Whats the point in securing anything?

_Tombstone_

Everything and everyone is getting hacked. Pointless.

If it's connected to the Net you have to assume whoever wants to read it can so the only thing to do if you want to secure something is to keep it off the Net. The whole security industry seems pointless. Unless it's a dude with a gun doing the securing.

uck51js9zml2yt

I'll send you my details so you can give me your bank account login so!

liamo

You could make the point that burglaries are on the increase and there's no point in owning a house as it will just get burgled. The security industry is pointless as you can't actually stop burglaries, you can only make it more difficult. And the best security for a house is a gun-toting resident.

I've been burgled a few times over the years and I've learned from each one. I'm now less likely to be burgled and, additionally, I'm better able to deal with the consequences of such an event.

That can be applied to the infosec industry as well. You must assume that a skilled, motivated and resourced attacker is going to breach your defenses and you must make plans accordingly.

Your strategy will be influenced by your own risk profile. What are you trying to protect? Are you high profile? What are the consequences of a breach? How will you react? Will you even know? What can you do?

We're (my employer) moving towards a position of "assumption of breach". That is, although we will take reasonable precautions to prevent a breach, we are assuming that, eventually, we will experience a breach and must plan accordingly.

I'm afraid that this is simply the nature of the industry we're in and this is what we've got

You could perhaps take encouragement from constantly building, measuring and improving your systems. You can't absolutely guarantee the security of your site(s) but you can do your best to reduce the likelihood of a breach and be ready to deal with the fallout of a breach, should it occur. I don't think anyone can do more than that.

_Tombstone_ wrote: »

Everything and everyone is getting hacked. Pointless.

If it's connected to the Net you have to assume whoever wants to read it can so the only thing to do if you want to secure something is to keep it off the Net. The whole security industry seems pointless. Unless it's a dude with a gun doing the securing.

seamus

It's a risk -v- reward payoff.

If the risks of having a dataset connected to the internet outweigh the rewards of it being there, then you have to ask yourself why it's connected.

In virtually all cases, the value of the data if it were to be compromised is far below the value served by having the data on a web-accessible computer.

To use the burglary analogy above again - it's a bit like saying that the alarm industry is pointless - so long as windows and doors exist, someone can break into your house.

But a house without windows and doors has no value. The same things which make the house insecure are the things which make it valuable. Such as it is for data - disconnected from the Internet, it has no value.

syklops

Two men are walking in the jungle when suddenly a cheetah jumps down from where it was lying on a tree branch and starts to circle the men, hungrily. One of the men, throws off his rucksack, and starts pulling on a pair of Nike Air max running shows. He's friend says to him:

"Larry, there is no way you can outrun a cheetah. No matter what fancy footwear you have".

The man looks up as he finishes lacing the second shoe and says "I don't need to outrun the cheetah. I just need to outrun you.

Everything and everyone is getting hacked. Pointless.

I run a number of systems online and I've never been hacked. Why not? Well I use decent precautions. Remote access is done over SSH which has no known vulnerabilities. My passwords are long and I review logs regularly.

I've done Pen tests for corporate and government organisations who didn't employ a third of the security that I use for the few machines I manage.

As soon as you employ a few basic security measures, you become much less attractive to would be hackers, who instead go after the low hanging fruit.

AnCatDubh

_Tombstone_ wrote: »

whoever wants to read it can

I think it was Bruce Schneier who recently noted that anyone with enough motive, skills, and money will most certainly get past your information security defence. 'enough' is determined by the 'prize' or benefit that someone would get from penetrating a systems defences. That makes for an interesting equation when you think about it.

In terms of Information Security, the trick I guess is to invest sufficiently such that a counter investment of motive, skills, and money makes the 'prize' unattractive or unworthy of infiltration. Assess what is the 'prize' at the end of it for a would be hacker's unauthorised access, and invest accordingly. I think this is what many organisations don't 'get'.

I think there isn't anything impenetrable, rather there are levels or layers of difficulty that you may apply depending on what your 'prize' is to prevent your 'prize' from being accessed without authorisation.

Vallorrous

_Tombstone_ wrote: »

Everything and everyone is getting hacked. Pointless.

If it's connected to the Net you have to assume whoever wants to read it can so the only thing to do if you want to secure something is to keep it off the Net. The whole security industry seems pointless. Unless it's a dude with a gun doing the securing.

If you believe that what are you doing in the Information Security forum?

Seriously though it is possible at the very least to protect yourself from passive monitoring of your web traffic.

If you want to play a silly game where you say but what if your adversary has X, you can keep talking 'til the cows come home, as you can just say you have Y.

-- OMG What if the NSA has some huge-super duper Quantum computer and is decrypting all your web traffic?
-- Yeah well that's not currently feasible even with a quantum computer as I connect via a VPN secured by AES 256 encryption.
-- Yeah but what if they subpoena your VPN provider?
-- I'm paying oodles of Bitcoins to a VPN provider based in Iran.
-- Yeah but what if they send in the SEALs to raid the VPN bunker and get all your traffic?
-- That's not very likely but it wouldn't do much good, I paid for the VPN with Bitcoin, that I bought with cash.
-- Yeah but maybe the Police were following you around and saw you buy some Bitcoins?
-- Well I doubt they'd know what it was for...
-- Yeah but maybe they also were in a van outside your house listening for your key presses as you logged into the VPN website and saw you pay?
-- I use an onscreen keyboard and 2FA.

etc. etc.

Vallorrous

AnCatDubh wrote: »

I think it was Bruce Schneier who recently noted that anyone with enough motive, skills, and money will most certainly get past your information security defence. 'enough' is determined by the 'prize' or benefit that someone would get from penetrating a systems defences. That makes for an interesting equation when you think about it.

In terms of Information Security, the trick I guess is to invest sufficiently such that a counter investment of motive, skills, and money makes the 'prize' unattractive or unworthy of infiltration. Assess what is the 'prize' at the end of it for a would be hacker's unauthorised access, and invest accordingly. I think this is what many organisations don't 'get'.

I think there isn't anything impenetrable, rather there are levels or layers of difficulty that you may apply depending on what your 'prize' is to prevent your 'prize' from being accessed without authorisation.

It's also quite possible to build a practical security system. The "How Secure is My Password" website tells me that it'll take over a gazillion or whatever years to crack my password.. I only actually need it to be good for another 50 or so!

It's important to bear in mind that most encrypted data has a time frame beyond which investing any further effort in breaking it would be useless, so saying that that your data is theoretically insecure doesn't really change anything.