Do you agree with Jonathan Yarden that you get what you pay for when it comes to security? Do you think your organization spends adequate money on security? Share your comments about allocating appropriate funds to protect your network, as discussed in the April 5 Internet Security Focus e-newsletter.

Re:Don't cut corners with security

by dpvsrinivas In reply to Don't cut corners with se ...

That is right. Installing a firewall and other security systems is not enough. The major requirement for setting up security is understanding the most important requirements, designing policies and procedures based on them, and only then thinking about tools like firewalls, NIDS etc. Also, providing the security policy for the tools should be the most important activity. Compromising on security requirements creates worse situations.

Yes but more importantly ...

by SandyM In reply to Re:Don't cut corners with ...

Everything said about the technical side of this problem is correct BUT it's the people side that's caused the problems here.

Bad or no configuration of firewall - people problem.

Inappropriate kit on the network - people.

Failure to emphasise to senior management how important a PSU is - people.

If you're not in charge of your network, or if senior management won't let you be in charge of your network, you might as well get another job because you can't win, and any problems will definitely be dumped at your door!

Of course shortage of money is an issue, but it takes YOU, the sysadmin, to lay it on the line to management: the consequences of NOT spending money, and more importantly to do your job to the best of your ability within the budget.

There are things here that could and should have been done that don't need money!

Sorry but I have to disagree with you here

by HAL 9000 Moderator In reply to Yes but more importantly ...

At least on the money and costs involved.

Unfortunately there are many in Upper Management who think that any loss of productive time in installing patches, AV product updates or whatever is an unwarranted waste of time and money, as it prevents the end users from working even if only for a few minutes a month, and yet they are happy to see the whole system fall down every two hours and need rebooting without complaint.

Or at least not complaining enough to allow the proper systems to be followed, if they were ever put in place at all. Most of the Upper Management seem to think it is acceptable to have a server fail every so often and throw the network into chaos, but are unwilling to allow the very same server to be rebooted after a patch is applied, as it then costs them money in lost production.

If the System Admin is worth their salt they are either driven to suicidal tendencies or leave the company, and it is then that the finger pointing starts, as the person who left must have created the problem. After all, have you ever seen a person from Upper Management take responsibility for a problem that they created when they can pass the buck to an underling?

Granted, in the case described it was the worst possible scenario, but I've walked into situations that would have gotten that bad if allowed to continue any longer unchecked. The worst one was where a Government Department had one of the staff double as the resident IT guy because he had a computer at home and knew more than the supervisor about computers, so he was considered the resident "Expert" and every decision about the network was left to him to decide what was required. Needless to say, while he may have known how to run a "home computer", he had next to no idea about networks or their special requirements, not to mention that when several of the computers were being disposed of he insisted that just reinstalling the OS would render them protected from data theft.

While that particular incident was quite a few years ago I still remember it clearly, as I lost a lot of money in that particular action and was then forced into the witness box and treated as a "Hostile Witness" by the Government Department's legal people. That didn't stop them from calling me in as their "Expert" witness several months later when the person who had recovered the data was standing trial. It never ceases to amaze me just how they can expect to treat you like dirt and then expect you to do their job for them when they want it. Talk about having your cake and eating it too, but that seems to be the way things work out in a lot of places.

Now granted, I haven't seen things as bad as that since, but I no longer do any Government work either, and a friend of mine who works for this same department keeps telling me horror stories of what is going on in there. Like a colour HP laser printer being thrown down a flight of stairs and then being repaired even though the cost of the repair was far in excess of the replacement value. It seems that while they had exhausted their budget for new items they had the money to have existing units repaired, so the printer was repaired rather than being replaced, as they had well in excess of $20,000.00 of consumables for that printer.
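The disposal story above turns on one point worth seeing rather than taking on faith: a format or OS reinstall rewrites the filesystem's metadata, not the blocks that held the old files, so anyone who reads the raw device can carve the data back out. The following is an editor-added illustration, not code from the original thread or from any poster. It builds a toy disk image in memory with a constructed payroll record, zeroes only the metadata region the way a quick format does, and shows the record is still recoverable by a raw byte scan; it then overwrites the whole image and repeats the scan. The block and region sizes, the file-table format and the sample record are all made up for the demonstration.

```python
"""Why an OS reinstall or quick format does not sanitize a disk.

Editor-added illustration (not from the original thread). A toy disk
image is created in memory, a constructed record is written to it, the
metadata region alone is zeroed (as a format or reinstall does for most
of the old contents) and the payload is carved back out of the raw
bytes. A full overwrite is then shown to be the step that actually
removes it.
"""
import os
import re

BLOCK = 512          # toy block size (assumption)
META_BLOCKS = 4      # toy "partition table / file table" region (assumption)
IMAGE_BLOCKS = 64    # toy image size (assumption)

# Constructed sample record standing in for a departmental file.
SECRET = b"PAYROLL-RECORD: Jane Doe, TFN 123-456-789, salary 85,000"


def make_image(payload: bytes, data_block: int = 20) -> bytearray:
    """Zeroed image with a toy allocation entry in the metadata region
    and the payload stored at `data_block`."""
    img = bytearray(BLOCK * IMAGE_BLOCKS)
    entry = b"FILE payroll.txt @%d len %d\n" % (data_block, len(payload))
    img[0:len(entry)] = entry
    start = data_block * BLOCK
    img[start:start + len(payload)] = payload
    return img


def quick_format(img: bytearray) -> None:
    """Zero only the metadata region. The file is no longer listed, but
    its data blocks are untouched: this is what a format or OS reinstall
    does to most of the previous contents."""
    img[0:META_BLOCKS * BLOCK] = bytes(META_BLOCKS * BLOCK)


def overwrite(img: bytearray, passes: int = 1) -> None:
    """Overwrite every block with random bytes: the real sanitization step."""
    for _ in range(passes):
        img[:] = os.urandom(len(img))


def listed_files(img: bytes) -> list:
    """What a normal directory listing would show (metadata only)."""
    return re.findall(rb"FILE (\S+) @", bytes(img[:META_BLOCKS * BLOCK]))


def carve(img: bytes, pattern: bytes = rb"PAYROLL-RECORD: [^\x00]+") -> list:
    """Recover records by scanning the raw bytes, ignoring the filesystem."""
    return [m.group(0) for m in re.finditer(pattern, bytes(img))]


def demo():
    """Return (files, carved) tuples after write, after format, after wipe."""
    img = make_image(SECRET)
    before = (listed_files(img), carve(img))
    quick_format(img)
    after_format = (listed_files(img), carve(img))  # listing empty, data carvable
    overwrite(img)
    after_wipe = (listed_files(img), carve(img))    # nothing left to carve
    return before, after_format, after_wipe


if __name__ == "__main__":
    for label, (files, carved) in zip(("after write", "after format", "after wipe"), demo()):
        print("%-13s files=%s carved=%d" % (label, files, len(carved)))
```

The same scan against a real disposed drive is what a data-recovery or forensic tool does; the only difference between the "after format" and "after wipe" results is whether every block was actually overwritten (or the drive's encryption key destroyed), which a reinstall never guarantees.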


Definitely on the money

by robin_the_evil In reply to Yes but more importantly ...

I think he's definitely on the money. I've witnessed similar problems in the past, but not to that extent. Laying out the necessary funds from the word go can save a business time and money in the long run. However, the funds must be made available for the proper training of staff as well. Without that, all the appropriate hardware in the world won't make a difference if it can't be maintained.

Security Need not be Expensive

by Dave Howe In reply to Don't cut corners with se ...

While no free firewall currently matches the Fw-1 offering, the same cannot be said of many other fields. There are free AV scanners, trojan scanners, VPNs (IPsec and SSL), IDS, audit tools; the list of free or near-free solutions is almost endless, and should be part of any network administrator's initial toolkit (with "upgrades" to commercial packages an option, but not necessarily a good idea).

Don't cut corners with security

by pohbearcynthia In reply to Don't cut corners with se ...

Excellent article. You describe our network. The first thing that management does is to undermine the importance of running a good IT Department. The first thing that goes is the budget, second personnel.


You get what you pay for

by Grizlybare In reply to Don't cut corners with se ...

Getting what you pay for not only applies to products but especially to personnel. A properly trained workforce is like a well oiled machine. Everyone (parts) knows its job and does it. Remove a bolt (an employee) here and another there, and the process weakens. Each employee removed and not replaced places more strain on the rest of the people (machine). I know there are some people (parts) that can safely be removed, i.e. the people in the office that design forms to be filled out with information already obtained on the previous form they designed (I think it's called "Job Justification"), or that neat little spoiler on the back, for around $1000.00, making the car look really great but with no real function. Are they really necessary? No. Everything taken away from the bottom line decreases the company's stability and profitability.

And my favorite people... the ones that would "Rather than seek solutions to the problems, want to point fingers, and want heads to roll". These are the true destroyers of companies. Instead of seeking a solution to the problem they are the problem, trying to protect their own title, position, face, etc. When you have people with this type of mentality it's hard for any company to progress or even compete for any length of time. Security is everyone's business and everyone's involvement is essential. Education is the foundation, not the buzz word.

A company's survival depends on everyone's involvement and commitment to the company AND the company's commitment to them.

That piece of plastic on the back of a car

by HAL 9000 Moderator In reply to You get what you pay for

Does have a use: it tells you where the car ends when you are backing it up, but admittedly it does require more fuel to drive the car with it on.

Have you ever noticed that the people that you have described here are more likely than not accountants?

The very fact of adding accountants to the management of any company almost inevitably leads to its demise. They seem to think of everything in sheer money terms and that all staff are replaceable, particularly if they can outsource the job and get it cheaper. They are saving so much money and then wonder exactly why things go wrong.

Once upon a time I worked for a place that got a new CEO who was an accountant, and he proceeded to sell off all the company's infrastructure. Well, for the first year the company had a marvelous profit, and when he received his bonus he left as a highly regarded CEO, but the guy that followed him inherited a mess that was never solved and eventually the company went broke, but not before all the respected staff left the place in disgust.


Another "home run"

by Gerra In reply to Don't cut corners with se ...

Mr. Yarden has again spoken quite eloquently on the subject of security. If he had a place of business in Maine, I would definitely be knocking on his door for a job. As a student about to graduate from college with a Bachelor's Degree in Computer Information Systems, I am just getting into the world of computer security, and I would love to learn under such a knowledgeable individual.

Big business can be just as myopic

by dldigital In reply to Don't cut corners with se ...

I work for a major corporation that runs a network from coast to coast. Two years ago I did a risk assessment on my own time and forwarded it to my boss, who thought it was well done and had merit; he forwarded it up the line, and so on, and so on.... Nine months later we hired a head of security. This person's job is to communicate to staff how important security is, NOT to secure the network. Last month, following a major virus outbreak in our intranet, we received an e-mail stating how we shouldn't open attachments and how we shouldn't follow instructions/links to other websites; the entire document took three pages, with nice little pictures and lots of horror stories about what can happen if you do. Two days after that e-mail was sent to all staff, with much fanfare from management about a pro-active security service, our national IT services sent out a letter telling us all to launch the attached tool to fix a serious flaw in IE6..... DUH. They wonder why the ground troops get frustrated.

