General discussion

Locked

ADEQUATE PROTECTION?

By FluxIt ·
Many administrators often come up through the ranks learning by hard knocks. Too often these admins do not fully understand their vulnerabilities or even how hackers get into their networks because they are just overwhelmed with other work and do not have time to learn about it. Afterall it is abstract. Moreover, many companies do not adequately allocate funding to protect themselves against threats. Yet companies spend on swipe card systems, locks, alarms, and safes but other than getting a firewall and virus checker for the systems companies do little else.

Can companies cost effectively protect themselves? Are the threats out there real? Are administrators and IT staff trained adequately to handle threats?

What are the threats? Bandwidth consumption, resource starvation, routing\DNS, and port slamming attacks. Also intrusions, Viruses, BOTS, and pilfering amongst others.

If you as an IT guy do not understand even one of these you may be exposing your company unnecessarily.

This conversation is currently closed to new comments.

18 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Relevant Training

by Al Macintyre In reply to ADEQUATE PROTECTION?

I have been in the Midrange Computer Biz for several decades, going back to the age of punched cards, and have always strived to keep current with changing technology as it applied to my work responsibilities. This gets more & more complex all the time.

I think that a company that hires someone to be a computer administrator who has no formal training or experience in the topic is like someone who uses themselves for a lawyer ... asking for real serious trouble.

If you beginning in this area & want to get up to speed, you should subscribe to www.itaa.org's monthly newsletter on security topics, starting with archives first in the series, like computer security 101 ... of course this is very general ... you also need to look into thesecurity administrator duties relevant to the kind of computer hardware software operating system at the place where you work ... every compbination is different.

I have the good fortune to be administrator of a type of computer system that in its 15 year history has NEVER been infected by a computer virus & this counts the approx 1 million companies out there that are using that particular platform.

I was recently in a forum for users of that platform discussing security issues & I foundout that there are other platforms with even higher records on computer security. That sort of corporate buying decision can cut down on the time we have to hassle with this kind of nonsense.

Collapse -

WHAT KIND OF SYSTEM IS THIS?

by FluxIt In reply to Relevant Training

To my knowledge every system out there is vulnerable. Is this a MAC or apple system? UNIX is certainly vulnerable. Novell, OS2, and NT are even Linux is. The only other system systems I can think of are mainframes running MVS or VMS on proprietary protocols. But even those have vulnerabilities.

This is curious to me. The only other option are government machines used in AEGIS combat or something like that.

Collapse -

IBM & Dod standards

by Al Macintyre In reply to WHAT KIND OF SYSTEM IS TH ...

US Department of Defense has various standards but most of the equipment purchased by US government disregard the standards.

IBM AS/400 midrange meets the DOD C2 standard.
IBM 390 mainframe meets a higher DOD standard - I not know which one.
Some Unix machines also meet a higher DoD standard.
I do not know all the particulars - I work on an AS/400 so I am familiar with the C2 concept.

Collapse -

Agree to Disagree

by Al Macintyre In reply to WHAT KIND OF SYSTEM IS TH ...

There are systems that are secure from a vast spectrum of possible assaults. They are not popular in a world of businesses wanting whatever bells & whistles the market offers that is not secure & does not do what it promises to do.

So even if you have one of the secure systems, there is enormous pressure to attach stuff that is not secure, or to breach the security to attach some fancy feature that cannot be installed without sacrificing the enterprise security.

I do not believe you can have a secure micro computer in the business enterprise.

I believe that you can have a secure mini, midrange, mainframe, super computer. However, most of them are not secure, because insecure micros get attached.

There was a test with NT setupaccording to vendor reccommendations ... a named file had Bill Gates private home phone number ... no hacker was able to get it ... most companies do not follow NT security recommendations.

There was a test with OS/400 setup according to vendor reccommendations ... a named file had the credit card account # of the CEO of IBM ... no hacker was able to get to it.

There have been other tests. Tens of thousands of black & white hat hackers participated in these tests. Security experts monitored what they did "I did not know you could do that." The security held but the experts learned from the test & made it even better.

Bottom line. Good security is possible but most enterprises are not interested.

Collapse -

Never any Virus Infection

by Al Macintyre In reply to Relevant Training

There are many reasons why certain types of IBM midrange computer systems have never had any virus infection & this is a hot topic on the discussion groups of technical people who manage those systems.

Note I said NEVER BEEN INFECTED. I did not say IMPOSSIBLE TO INFECT. This is an example of the kind of consequence of businesses not considering security issues when they select what kind of computer platform to run their business.

The cost of protecting platforms that can be infected & are infected on a regular basis, that has got to be an astronomical administrative nightmare & it is all unneccessary if the enterprise first educates itself regarding the pros & cons of the different computer infrastructures.

It is not all one sided, there are down sides to every platform. One has to self-educate on topic then select on basis of pros & cons ... virtually no company actually does this ... rather after a while with hassles of one system they begin to learn about other systems that do not have those hassles ... they have some other hassles.

This topic may belong on a different discussion group, but I suspect there is little interest by TR folks in this other than access to white papers that compare different kinds of platforms, many of which are here, since most of us have to do the best job we can with the platform selected by our employers.

Collapse -

It's all about Risk Management...

by Yamabushi In reply to ADEQUATE PROTECTION?

