back to article Cutting edge security: Expensive kit won't save you

We all want to protect our customer and employee data, but as the threat landscape changes and the publicly disclosed data breaches get increasingly larger, our approach may need to change. What constitutes "state of the art" information security in 2016? It’s tempting to create a listicle of 10 shiny new security tools that …

  1. Ian Michael Gumby Silver badge

    Two factor authentication is a start.

    Companies have switched to a two factor authentication. I love it.

    I have a token generator that uses a password that I created to generate a token/pin.

    I then log in using my LDAP/AD password and the token to establish my link.

    The same could be said for using a token generator on your phone too.

    If only my banks did this...

    Will it stop data theft? No. But it would make it harder.

    1. Anonymous Coward
      Facepalm

      Re: Two factor authentication is a start.

      Except if your computer resides on the same device as your phone and your computer is already compromised. The SMS msg can be intercepted and passed to a third party where they can use it to authenticate a withdrawl at their end.

      1. P. Lee Silver badge

        Re: Two factor authentication is a start.

        >Except if your computer resides on the same device as your phone

        Or indeed, if you run "unified comms" like imessage, it is unexpectedly no longer two-factor. Malware can make the banking request and receive/process the SMS auth codes without compromising the phone.

        Of course, it should be possible to tell imessage not to sync messages from your bank or with messages with some specific text in it, but that puts the onus back on users who rarely realise that there is even an issue.

        I suspect a large amount of effort should be directed at OS design, preventing successful attacks even if the users do something stupid, like running flash or some other randomly downloaded executable. I'm thinking of things like, jailed execution of web interfaces, manifests for executables which may include an "origin https url" which can have certificate and md256sum checks built in. Flags for executables which have the same name as other well-known executables from different domains. Flags for "you're installing program X, but it is trying to mess with something in the directory tree of program Y - are you sure you want to do that?" Clear library separation, so OS utilities can't be infected by application-installed libraries.

        I don't think all of these things are exceptionally difficult, neither do they prevent ultimate stupidity, but at the moment OS providers of all stripes (and yes, that includes my favourite FOSS OS as well as the OS' people actually pay money for) are not doing enough.

  2. John Stoffel

    So who pays for this in the outsourced world?

    So, the monkey in the room is who pays for all this? With companies under pressure to reduce costs, paying for a bunch of sophisticated and well trained guys (and gals!) to sit around monitoring logs and looking for threats is where on the priority list?

    This all sounds awesome, but it's hard enough getting them to buy firewalls, but asking them for a central logging infrastructure and the software to collate, sort and mine this for threats is going to be tough tough tough. Or it will get just tossed at the regular IT staff as another one of the multitude of things on their plate.

    Unless it's made part of PCI, or the insurance or regulators require this stuff, it ain't going to happen except in cindarella circumstances.

    John

    1. Mike Pellatt

      Re: So who pays for this in the outsourced world?

      Absolutely. Especially when it comes to properly managing "need-to-know" access granularity. It seems to me that it's impossible for this not to be a highly labour-intensive activity.

  3. Anonymous Coward
    Anonymous Coward

    PHB syndrome

    as well as the "who pays", there's also the "we've got firewalls, data diodes on secure systems, and antivirus, so we're secure and everything's fine" approach,

    The approach that ignores the fact that the only guy in the company who actually knows how the data diode works has now left, the antivirus uses 90% CPU so everyone tries to kill it if they can, and the firewalls didn't stop the guy who walked out with the sales database on a USB stick ....

    Latest and greatest toys & tools don't help if attitudes are PHB-ish.

  4. allthecoolshortnamesweretaken

    Expensive kit won't save you

    No, it won't. 'cos you ain't gonna get it in the first place.

  5. cschneid

    follow the (lack of desire to spend) money

    Corporation X will not be willing to pay for the skills outlined in the article until a well-publicised breach occurs. Staff possessing those skills will then be acquired and kept until the next round of redundancies. Repeat until this is so commonplace it is no longer news.

    It's cheaper to hire someone who shouts random quotes from a NIST manual.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019