The TAO of Security: Risk Management & Disaster Recovery

  • Thread starter airborne18
In summary, technology has gotten to the point where bandwidth is cheap and there is instantaneous communication from the desktop to the portable phone across a global enterprise. This has led to a situation where decision makers find the exception and introduce fundamentally flawed ideas into the workflow and technology of an organization.
  • #1
airborne18
Security, Risk Management, and Disaster Recovery is one area where I am an expert (worked for SunGard, years ago).

Since we are scientists, technologists, and overall rational people on this board, I will post some insights into this, and hopefully you can apply this where you work and live.

Technology has gotten to the point where bandwidth is cheap and there is instantaneous communication from the desktop to the portable phone across a global enterprise.

The mantra is that 'we do because we can', and that is the largest threat to organizational security. You hear people say that an older network was more secure, and it was, because primitive technology in itself was poor in features and thus did not present the opportunity for security breaches.

We let marketing departments of product vendors convince us to compromise common sense for the sake of convenience and gadgetry.

Networking hardware vendors want everyone in your organization downloading porn at blazing speeds. Back when network bandwidth was expensive (both from the standpoint of hardware and connection bandwidth) decisions concerning email and the internet were taken seriously. The receptionist did not have internet access, and email was limited.

Introducing wireless routers into your organization creates a massive security hole. As does handing everyone a smart phone with apps that tie back into your organization.

Every time someone leaves the building with a laptop, that is a security risk.

It has gotten to the point where decision makers find the exception, and convince themselves that it is a justification to introduce fundamentally flawed ideas into the organization's workflow and technology.
 
  • #3
I really have to disagree with this. Security is one thing, but cutting off people from their ability to work makes no sense.

I have had my work disrupted and circumvented by overzealous corporate system administrators who couldn't care less about what we are in business for. For example, last year they cut off access to downloading Firefox because it wasn't an "approved browser". It never occurred to them that our customers preferred it and we (and many other projects in the company) were contractually required to test software with it. Our only choice was to download it outside of work and install it that way - real nice security courtesy of the admins. We also have admins that regularly cut off previously agreed-to ports that are being used by our customer. It's so much fun to spend an entire day re-explaining why that port has to be available.
airborne18 said:
The mantra is that 'we do because we can', and that is the largest threat to organizational security. You hear people say that an older network was more secure, and it was, because primitive technology in itself was poor in features and thus did not present the opportunity for security breaches.

We let marketing departments of product vendors convince us to compromise common sense for the sake of convenience and gadgetry.
Older networks were not more secure because of a lack of features - there just weren't as many viruses and trojans as there are now. There are lots of people who still use primitive technology and they are at the most risk. You seem to advocate cutting off the use of all technological advances. Why not just unplug everyone from the internet and do away with computers entirely? That would be very secure but it wouldn't be realistic either. Network security is an ongoing endeavour that has to be balanced with the needs of an organization AND changing technology.
airborne18 said:
Introducing wireless routers into your organization creates a massive security hole. As does handing everyone a smart phone with apps that tie back into your organization.

Every time someone leaves the building with a laptop, that is a security risk.
There is such a thing as encryption. It can be used in each of these cases. My laptop's entire hard drive is encrypted along with other security measures. Good luck getting any data off of it if it gets stolen.
 
  • #4
Borg,

First, I am talking much older networks. You cannot have a virus if the server does not execute data coming in a network pipe. You can't put a virus on a Novell server, not the old ones. Try installing an NLM over the network. It was a lack of technology. I think it is timeframe. I am talking back a bit farther. Back when TCP/IP was a curiosity.

Am I saying we should go back to that? No, but it illustrates how convenience and distributed applications with the open connectivity from any workstation to the internet has really created a security challenge.

And there is no way to secure a wireless network. That is not a theory. Yes there are technologies, but it requires expensive technology which is not even available to the home user.
A laptop and a $200 investment and a few applications and you can hack any wireless network. So if you can access your wireless network, what do you think is preventing anyone else? Does your router lockup if someone attempts too many tries at the passkey? Nope.
Even limiting it by wireless card machine ID is easy to hack.

