  #1 f1assistance (Master Untangler), joined Apr 2009, Holly Springs, NC, 689 posts

    Compliance is Not Synonymous With Security

    We live in a world where logic, reason, and evidence can't be a basis for the herd's actions (that's simply wrong-think) :-J , but if it "feels" right to the collective, allow it, and force others to partake. Everyone gets cake...racing to the bottom is the joy of our technocracy. D'oh!

    "While many compliance standards do provide valuable guidance in areas such as data storage, user privacy, and breach disclosure, there are many more critical areas that they do not address. Security awareness, business continuity and penetration testing, employee education, and technical and policy controls are only a few of many such examples."
    https://www.securityweek.com/complia...ymous-security
    Last edited by f1assistance; 05-26-2018 at 04:25 AM.
    Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM

  #2 Sam Graf (Master Untangler), joined Feb 2016, Michigan, 460 posts

    This is a crucial sentence: “Threats evolve faster than compliance standards do.”

    Bad actors are solely responsible for this. Consider the scope of the task of developing standards proactively, against an unknown future threat landscape. Then consider the task facing a small business especially (our market here) in filling in the missing pieces even if standards could be proactive.

    But just as importantly, business sector technology moves slower than the bad actors. The article highlights record breaches in the medical sector. This is in part due to the slow pace of technology development in that sector. Even a brilliant SMB security protocol bumps up against hard technology limits.

    Compound all this with how SMB security actually happens. I can’t even find two rural building inspectors who agree on everything let alone someone capable of building a comprehensive security protocol tailored specifically for any given business. Security specialists aren’t typically educators (so they aren’t practiced at transmitting knowledge even if they think that’s important) nor are they typically team players. They are take-charge by nature, meaning any given geographic area populated primarily by SMBs has a mere handful of the expensive specialists to hire, and nobody is inspecting their work.

    This isn’t a herd problem. This is an infrastructure problem of vast proportions caused by bad behavior not primarily by business people but by unscrupulous bad actors who unfailingly have advantages superior to the resources of SMBs.
    Last edited by Sam Graf; 05-26-2018 at 06:10 AM.

  #3 f1assistance (Master Untangler), joined Apr 2009, Holly Springs, NC, 689 posts

    We have known for 30+ years how to protect our digital assets, and defend against binary threats. Unfortunately, few these days seem willing to make the hard choices required to accommodate such a domain...instead they hope the State will somehow safeguard them with policy. D'oh!
    Until we get back to a footing of TNO and deny risky behaviour, the charade of fear will simply continue...
    An admission that regulation protects anything is the height of irresponsibility, whining about our current state of technology doesn't secure a byte, and hope is not a reasoned strategy! #FrustratedByTheAmountOfIgnorance

  #4 f1assistance (Master Untangler), joined Apr 2009, Holly Springs, NC, 689 posts

    LOL Eating cake! From those who supposedly know better...stupid is as stupid does!
    A lesson and concerning description tells of how many separate systems touch and should reside in isolation...D'oh!

    "Years of Police Dashcam Video Lost in Atlanta Ransomware Incident"
    https://www.bleepingcomputer.com/new...ware-incident/
    Last edited by f1assistance; 06-06-2018 at 01:59 AM.

  #5 f1assistance (Master Untangler), joined Apr 2009, Holly Springs, NC, 689 posts

    More Barbra Streisand to convince the addicts they can have their cake and eat it too, that you simply have mis-configured your devices and apps...WRONG! The problem isn't you, but them...it's a surveillance platform working exactly as designed.

    Wake up, Neo...

    The Smart Grid has you...

    "Data Privacy: Why It Matters and How to Protect Yourself"
    https://www.linuxjournal.com/content...otect-yourself

  #6 sky-knight (Untangle Ninja), joined Apr 2008, Phoenix, AZ, 22,429 posts

    Quote Originally Posted by Sam Graf (post #2 above)
    Most of our risk goes out the window if we have systems that won't execute unsigned code. You can eliminate it entirely if you whitelist specific digital signatures of known trusted software vendors.

    Sadly, Microsoft has refused to make that sort of thing fully possible, much less easy to manage.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
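As an added illustration of the signer-allowlist idea in the reply above (example code written for this thread, not from the poster or from Untangle): a PowerShell audit that walks a directory tree, checks each executable's Authenticode signature, and reports what an allowlist of trusted vendor certificates would refuse to run. The root path and the thumbprint values are placeholders you would replace with your own.

```powershell
# Audit executables under a path against an allowlist of signing-certificate thumbprints.
# Added example for this thread; assumes Windows PowerShell 5.1+ (Get-AuthenticodeSignature).
param(
    [string]$Root = 'C:\Program Files',   # assumption: directory tree to audit
    # Assumption: thumbprints of leaf signing certs you trust (placeholders, not real values)
    [string[]]$AllowedThumbprints = @('<THUMBPRINT-OF-TRUSTED-VENDOR-A>', '<THUMBPRINT-OF-TRUSTED-VENDOR-B>')
)

# Normalise the allowlist to upper-case hex so lookups are case-insensitive.
$allowed = @{}
foreach ($t in $AllowedThumbprints) { $allowed[$t.ToUpperInvariant()] = $true }

$findings = Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint.ToUpperInvariant() } else { $null }
        # Order matters: a Valid status guarantees a signer cert, so $thumb is non-null by the ALLOWED check.
        $verdict =
            if ($sig.Status -eq 'NotSigned')        { 'UNSIGNED' }
            elseif ($sig.Status -ne 'Valid')        { "BAD-SIGNATURE ($($sig.Status))" }  # hash mismatch, untrusted chain, ...
            elseif ($allowed.ContainsKey($thumb))   { 'ALLOWED' }
            else                                    { 'SIGNED-BUT-NOT-ALLOWLISTED' }
        [pscustomobject]@{
            Verdict = $verdict
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Path    = $_.FullName
        }
    }

# Everything that is not ALLOWED is either a gap the allowlist would close or a vendor that needs a rule.
$findings | Where-Object Verdict -ne 'ALLOWED' | Sort-Object Verdict, Path | Format-Table -AutoSize
$findings | Group-Object Verdict | Select-Object Name, Count
```

Run it read-only first on a known-good machine to build the list of vendor thumbprints, then against the machines you manage to see how much of the installed base is unsigned or signed by someone you never chose to trust.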

  #7 Sam Graf (Master Untangler), joined Feb 2016, Michigan, 460 posts

    Maybe I'm making this harder than it needs to be. Consider the following real world SMB examples:

    Want to do on-line banking with _______ Bank? For everyone's protection, you must install and use ________ Bank's proprietary security software.

    Want to use ________'s remotely managed keyless entry system (for SMBs with more than one location)? You must install and use _________'s management software and _________'s hardware which must be allowed to communicate with each other over publicly open ports.

    Or these examples from the SMB medical world:

    Want to submit urine samples to ________ for lab analysis? You must use ________'s application software which must be remotely installed by _________.

    Need to operate an affordable (i.e., PC-based) ultrasound machine? You cannot update/patch the installed version of Windows XP because that will break the ultrasound application, but rest assured because Windows Firewall is factory configured.

    My point with all this is to illustrate how an SMB can quickly lose at least partial control of their own systems. Maybe enterprises have the resources to respond effectively to this sort of chaos. SMBs are less likely to be there. (Trusted? Compulsory?) Vendors are in the system. Everything from embroidery machines to ultrasound machines is on the premises.

    Who, ultimately, is managing all this proprietary stuff? Anybody? Is there any sort of shared security concerns here between vendors and SMBs, or is everybody just hoping for the best?

    Ugh.

  #8 f1assistance (Master Untangler), joined Apr 2009, Holly Springs, NC, 689 posts

    Yesteryear BYOD was a convoluted risk; today it is a serious and real unstoppable threat. We continue to voluntarily and intentionally allow this unmanaged menace into our environment and get exactly what we deserve. DOOM! Yes, we really are stupid enough to be responsible for our own demise because convenience trumps all...let's play dumb and cake for everyone!
    Wake up, Neo...
    The Smart Grid has you...

    "Your Phone Is Listening and it's Not Paranoia"
    https://www.vice.com/en_au/article/w...s-not-paranoia
    Last edited by f1assistance; 06-07-2018 at 03:44 AM.

  #9 f1assistance (Master Untangler), joined Apr 2009, Holly Springs, NC, 689 posts

    Quote Originally Posted by Sam Graf (post #7 above)
    Everyone is eating cake and hoping for the best! Everyone witnesses daily the worst consequence of our digital world unfolding right before their eyes, but continues eating cake...
    You have clearly identified multiple risks and exposed serious potential threats!
    As sentinels, we can sound the alarm and explain the potential for harm (it's not a matter of if, but when). And as you have rightly shown, the enemy is already within the gate(s) of our "supposedly" protected domain, out of our control (because we allowed it). At the end of the day, the business owner decides if they will be serious about compliance, and whether or not they'll "really" protect information they have and collect.
    We constantly allow 3rd party actors and devices the keys to our most valuable digital assets trusting they'll do what's right, and/or not do wrong.
    One of the reasons I'm an advocate of Untangle and the service provided, is it allows some pre-post action to guard against the 2nd biggest threat we face (the interweb).
    The #1 threat is still the user, and their ability to display zero common sense in an arranged environment built to lose is astounding but predictable. Administrative or root access for users is problematic, and non-plain-text email openly welcomes bad actors, which we've known for years and years...yet! There is much we can do to get serious about security, but won't!
    Most of us know the solution, but are unwilling to make the hard choice, we continue to allow reckless behaviour because we simply want to eat cake. We love cake! Everyone loves cake! There is a reason drug dealers don't consume the product they sell...Alphabet, Facebook, etc. function the same. They are not your friend!
    You don't want to suggest, like me, that we not have our cake and eat it too?
    Addiction to "cake" is what's really at issue and like our faith in big pharmacy, we're hoping for a magic pill to diminish the consequence of our continued negative choices, which we all know isn't coming...but yet we hope. Even knowing hope is not a strategy, we hope! We just need more hope!
    Look around, everyone is hoping and stuffing pie in their cake hole...or is it stuffing cake in their pie hole and hoping? Hmm...
    Now, the wizards of smart are suggesting everyone move to the "cloud" and rely completely on a 3rd party to do what we won't. Hmm...
    I see DOOM approaching and the ignorant dangerous attitude of "harmless data" pervades...no one can show where exactly the line between harmless and dangerous is...
    Our domain should be all about the boring serotonin and happiness as a long term solution, and devoid of most of the dopamine and pleasure hits brought by the cake everyone else loves so much. A real fun sucker I'm told! We all know how this story ends...
    Cake for everyone, it's on me! :-J I'll pass...
    Last edited by f1assistance; 06-08-2018 at 03:25 AM.

  #10 f1assistance (Master Untangler), joined Apr 2009, Holly Springs, NC, 689 posts

    And speaking of eating pie...get your dopamine hits where you can! They know exactly what they're doing, we don't...

    "Ordering Food via Touchscreen Is so Fun You Spend More Money When You Do It"
    https://futurism.com/self-serve-kiosks-mcdonalds/
    Last edited by f1assistance; 06-08-2018 at 04:45 AM.
