those people might actually get blackballed.  But the attitude they are creating here is to blame people for failures they likely won't have control over.  It's very different from, let's say, a medical malpractice incident. 

 

Not unless you happen to have multiple teams of doctors and nurses administrating your needs at once and working in an interconnected environ...

 

I do wonder if this is part of a push to devalue the industry, like how much of Silicon Valley conspired to pay programmers worse.


I think that the article shows a lack of understanding of the breadth of the security field, focusing only on auditors.  Auditors monitor/check to ensure compliance with security policy.  Security policy is based on best practices and is intended to protect an organization from the human factor -- legitimate users who are compromised.  This is an important (and very difficult) area to protect....but is far from the whole of security.

 

Auditors do not (and are generally not qualified to) check for vulnerabilities within the systems that their security policies are looking to protect.  Again, their security policies look to protect from the human factor -- George down in finance browses to the wrong site (or clicks the wrong link, etc.) on a corporate system....that kind of thing.

 

Hackers (ethical or otherwise) look for and exploit vulnerabilities both at the software/hardware level and the wetware level -- whatever is going to get the access that they are looking for.  Security policies will help to keep the legitimate users of a given system from unintentionally providing that access, but that's an extremely tall order and not even half of the battle.  An organization needs to know (and fix or at least isolate) the vulnerabilities at a software and hardware level in their systems...and for many, that's a very expensive and invasive proposition. Companies like Colonial Pipeline have systems that were designed a LONG time ago, generally jerry-rigged into providing networked/internet access.  Security policies that are properly designed and implemented can help to limit the extent of a given breach, but don't really address the underlying vulnerabilities that may have led to the breach in the first place. This doesn't devalue them, it just means that they're only part of the solution.


Of course he is.

 

St. Louis lawyer who waved rifle at protesters running for Senate in Missouri

 

Here's a brief look at his 'platform':

Quote

 

An angry mob marched to destroy my home and kill my family, I took a stand to defend them.

I am a proven fighter against the mob

When the mob comes to destroy our home, our state, our nation— I’ll defend it

I will NEVER BACK DOWN

 

 


6 hours ago, Dr. MID-Nite said:

When I feel that I myself...with no background in politics...can do a better job than the majority of the people running a country....there's a problem.

 

Then perhaps you should run for office yourself.


4 hours ago, Dr. MID-Nite said:

 

That's kind of the point I'm trying to make. I'm not really qualified to do that kind of work, but the people we have actually doing it are even worse.


That might be because the actual “qualifications” are the ability to raise money and win a popularity contest. 


3 hours ago, unclevlad said:

And we've done nothing since except allow them to do whatever the hell they want.....