There are ways to limit the risk, but it is very hard to eliminate it. The military and government do it because they have no limit to budget, but companies do have a limit.

One way you can help yourself is to not broadcast the SSID and change the passkey every day. Plus you can limit connections by the Machine ID of the wireless cards. It is really a numbers game. How many permutations the application cracking your network will have to perform. It will eventually do it, so by changing the parameters you limit the window.

I cannot tell anyone how to hack anything, it is a contractual thing, you cannot get certified if you break the ethic. But it is not hard. Just keep in mind that if you have wireless coverage outside your home or office, then anyone has coverage. So limiting the range is one way to really help prevent.

Again it goes back to who is minding the store. Just because Cisco creates the ability to do X, there is no reason everyone has to buy it. They are selling a product, so they will push technology to the limit. It does not mean you have to buy into it.

And the issue with connectivity. Remember proxy servers? Well they are back in vogue again, and the reason is not to save money on the cost of bandwidth as they were intended. Now it is for security.

And no, there is no reason for everyone in the company to have internet access. It kills productivity and it is a security risk. Any reason that a bank teller needs internet access? Considering the application that can access anyone's financial information is on the same workstation?

 
  • #5
Keep this in mind about security.

There is not a single off the shelf solution, and you have to think in terms of security in its entirety.

I am not talking about the government, but your corporate, small business, or home. It is not a matter of if you have a security risk, you always do, no matter what you use. Cracking any security scheme is really just a numbers game, and opportunity.

Any scheme can be cracked. How do you think Law Enforcement gathers computer evidence? In Delaware they go after child pornography aggressively, and they nail people who download. I won't get specific, but there has not been a single computer system that they have not been able to recover evidence from, not one. (I really cannot go into it, but trust me, it is very easy to recover information.)

The hasp key type solutions are good, don't get me wrong, but it is not the sole solution. And the software driver encryption for hard drives is good, but it has some flaws. And performance is not the only drawback.

Besides, if you are taking your laptop to a public access point people do not need your computer, you have basically attached your system to an open network.

Every packet on a wireless network can be captured, encrypted or not. And the access point itself is open to anyone. Would you let anyone walk in your work and plug into a network connection? Actually that is less of security risk than wireless network, because depending on the switch, they cannot see all the network traffic.

For your own home network, you can do a simple exercise. Walk around the house with your laptop and see how far you can still connect to the network. If you want outdoor internet access then get another wireless router that can only connect to the internet, and then move the other router to a position that is not accessible from outside the house.

If you have issues moving the router, then buy window film that blocks the broadcast from going outside.

Sounds like common sense, it is. But you have to think about security at every level.

Another thing. Delete the default accounts in whatever software you install. Why give someone an easy way to hack, if they know the default accounts then they really only have to figure out the password.
 

What is the TAO of Security?

The TAO of Security is a risk management and disaster recovery framework designed to help organizations protect their assets and mitigate potential threats. It emphasizes a holistic approach to security, taking into account not just technology, but also people and processes.

Why is risk management important?

Risk management is important because it helps organizations identify and assess potential threats to their assets, allowing them to prioritize and implement controls to mitigate those risks. It also helps organizations make informed decisions about resource allocation and ensure business continuity.

What is the difference between risk management and disaster recovery?

Risk management is the process of identifying, assessing, and mitigating potential risks to an organization's assets. Disaster recovery, on the other hand, is the process of preparing for and responding to a disaster or major incident that has already occurred. While risk management aims to prevent or minimize the impact of potential risks, disaster recovery focuses on recovering from an actual event.

How does the TAO of Security incorporate disaster recovery?

The TAO of Security incorporates disaster recovery by emphasizing the importance of business continuity planning and incident response. It encourages organizations to have a plan in place for how to respond to and recover from a disaster, and to regularly test and update this plan as needed.

Can the TAO of Security be applied to any organization?

Yes, the TAO of Security can be applied to any organization, regardless of size or industry. It is a flexible framework that can be tailored to the specific needs and resources of each organization. However, it is important to note that the level of risk and potential threats may vary between organizations, so the implementation of the TAO of Security may also vary.
