Cutting edge security: Expensive kit won't save you

We all want to protect our customer and employee data, but as the threat landscape changes and the publicly disclosed data breaches get increasingly larger, our approach may need to change. What constitutes "state of the art" information security in 2016? It’s tempting to create a listicle of 10 shiny new security tools that …

  1. Ian Michael Gumby

    Two factor authentication is a start.

    Companies have switched to a two factor authentication. I love it.

    I have a token generator that uses a password that I created to generate a token/pin.

    I then log in using my LDAP/AD password and the token to establish my link.

    The same could be said for using a token generator on your phone too.

    If only my banks did this...

    Will it stop data theft? No. But it would make it harder.

    1. Anonymous Coward

      Re: Two factor authentication is a start.

      Except if your computer resides on the same device as your phone and your computer is already compromised. The SMS msg can be intercepted and passed to a third party where they can use it to authenticate a withdrawal at their end.

      1. P. Lee

        Re: Two factor authentication is a start.

        >Except if your computer resides on the same device as your phone

        Or indeed, if you run "unified comms" like iMessage, it is unexpectedly no longer two-factor. Malware can make the banking request and receive/process the SMS auth codes without compromising the phone.

        Of course, it should be possible to tell iMessage not to sync messages from your bank or messages with some specific text in them, but that puts the onus back on users who rarely realise that there is even an issue.

        I suspect a large amount of effort should be directed at OS design, preventing successful attacks even if the users do something stupid, like running flash or some other randomly downloaded executable. I'm thinking of things like, jailed execution of web interfaces, manifests for executables which may include an "origin https url" which can have certificate and md256sum checks built in. Flags for executables which have the same name as other well-known executables from different domains. Flags for "you're installing program X, but it is trying to mess with something in the directory tree of program Y - are you sure you want to do that?" Clear library separation, so OS utilities can't be infected by application-installed libraries.

        I don't think all of these things are exceptionally difficult, neither do they prevent ultimate stupidity, but at the moment OS providers of all stripes (and yes, that includes my favourite FOSS OS as well as the OS' people actually pay money for) are not doing enough.

  2. John Stoffel

    So who pays for this in the outsourced world?

    So, the monkey in the room is who pays for all this? With companies under pressure to reduce costs, paying for a bunch of sophisticated and well trained guys (and gals!) to sit around monitoring logs and looking for threats is where on the priority list?

    This all sounds awesome, but it's hard enough getting them to buy firewalls, but asking them for a central logging infrastructure and the software to collate, sort and mine this for threats is going to be tough tough tough. Or it will get just tossed at the regular IT staff as another one of the multitude of things on their plate.

    Unless it's made part of PCI, or the insurance or regulators require this stuff, it ain't going to happen except in Cinderella circumstances.

    John

    1. Mike Pellatt

      Re: So who pays for this in the outsourced world?

      Absolutely. Especially when it comes to properly managing "need-to-know" access granularity. It seems to me that it's impossible for this not to be a highly labour-intensive activity.

  3. Anonymous Coward

    PHB syndrome

    As well as the "who pays", there's also the "we've got firewalls, data diodes on secure systems, and antivirus, so we're secure and everything's fine" approach.

    The approach that ignores the fact that the only guy in the company who actually knows how the data diode works has now left, the antivirus uses 90% CPU so everyone tries to kill it if they can, and the firewalls didn't stop the guy who walked out with the sales database on a USB stick ....

    Latest and greatest toys & tools don't help if attitudes are PHB-ish.

  4. allthecoolshortnamesweretaken

    Expensive kit won't save you

    No, it won't. 'cos you ain't gonna get it in the first place.

  5. cschneid

    follow the (lack of desire to spend) money

    Corporation X will not be willing to pay for the skills outlined in the article until a well-publicised breach occurs. Staff possessing those skills will then be acquired and kept until the next round of redundancies. Repeat until this is so commonplace it is no longer news.

    It's cheaper to hire someone who shouts random quotes from a NIST manual.
