clrmoney
10/24/2017 2:20:31 PM
User Rank: Platinum
Security Need Human Touch
I think that they should do that because the virtual online is taken over by machines. We do need more humans doing security so you know it will be more accurate, in a way like the recruiting software that most companies have to sift through candidates to find the best person for the position, but I think it's wrong because they miss out on a lot of great people who are more than qualified to do the simplest work.

JohnBarnes
10/24/2017 2:34:13 PM
User Rank: Platinum
One of the few pieces I've seen that focuses on operations
Most of the security articles out there are about tactics -- changing passwords often, tracking former employees, where to put checkpoints, which of the various attacks and exploits are most likely to hit a given industry, etc. Almost all of the remainder are about strategy: the quest for the naturally secure architecture, emerging kinds of threat organizations, broad categories of new kinds of attacks, etc.

But between strategy and tactics lies operations -- how to support the tactics so that the strategy gets carried out -- and this is generally a very neglected area.  It's good to see Ray Watson's broad systematic thinking about operational issues like how much should be inside any one barrier (and the tradeoff between ease/frequency of successful attacks versus cost/damage); centralization and rapid update of credentials; defending against long-term penetration versus smash-and-grab (I would call it subversion versus raiding); and the separation of IoT from SDN/NFV for the foreseeable future.  Those are operational kinds of definitions. 

Great pair of articles. Would love to hear more from Ray Watson.

Joe Stanganelli
10/24/2017 2:57:01 PM
User Rank: Author
Re: One of the few pieces I've seen that focuses on operations
@John: Moreover, the practicalities of operations directly tie into strategy and tactics.

For instance, 94% of respondents in a recently published cloud-security study said that containerization results in less security.

Now, that may be technologically true -- and/or, rather, it may be operationally true as a matter of complexity, change management, etc.

Either way, however, it doesn't matter who or what you blame because the result (if these 94% are to be believed) is less security.

Ditto for any new technology. Any added complexity can lead to a negative -- even a net negative -- for security, even if it's a technology that's supposed to be technologically superior from a security perspective.

JohnBarnes
10/24/2017 4:22:13 PM
User Rank: Platinum
Re: One of the few pieces I've seen that focuses on operations
Joe, if nothing else there's a process rather similar to what happens when a crab sheds its shell (hint: guess why softshell crab is a delicacy!) or when the Little Pigs were running from the house of straw to the house of sticks to the house of bricks, i.e. even if at the end you're more secure, getting from Unacceptable to Much Better can involve being extra-vulnerable.

JohnBarnes
10/24/2017 2:54:34 PM
User Rank: Platinum
Maybe take a cue from Richard Thaler
Richard Thaler, who recently won the Somewhat Bogus But Still Respectable Nobel Prize in Economics, pioneered the economic implications of the idea that small incentives could be built into systems where voluntary compliance was important -- the things he likes to call "nudges." Seems to me that the eternal human problem that Ray Watson talks about here -- getting people to change passwords and choose good ones, not to provide access for other people who might not be supposed to have it, not writing down security information in insecure locations -- is exactly the situation for which Thaler's nudges are appropriate. Yet many security folk, all the way from the guy on the floor to the guy in the C suite, tend to think of security as "making" or "forcing" the user to do something added and inconvenient. There's a fertile field out there for seeing what might be done to make security enhancements the convenient, easy thing to do.

Simple example: around the world many intelligence agencies have a single font for a whole building (which drives quite a few people crazy, admittedly, since they feel their individuality is eroded if everyone must use Times New Roman).  They also have no unsecure wastebaskets and required turn-in dates for manuals (even if the manual is just a printout of a widely publicly available text).  The result is that their valuable secure documents go into the shredder with tons of low-value public documents -- and anyone trying to pick through the shredded paper will have to sort out the top secret menu from the Power Point manual, the notes from HR about meeting the United Way goal, and the letter outlining the new rules for coffee club.  No special policy of "always print random documents to add to the mix" and "make random documents resemble regular text in an appropriate language" and so on.  Just, the way the office runs, doing what comes naturally supplies all that chaff for increased security.

elizabethv
10/25/2017 8:29:09 AM
User Rank: Platinum
Re: Maybe take a cue from Richard Thaler
@John - first, I have to agree, only having the choice of Times New Roman would drive me up a wall too. I think the nudges are well combined with a theory I was taught by a work supervisor in my teens. 90% of people do what's right because there are practices in place that monitor them doing so. I have no idea where his statistic came from, or how accurate it is. I just know that's what he told me. So with that information, the nudges make sense. Even though we all know the basics for good security practices, sometimes a reminder that we need to "toe the line," so to speak, helps keep people on the right track.

JohnBarnes
10/25/2017 2:27:06 PM
User Rank: Platinum
Re: Maybe take a cue from Richard Thaler
ElizabethV,  That's almost exactly the opposite of what Thaler meant by nudges; his research showed that monitoring and supervision are often the more expensive and less effective way of doing things.  A nudge is making the thing you want people to do the easiest thing to do, so that they tend to just do that. So rather than have someone whose specific job is to mix the high-security documents with chaff in the same fonts at the shredder, you just disable all but one font and shred all the wastepaper; now, rather than doing the right thing (sort of) because a compliance officer is watching them, employees do the right thing because anything else requires too much effort.

That's also part of the reason why many companies impose so many requirements on passwords (mixed capitals and lowercase, special characters, numbers, narrow length requirements, etc.): it makes it hard to remember and type the password. The people coming into the secure area will then mess up and/or forget frequently, and if you also block them from using previous passwords, they now have to change their passwords at frequent irregular intervals -- which is what you really want them to do.

The whole trick of a nudge is to avoid supervision and monitoring, in favor of just making the desired behavior the easiest one.

srufolo1
10/25/2017 11:40:45 AM
User Rank: Platinum
Masergy's Watson
I agree that the human factor is the biggest security risk. Corporations need to stay on top of employees who have left, eliminate their passwords, and watch what employees are doing at work on the computer. It's a huge task. Someday I hope they get it right. I remember at one company I worked at there was a person who was working on a research project. When they left on bitter terms, they destroyed all the data and it had to be started from scratch.

JohnBarnes
10/25/2017 2:34:38 PM
User Rank: Platinum
Re: Masergy's Watson
srufolo1,

Classic case for a nudge (as well as for what the data scientists call reproducible results) -- require all reports to be generated from scratch beginning with library calls to access company datasets, and to be transmitted as code that the supervisor runs on the same library of datasets. Makes it difficult to fake or pretty up the results, and nearly impossible for a disgruntled employee to do much damage. As a side benefit it also makes recovery after oopsies, and finding "that one cool result we got last March, or was it February?" much easier.

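The "reports as code" arrangement JohnBarnes describes above, as an added illustration (this is not the commenter's code and not any product of Masergy or Ray Watson). The dataset, the report function and the library name `load_dataset` are all assumptions made for the example: the analyst hands in the code that produces the result plus a digest of that result, the supervisor re-runs the same code against the canonical dataset and accepts it only if the digests agree, and the library hands out read-only rows so report code can neither alter nor delete the underlying data.

```python
"""Reports as re-runnable code: the result that gets reviewed is whatever the
submitted code produces against the canonical dataset, not a hand-edited file.
"""
import hashlib
import json
from types import MappingProxyType

# Constructed sample data standing in for a company dataset (assumption; a real
# deployment would serve this from a versioned, access-controlled store).
_SALES = (
    {"region": "north", "quarter": "2017Q1", "revenue": 120.0},
    {"region": "south", "quarter": "2017Q1", "revenue": 80.0},
    {"region": "north", "quarter": "2017Q2", "revenue": 95.5},
    {"region": "south", "quarter": "2017Q2", "revenue": 104.5},
)


def load_dataset(name):
    """The single sanctioned data-access path (hypothetical library call).
    Rows come back as read-only mappings inside a tuple, so in-place edits or
    deletions from report code raise TypeError instead of touching the data."""
    if name != "sales":
        raise KeyError(f"unknown dataset: {name}")
    return tuple(MappingProxyType(dict(row)) for row in _SALES)


def quarterly_revenue_report(load=load_dataset):
    """An analyst's report: a pure function of the dataset, nothing hand-typed."""
    totals = {}
    for row in load("sales"):
        totals[row["quarter"]] = totals.get(row["quarter"], 0.0) + row["revenue"]
    return {"by_quarter": totals, "grand_total": sum(totals.values())}


def digest(result):
    """Canonical serialisation so identical results give identical digests."""
    blob = json.dumps(result, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def submit(report_fn):
    """Analyst side: what is transmitted is the code and the claimed digest,
    not a spreadsheet of numbers."""
    return report_fn, digest(report_fn())


def review(report_fn, claimed_digest):
    """Supervisor side: re-run against the canonical library and compare.
    Returns (accepted, freshly computed result)."""
    result = report_fn()
    return digest(result) == claimed_digest, result


def tamper_attempt_blocked():
    """Show that report code cannot modify the dataset through the library."""
    rows = load_dataset("sales")
    try:
        rows[0]["revenue"] = 0.0
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    fn, claimed = submit(quarterly_revenue_report)
    accepted, result = review(fn, claimed)
    print("honest submission accepted:", accepted, result)
    # A "prettied up" figure submitted without code that reproduces it fails.
    forged = digest({"by_quarter": {"2017Q1": 200.0, "2017Q2": 250.0},
                     "grand_total": 450.0})
    print("forged digest accepted:", review(fn, forged)[0])
    print("dataset mutation blocked:", tamper_attempt_blocked())
```

The recovery benefit the comment mentions follows from the same design: because every result is a function of code plus a named dataset, re-running last March's report is a matter of re-executing its script, and a departing employee who only ever had read access through `load_dataset` has nothing to destroy.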
elizabethv
10/26/2017 8:05:36 AM
User Rank: Platinum
Re: Masergy's Watson
@srufolo1 - my company recently had a data breach - my understanding is that it came through our email system. It was caught right away and handled, and we are a small company, so it wasn't newsworthy in the slightest. But it never occurred to me that the offender might have somehow been tied to an ex-employee. Nothing was said to me about how it might have happened, I'm just thinking at this point. Especially given that it really doesn't make sense to breach the data of my employer, given that we don't have stored credit card information (we don't do that kind of business) and we really are very small. So I have no idea what kind of information might have even been taken. An ex-employee seems to make the most sense.

srufolo1
10/26/2017 9:34:11 AM
User Rank: Platinum
Re: Masergy's Watson
@elizabethv  A disgruntled employee can do a lot of damage. For data of a huge listing or report to be published just weeks before all the data is destroyed and to start over is a big deal. It doesn't matter what the hacker is going after, either to create havoc or to steal credit card info or social security numbers.

dchampagne70
10/30/2017 11:03:39 AM
User Rank: Silver
Masergy's Watson
I agree that security always has to have the human touch to it. I just don't know if it's a 100% good choice. Well, I think part of the reason why many companies impose so many requirements on passwords (mixed capitals and lowercase, special characters, numbers, narrow length requirements, etc.) is that it makes it hard to remember and type the password.

dlr5288
10/31/2017 8:15:42 PM
User Rank: Platinum
Re: Masergy's Watson
Definitely agree. I get why they’re doing it. However, sometimes it will take me a few tries to remember my own! That’s why I try staying logged in most of the time.
