by zobzu 4148 days ago
The security products aren't great, true, but the people working as security engineers in companies are often quite decent.

It seems to me that it's the usual issue. People don't see the need for protection until they've been hit. It seems to be a cost that doesn't make sense to them. They don't even care anymore.

Then they get hit hard. But it can take years.


I've actually had the exact opposite experience. Security Engineers at most companies have no idea what they're doing beyond running the scanner and parroting whatever it spits out.

"The scanner says your server is vulnerable"

"Ya, we patched that vulnerability weeks ago"

"The scanner says it's vulnerable"

"OK.... looks at scanner - oh, it's just reading the banner, and not taking into account that the major rev didn't change, it's patched"

"The scanner says it's vulnerable"

"OK... so what if I change the banner so it doesn't pick it up as vulnerable?"

"The scanner says it's secure now, thanks!!"

The guys who know their stuff in security generally have a desire to actually get paid well, and have time to do legitimate research. They don't really have a desire to sit in a corporate job dealing with the mountains of bureaucratic bullshit that go along with security in a corporation. Do you really want to be the guy who gets thrown under the bus because you had to disable strong passwords because the CEO was angry he needed both upper and lower case letters in his AD password?
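The scanner exchange above is a classic banner-matching false positive turning into a false negative. As an added illustration (not code from the thread or any real scanner), the snippet below contrasts a banner-only check that silently treats anything it cannot parse as "secure" with one that honours backported fixes and reports an unparseable or hidden banner as "unverified" rather than safe. The version threshold and the backported build string are constructed sample values, not real advisories.

```python
import re
from typing import Optional, Tuple

# Constructed sample rule: builds below this version are assumed affected.
MINIMUM_FIXED = (2, 4, 50)
# Constructed allowlist of builds where the vendor backported the fix
# without bumping the version string the banner shows.
BACKPORTED_FIXED_BUILDS = {
    "Apache/2.4.41 (Ubuntu)",
}

BANNER_RE = re.compile(r"^(?P<product>[A-Za-z-]+)/(?P<ver>\d+(?:\.\d+)+)(?P<rest>.*)$")


def parse_banner(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version tuple from a 'Product/x.y.z ...' banner, or None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group("ver").split("."))


def naive_verdict(banner: str) -> str:
    """Banner-only logic as described in the thread: compares the advertised
    version and, crucially, treats an unparseable banner as not vulnerable
    (fail-open), so rewriting the banner 'fixes' the finding."""
    ver = parse_banner(banner)
    if ver is None:
        return "secure"
    return "vulnerable" if ver < MINIMUM_FIXED else "secure"


def careful_verdict(banner: str) -> str:
    """Same input, but backported builds are honoured and a banner that
    cannot be parsed yields 'unverified' (fail-closed) so it is queued for
    an authenticated package-level check instead of being marked safe."""
    stripped = banner.strip()
    ver = parse_banner(stripped)
    if ver is None:
        return "unverified"
    if ver >= MINIMUM_FIXED or stripped in BACKPORTED_FIXED_BUILDS:
        return "not vulnerable"
    return "vulnerable"
```

The "unverified" outcome is the point: a scanner that cannot establish the patch level should say so, not report success because the banner changed.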

>Do you really want to be the guy who gets thrown under the bus because you had to disable strong passwords because the CEO was angry he needed both upper and lower case letters in his AD password?

Except those strong password policies don't strengthen security at all, neither in theory nor practice. Congratulations, the CEO's password is now "qweRTY" and it's written on a yellow sticky-note on his monitor.

A post-it note on his monitor of a secure password (they generally require a number or special character, as well as being 8 characters long) is actually better security than an extremely simple password. I can have him lock his office door... I can't prevent someone from brute forcing the password he's re-used on every site on the internet.

I literally tell my parents to have a secure password they write on a post-it note. The odds of someone breaking into their house for their password are about 1/10000th the odds of someone cracking their simple password on a website and getting the keys to the kingdom.

True that about the security engineers, but they are at the mercy of products that claim to distinguish good from bad and this has never worked, IMHO. How the hell can you write signatures against malware/documents/web-sites/files/attacks/blah when there's so much diversity and quantity of stuff to keep up with?

Disclaimer: I built the first IPS to be commercialized and yes we used signatures amongst other things.