CISOs' newest fear? Criminals with a big data strategy

We again gathered an eclectic mix of IT execs including some CISOs, CTOs etc, in a secret bunker to discuss whether we’re winning the security battle. OK, the “bunker” was a meeting room under the Soho Hotel, but not only are we not winning, it is not even clear what winning actually means. On Target Our IT execs happily …

  1. Anonymous Coward

    comments like this...

    "Even the idea that any decent sized firm has a plausible list of all the systems they rely upon was met with a mixture of laughter and scorn."

    Bullshit. This just means that you aren't employing the right people, or if you are, they are overworked. Any network administrator worth their salt can tell you every device on the network, when they're used, where they connect, and what's running there. For example, if your developers start running production code in their lab, your network administrators should know about it, ...AND... have the power to get it relocated to a proper system and location.

    1. Thomas Whipp

      Re: comments like this...

      Wow.... I've never met a business at scale which could give a complete list of systems it relies upon, a network device centered view is vastly more narrow than what you need to consider.

      What about developers that reuse a single database server for multiple instances? (that ought to go through change control but might not) What about if they reuse a single database for multiple apps segregated by a table naming convention...

      Let's assume you get on top of the "server" type systems - what about the "applications" built in Excel, or Access (you are kidding yourself if you think you don't have any in your business - almost certainly within the Finance team).

      What about the cloud solutions which business teams have a tendency to buy via expenses (or use the free versions to avoid that control) - what about the cloud solutions provided by business partners?

      None of the above is theoretical; I've seen all of those as real-world examples - people just want to get their job done and if they think that the central IT options don't fit or are too slow they will go and find their own workaround.

      1. Anonymous Coward

        Re: comments like this...

        No, he's absolutely right... For example, how often have you heard of corporations having to go back and pay licensing fees for software that's been lurking on their systems for years? Never happens.

  2. Anonymous Coward

    Ever hear of ShadowIT? Do your systems notify you when someone runs an unauthorized program or uses a "cloud" service out of band? [Out of working hours? On unauthorized device? Unauthorized person/application despite blacklist, white list, or Hell toss in greylist?] If it does, you are totally awesome! We should worship the earth you have trod upon.

    Back in the real world, unless you monitor your email and/or logs in real-time, you'll pick up on this provided it's a monitored system. Eventually. Maybe? Eek! Yes, I do have this information, in real-time, pretty much anywhere I have a connection to "back home." But I haven't had a real life in forty years: My work is my life. Control freak much? Yep. And no, I don't jump on the user with combat boots when some user has done something "wrong." I've always figured that I'm here to support the business whatever form it comes in.

  3. amanfromMars 1 Silver badge

    NEUKlearer HyperRadioProActive IT for the Sublime Spearing of Phish in Phormation.

    Dominic, Hi,

    Thanks for that most probably highly accurate presentation of the current global vulnerability state of play in the fields of interest to those and/or that of a certain peculiarly defensive and particularly offensive ilk, whether registered and flying in the colours of public and/or private and/or pirate practice or not.

    Outside the world of critical national infrastructure, sharing of experiences and data is still too ad-hoc for many reasons, none of them good. The execs shared that their contracts of employment explicitly forbade them from sharing security or other important proprietary information.

    Methinks though, and it is no small matter and therefore well worth sharing, it is wiser to realise that even inside the world of critical national infrastructure, sharing of experiences and data is still too ad-hoc for many reasons, none of them good. And one imagines especially there, in the virtual realities that drive and deliver the myriad madnesses of mayhem for collapsing orders into chaos with CHAOS, that execs would share that their contracts of employment explicitly forbade them from sharing security or other important proprietary information.

    Clouds Hosting Advanced Operating Systems are where IT is at in the Dynamic Vector and AI Sectors with Global Operating Devices.
