Security Tools Not Enough!
Results 1 to 6 of 6

Thread: Security Tools Not Enough!

  1. #1
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Posts
    912

    Security Tools Not Enough!

    We have been discussing the same scheme few days ago .... And most of us reached to the point that security tools linger not Completely prevent breaking into systems and gaining illegal access to sesitive data ... let's read this article

    Source

    Security tools play an important role in helping to protect corporate data. But technology fixes address only part of the overall security problem, according to several IT managers.
    "Technological breakdowns are rarely the source of the breach," said Tim O'Pry, chief technology officer at The Henssler Financial Group in Marietta, Ga. "More often than not, it's good old-fashioned human frailties."

    Addressing that issue often requires companies to increase their investments in user awareness, training and education, said Matt Kesner, CTO at Fenwick & West LLP, a law firm in Mountain View, Calif.

    Security managers "pay lip service to the issue but don't do a good job of training our users and employees," Kesner said. "A lot of people, even in senior positions, aren't aware of the threat every time you attach a computer to the Internet."

    Arshad Noor, CEO of StrongAuth Inc., a vendor of identity and compliance management software and services in Cupertino, Calif., said security risk-mitigation efforts should be integral to every new IT initiative.

    "If a business unit doesn't address potential vulnerabilities in its processes before it introduces a product to the market, it's not doing its job," Noor said. The same is true when IT systems and applications are being designed, he added.

    From a technology standpoint, the recent security incidents at several companies highlight the need for IT managers to focus on end-user authentication and identity management, said Howard Schmidt, eBay's chief information security officer.

    Schmidt said he thinks that in the future, companies will need to use more-robust two-factor authentication tools to vet access to confidential data.

    There's also an urgent need for companies to pay more attention to protecting stored data in addition to controlling network access, said Gartner Inc. analyst John Pescatore. "The biggest attacks are taking place at the point where data is stored," he noted.
    Shall we discuss this??

    Cheers
    \"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts\".....Spaf
    Everytime I learn a new thing, I discover how ignorant I am.- ... Black Cluster

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Good points. I like how he mentions two-factor authentication.

    Bruce Schneier (yes, him again...I read his site regularly...good info there, ok?!?) had something to say awhile ago:
    http://www.schneier.com/essay-083.html

    http://www.schneier.com/blog/archive...n_twofact.html

    And in a nutshell, I agree with this: two-factor is essential to overcoming the problems with password authentication. It should have been done years ago. But two-factor will not help, as he states, with phishing. Especially with man-in-the-middle attacks who are piggy-backing into a trusted network, or syphoning bank account info, or other things. Two factor works, and works well, in it's limited role.

    I don't buy everything Bruce has to say as 'gospel', but he has an interesting insight on many things.

    This is the same old song and dance. You can't buy the state of "Secure". You can spend trillions on all the little doo-dad's you want. If you don't train your users, mitigate risks, build practices and standards that meet your security needs, and test solutions for compliance against those standards, you're simply blowing smoke.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Let's discuss it from the standpoint of a few basic premises and let's see where things fall down. Logically that would be the weak point in the current methodolgy....

    The Premises:-

    1. Humans introduce all security failures in computer systems since it is humans who design the hardware and the software, implement and configure both the hardware and the software and finally use the hardware and software.

    2. The vast majority of all security failures are the result of improper design, implementation or configuration, (or any combination of the three).

    3. In the cases where the security failure is not caused by 2. above it is the result of socially engineering untrained or unalert users or administrators or physical security issues such as access controls or dumpster diving.

    4. Most security tools used by security aware administrators can test for many of those things in 2. above but are not designed to be used in the case of 3. above.

    5. The intent of patches is to block design holes in badly designed software - preferably prior to a working POC or exploit becoming available.

    6. For the largest part the people with malicious intent currently lead the way in the security field - they find the holes others are not yet aware of giving them the opportunity to exploit them while their adversary has no defense.

    7. Stuff costs money. The more automated such as Nessus the less it costs. The less automated such as "Tiger Teaming" the entire organization the more it costs.

    8. Security is the balance between security and usability within the confines of a properly conducted risk assessment.

    I think those are the "basics" boiled down to the lowest common denominator, (feel free to suggest any you think I missed that are relevant).

    Within the confines of the above "8" and without going into scenario specific details where does the problem lie?

    I'll start by saying that the problem is pandemic. It starts with the developer and ends with the user. In between there are stumbling blocks for everyone involved. I think, for a large part rule 6 is a major problem and the tools can't address that. Also, obviously, there is either a business opportunity automating a tool for 3. above or there isn't an automated way to do it when there are so many unautomated physical assets available to be tested. I think those are where the major problems lie...

    Thoughts?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    8. Security is the balance between security and usability within the confines of a properly conducted risk assessment.
    Excellent definition. May I modify, possibly for my own benefit? ... Security is the balance between access restrictions and usability within the confines of a properly conducted risk assessment and formulated incidence response.

    I was looking for a word that would intersect a risk assessment with the appropriate response and definition of what constitutes a breech or suspect occurance.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Road:

    Security is the balance between access restrictions and usability within the confines of a properly conducted risk assessment and formulated incidence response.
    OK... Better...

    Road's definition replaces number 8... It's more broad reaching yet non-"scenario specific". It includes an additional set of skills but those skills are very important....

    Thanks, nice addition....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    Posts
    912
    Actually the two-factor authentication has a brilliant future, and I agree with zencoder that this swervice should has been used long time ago.........................................

    Tiger, the listed Premises are really perfect ... and IMHO, there in nothing to add ... you had died on ...

    As I always state that the main reason behinde breakdowns is the human factor ..... at least to some extentions ... of course I exclude ill software ... I don't wanna say that an ill program is perfect if the user is mighty .. no ... I think this an integral process ....
    [1] Powerful tool + Powerful user = unvulnerable premises
    [2] weak tool + weak user = vulnerable premises {Havoc Outcomes}
    [3] Powerful tool + weak user = Almost died premises
    [4] Weak tool + Powerful user = Almost dies premises

    the 3 and 4 equations have the same consequence {Aftermath}. Whilst the first one looks meeting what the security industry is looking for from very beginning ....

    Just my $0.02

    Cheers
    \"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts\".....Spaf
    Everytime I learn a new thing, I discover how ignorant I am.- ... Black Cluster

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •