Nice People Thread No. 14, all Nice and Proper

Generali

kabayiri wrote: »

You don't even need separate computers. You can build up security in depth on a laptop. I've used one of mine in a work context, using virtualisation at the hardware level. It was signed off in a secure facility too, but I can't go into details. Obviously, you need to know what you are doing.

I suspect that they worked on the basis that if it's completely separate nothing can go wrong. Rather like Governments are increasingly using typewriters (supposedly). Can't hack those suckers.

kabayiri

vivatifosi wrote: »

...
It beggars belief that a major comms company could be on its third large scale breach in a year and still not done this. That shows either massive naivety or total disregard for their customers.

It boils down to *money* and time pressures : pressure to get projects in on time.

Security is not a specialist subject to most PMs. Most PMs are not that technically aware. Data security even less so. They plan security testing too late in the project.

Breaches using methods we are not yet aware of will happen in the future. You can build containment methods though.

I presented my boss a while back with hundreds of thousands of customer records on an USB stick, to illustrate that the system wasn't secure yet ... even though the security consultants had signed it off. He was, err, surprised to say the least!

michaels

kabayiri wrote: »

You don't even need separate computers. You can build up security in depth on a laptop. I've used one of mine in a work context, using virtualisation at the hardware level. It was signed off in a secure facility too, but I can't go into details. Obviously, you need to know what you are doing.

Isn't 'virtualisation at the hardware level' pretty close to having a separate computer anyway?!

michaels

kabayiri wrote: »

It boils down to *money* and time pressures : pressure to get projects in on time.

Security is not a specialist subject to most PMs. Most PMs are not that technically aware. Data security even less so. They plan security testing too late in the project.

Breaches using methods we are not yet aware of will happen in the future. You can build containment methods though.

I presented my boss a while back with hundreds of thousands of customer records on an USB stick, to illustrate that the system wasn't secure yet ... even though the security consultants had signed it off. He was, err, surprised to say the least!

Lucky you didn't drop the usb stick on the train on the way to the meeting....

kabayiri

michaels wrote: »

Isn't 'virtualisation at the hardware level' pretty close to having a separate computer anyway?!

Indeed. For those interested, googling vt-x is worthwhile.

Intel were a bit inconsistent in their support for it amongst first gen "core" processors though. I think they saw the feature as a premium item, in higher end models.

kabayiri

michaels wrote: »

Lucky you didn't drop the usb stick on the train on the way to the meeting....

Aren't all work USB sticks encrypted nowadays? Plus, nobody held onto a USB stick overnight. They were logged into a safe every night.

None of this in itself is perfect of course. It's about defence in depth.

I think we should talk about general cases now...not specifics.

kabayiri

michaels wrote: »

It is only names, addresses, bank details, dob, email address so nowt serious :eek: - and what odds that passwords weren't encrypted either? Honestly for a large company to fail to secure customer data should be a criminal offence on the part of the directors, clearly the incentives are all wrong at the moment.

We can only speculate at the moment because of a lack of knowledge. Most of these press releases are guarded, to say the least, probably to protect reputation.

I suspect they realised on Wednesday that someone could access the production database via a website weakness. Someone is going to be busy trawling the server logs!

This weakness was possibly introduced due to an error during an upgrade; it's unlikely it was there for a long time.

Plus, the database should not hold unencrypted passwords.

Hopefully, they will have implemented Layered Defense.

Generali

@kabayiri - What should someone who is an ordinary mortal with kids that will just download any old crap because their mate did do as some basic steps to protect themselves?

PasturesNew

Generali wrote: »

@kabayiri - What should someone who is an ordinary mortal with kids that will just download any old crap because their mate did do as some basic steps to protect themselves?

Put the kids up for adoption. This has the added bonus of freeing up your weekends to drink beer and watch telly uninterrupted.

kabayiri

Generali wrote: »

@kabayiri - What should someone who is an ordinary mortal with kids that will just download any old crap because their mate did do as some basic steps to protect themselves?

I didn't say I was a kids expert! Most kids have an innate ability to find any malware going.

You can run win10 preRelease in a Virtual Machine. That might be a bit OTT though.

Make sure you use the parental settings. If its windows/MAC have an antivirus and malware software installed. Have their own laptop perhaps?

I wish I could give better advice, but my kids ignore me!

DD's laptop runs Ubuntu. She hates it of course because its not a shiny Macintosh laptop. Suits me fine

You can dual boot Ubuntu with Windows easily on a laptop. That would isolate different functions.