by 15457345234 843 days ago
> everyone starts to take computer security seriously

Weren't the last big attacks literally carried out by hackers exploiting security software? As in, the SolarWinds thing, which was carried out on systems which were 'textbook secure'?

If you want a secure system, my advice would be to fall back to using dumb hardware terminals, VT100 style. Anything more complicated than that will have a backdoor.


Reuters said, "[t]he problems began last week after hackers gained access to Change Healthcare's information technology systems [...]" so it was probably because some airhead gave their login to the hacker over the phone. Social engineering accounts for 98% of all cyber-attacks. Highly intelligent people who are only accustomed to employing software don't understand this, because the only thing they're afraid of is their software getting exploited.

My money is on some un-upgraded backend/frontend stuff due to "compatibility" and/or lack of budget to hire people to keep things patched and up-to-date.

Blah, when it comes to a target that large, hackers will insert a contractor into the role who can secure the relevant credentials.

This is another reason the remote-work scenario is such an issue - it's so trivial when large numbers of people are working remotely to gain access to secure systems.

Why are we shipping software that’s hard on the outside and soft on the inside? We know our customers have employees that will be socially engineered. Heck, let’s not be smug, “we” have employees that will be too.
> software that’s hard on the outside and soft on the inside

So are tanks. And so are humans.

Security is opposite to usefulness. If you harden your system thoroughly to the limit of possibility, it becomes a rock. Systems are made to do something, so some parts need to actually do that thing.

The software in question is currently doing nothing.
> using dumb hardware terminals, VT100 style

Those VT-100 terminals actually have Z80 CPUs in them, but even so, they connected to VAX or other computer systems, which are generally networked.

I wouldn’t characterize SolarWinds as “security software”; the product that got hit was classic up/down monitoring software.
Fair enough, a no-bullshit discussion on how to actually achieve security should be part of the process.
The issue is, actually having that discussion becomes very hard, because a lot of 'security consultants' basically rely on the commissions they get from selling that type of inherently-creating-a-single-point-of-compromise managementware.

So all of the 'experts' you might draft in to give you helpful advice will be telling you exactly the opposite of what you should be doing, which is reducing your attack surface as much as possible; cutting down, not increasing, the number of apps installed.

And don't get me started on MDMs, which are basically a rootkit that's only as benign as the guy sitting behind the operator panel.