Any business has risks, and these risks are not confined only to their IT resources and Internet/Mail connection. Businesses need to approach the risks of having an IT infrastructure and an online presence the same way they approach any other business risk: manage it.

This may mean preventing certain risks (policies, firewalls, ACL's etc.), mitigating others (business continuity plans, backups), transferring risk (outsourcing, insurance) and accepting others (in the light thereof that the likelihood of the risk becoming reality is so low, and the cost of preventing it so high that it becomes unfeasible to prevent).

Once a business understands that they need to manage their IT risks just like any other business problem or risk, and they understand just what (and how potentially costly) those risks are, they should have little problem ensuring that the necessary resources are made available for the management strategy they have chosen. It also moves accountability and due diligence issues from the poor sysadmin to the Board of Directors of the company...

Once that is a company's approach to IT security, you should find that security staffing, training and budgets come a lot closer to being 'adequate' than if management expects the poor sysadmin to 'close all conceivable holes' and 'hack-proof the network' willy-nilly.

Ah well... just my 2c...

Collapse -

RISK MGT ONLY PART OF IT

by FluxIt In reply to It's all about Risk Manag ...

Risk mgt is only part of the equation. Most accountants who do the risk mgt do not under the technology and real risk while at the same time the techies who may know a little more about the vulnerabilities know nothing of risk mgt.

Most companies actually view risk mgt as something that corporate 500 companies do. Even medium sized companies view themselves as small business. I experience this myself while contracting with a company of 35 people. I was calculating internal ROI's and conducting risk mgt reviews. The owners looked at me and laughed. One leaned forward and said in a country dialect, 'Son, we're jus' one of 'em mom and pop operations. We ain't no big city business.'

The term firewall and router made them think I was a big spender with thier money. Yet they want all that high speed connectivity and internet stuff because it made to do the business easier. My approach was to tell them that I needed a special modem to hook to the internet at higher speeds and this modem came in two parts (secretly a firewall and router kit from ascend).

In short, operational risk mgt, engineering economic analysis, and other methods are time consuming providing little meaningful information to real business people who are action oriented. They tend to see it as talk or fluff. Just put up a cost effective fix. Its a feeling many will tell you. Usually meaning low cost with a lot of bells.

Collapse -

Duplicity

by Packratt In reply to ADEQUATE PROTECTION?

I agree that in any case it should be the IT professional's responsibility to research security issues and attempt to protect the systems that they are responsible for in the best possible way that their enviroment allows. I know many IT professionals who do not know enough about security or have any inclination to learn. But they may only be partially to blame when there is no incentive to do so.

However, I feel that there is a certain amount of duplicity between the vendors who target non-technical executives with promises of secure software and platforms that don't deliver and the executives themselves who don't place much emphasis on security in IT by words or actions.

In the push to deploy new systems or software security comes as an afterthought when IT staff is busy putting out fires or handling priorities handed down from upper management. I think that attitudes towards security have to change on all levels before much ground is gained.

I've always kept up with security issues on my own ever since running my own BBS many years ago. (seems like centuries now)...

Thanks for bringing up this important topic mrmiami!

Collapse -

Meaningful security obscure

by FluxIt In reply to Duplicity

Several things play into our inability to adequately defend the systems. They include:

Inadequate funding.
Poor understanding of the threats.
Vendors disuising weak solutions with bells and whistles.
misguided focus.

I have discovered that the biggest problem in security is a clear understanding of what to do and how to do it. Vendors tend to miss the mark and provide smoke and mirror solutions to real time monitoring. All too often these solutions monitor the wrong things.

IT people do not know what to monitor and why. Most importantly, monitoring can be very time consuming and many IT staffs simply do not have the time. ie watching for port probes or ICMP packet that peg off the scale.

One of the best approaches should center on alarms for trigger events and early detection of a threat. After the breach knowing what they did is simply senseless. It should never come to a breach.

I have spent extensive time listening to 'experts' who constantly remark it is to difficult and there are too many variables. These are comments of people who simply themselves do not fully understand thier own topic. Its not uncommon. We see this in scientific circles all the time. Until a paradigm shift in thinking is made the sun continues to revolve around the earth.

Collapse -

I agree

by Packratt In reply to Meaningful security obscu ...

I agree with your assesment, there are several things that plague an IT professional's understanding and attitude towards security. I really think that solutions have to be found that will change attitudes on all levels before serious problems arise.

I think that there is a threshold where intrusions will become so common and the cracker community will become so entrenched that organizations will "give up" and state that there is nothing to stop this from happening and then insurance will bethe only solution. (who wants that? except insurance companies and crackers?) I think this threshold may have been reached already, security breaches seem to be handled more by PR departments than IT departments.

I think another problem, that youhinted at, is a foolishly heavy reliance on "fortress" based security as opposed to "active/reactive" based security. The ability to recognize trends that hint at intrusion and methods to counteract those trends is more valuable than getting a box that protects you from intrusions that were used when the box was made. Patching software, "reactive fortressing" is all and good, but is a loosing battle because the flaws always be cracked before they are patched. (software developers also need to have more of a mind towards security as well)

Well, enough of my mumbling, what do you think?

Back to Security Forum
18 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums