Posted by Andrew DeFaria on 09/05/05 09:51
Jerry Stuckle wrote:
> Andrew DeFaria wrote:
>
>>> Small and medium sized businesses and U.S. Government, mainly.
>>
>> Name names. I cannot tell if I've worked on any of your customers'
>> systems without such info!
>
> I'm sorry - I don't give out my customers' names - especially in a
> public forum!
Then I cannot answer your question.
>>> But weak passwords are often how these things are hacked.
>>
>> That may be, however that was not what was being discussed here.
>
> We were talking SECURITY - and passwords are part of it.
No we were talking about needless replication of data in the name of a
false sense of security...
>>> No, but we ARE talking about protecting data.
>>
>> So what? We are talking about protecting data even without any stated
>> requirement that the data needs protection. That's putting the cart
>> before the horse.
>
> And a LOT of companies don't realize their data needs protection -
> because they don't understand the risks and consequences.
And a lot of companies don't need the security you are pushing.
> As a consultant, part of my job is to identify possible risks and
> inform my customers of them.
Yes, but I still remain unconvinced that such a need exists. And you
can't tell if it's necessary either. Neither of us has the specs,
requirements, etc.
>> As it turns out the system involved is not facing the "outside world"
>> anyway. IOW security requirements are not as broad as you incorrectly
>> assumed.
>
> If the database is being directly accessed by the web site, it is
> facing the outside world. Anyone hacking the web site can really
> screw up the database.
No, you are wrong. The data is not facing the outside world - it's in the
intranet and not accessible by the outside world. It is accessible to
the inside world, as it were. (Later you admit that you have knowledge
that this is an intranet-only situation. Why then do you say "If the
database is being directly accessed by the web site, it is facing the
outside world" when it clearly is not - at least not in most people's
common usage of "inside world" = intranet and "outside world" =
internet? Are you just trying to be argumentative?)
> And I did not "assume" anything. I pointed out a potential risk and
> how to prevent it.
You assumed there was a need for security did you not?
> It is up to the consultant and the company to determine if the risk is
> valid and my solution is necessary.
You're selling FUD, plain and simple. Most security people do - that's
their thing.
> But you incorrectly assumed the security requirements are not at all
> necessary.
I stated my opinion, that it was overkill, especially given the lack of
a security requirement at all.
>> Yes and I still believe it is unnecessary especially lacking a stated
>> requirement.
>
> Not understanding the customer's situation, you really have no idea.
Nor do you. In general, however, if you are exposing parts of your
database to update from a web interface and wish to have other parts
remain secure, then most DBMSs provide various forms and ways to
accomplish such security. It is reasonable to assume that the whole damn
database is not open wide to anybody who gets in; therefore the idea of
having to replicate just parts of the database so as to keep the other
parts "safe" seems ludicrous to me, because it assumes that there is
absolutely no security implemented in the database to start with.
>>> It adds very little complexity to the system.
>>
>> I disagree. It adds complexity to the system. If, or rather when, the
>> synchronization breaks down and needs attending to, it adds to the
>> workload.
>
> Have you ever done it? I have many times. I've done it on DB2, SQL
> Server and Oracle.
>
> If synchronization breaks down, that's a major problem with the
> database. But it's a lot LESS of a problem than if the database gets
> hacked!
As I said, and you seem to agree, it adds complexity and yet another
point of failure. What we are really arguing is whether such added
complexity is worth it. It may be, if the data is highly confidential and
requires extra security measures. Your assumption is that it does. What
you base that assumption on is questionable to me, as you have not seen
the specs. My assumption is that it does not. What I base my assumption
on is the lack of any clear statement of required security. Hey, it may
very well require such security precautions or even more. But so far
that still has not been specified.
>>> But a large step in security.
>>
>> I would beg to differ that it's a large step in security at all, but
>> nonetheless a step in security that was not asked for.
>
> Right.
So it should not be implemented unless requested (or unless you really
know the data and feel the company is risking things perhaps not knowing
the risks involved but again we don't know that).
>>> Sure it is. For instance - the FCC has my SSN in its database.
>>
>> So does Albertsons or any of a host of other businesses much less
>> "secure" than your blessed FCC. A false sense of security is what one
>> gets when they secure one place and fail to recognize that there are
>> thousands of other places that would-be thieves would probably use to
>> get such info.
>
> I'm familiar with Albertsons as a company. While I don't know about
> their IT department in detail, if they are anywhere near as competent
> as the rest of the company, their critical data is not live on the web.
Expand that to a myriad of other companies that have the same info. Do
you really believe that your SS# is secure at every company that has
that info?
>> If your SS # is replicated to the external database then it would be
>> as exposed to capture as if the database was not replicated. Besides,
>> and real world, your SS# is probably available from many other
>> sources anyway.
>
> But my SSN is NOT replicated to the external database.
Did you miss that first word where I said "If"?
> Part of security is to replicate ONLY THE REQUIRED DATA.
Thus making such data less useful. Then again it's hard to say that
because again (I know I sound like a broken record) neither you nor I
have any inkling of the requirements and needs of this web application.
Maybe the SS# is required. Maybe even it needs to be available for
update. We just don't know the specifics. We could continue to speculate
if you like but I really don't see the point.
>>> Remember - YOU brought up the subject of government systems. I just
>>> gave you a real-life example of YOUR subject.
>>
>> And I fail to see how it's relevant at all. We have no clear security
>> requirements stated, yet you put forth recommendations based on
>> FUD. We have no indication of what the data is, nor whether it
>> contains personal or confidential data, nor an estimation of its
>> value. We didn't even have any indication of whether or not the data
>> was available to the masses or confined to an already secured lab
>> (turns out it's Intranet only).
>
> Of course you don't. You don't understand security basics.
Yeah, right. But I sure know overkill when I see it. Of course our
government is the model of efficiency, modern data processing and
sharing of information, that's for sure! Hell, just take the USCIS for
example. Last I checked, they still haven't updated their PDF files
with the correct pricing information. It's only been about 2 years now,
but then again that's way faster than most normal businesses!
Yeah I understand security. Security only really keeps honest people
honest. The dishonest people hardly slow down at all with security. It
just causes more frustration for honest, regular users and makes it so
that it's actually quicker to do things without computer systems! Yeah
but we have to throw up these security barriers, even when unasked for
and unneeded, otherwise we'd process too many things at once and lord
knows different branches of the government that are supposed to talk to
one another will actually talk to one another and then the terrorists
will have a tough time and we wouldn't want that happening!
Give me a break!
>>> That is the situation.
>>
>> Really? But you are not the OP. How do you know that the FCC security
>> requirements are the same as that which is needed for the OP's
>> situation? Do you work with the OP? Or are you just spreading more
>> misinformation?
>
> Because I know the person who designed this part of the web site, and
> we have discussed its implementation in detail.
Then you are working with details that I am not. Now you could have
simply stated up front that you knew this and that such security was
required for this project, but no you figured you'd argue a little
first. I see...
>>> In case you're wondering - I do live in the D.C. area - and do a
>>> fair amount of government work.
>>
>> Good for you. That's wonderful (and wonderfully irrelevant).
>
> It is relevant when you're questioning whether I understand Federal
> government systems.
Not really but you can continue to think so if you want. Federal
government systems don't all emanate from DC ya know.
>> Ah so then you have insight into the security requirements for this
>> project? Or are you still just guessing? Because geeze you didn't
>> even appear to know that it was Intranet only...
>
> This project was intranet only. However, > 85% of security breaches
> occur from INSIDE the company.
>
>>> It really looks like you have no idea of what security is.
>>
>> Yes, I do know what security is. I was just questioning whether or not
>> such security was needed in this specific case. I saw nothing to
>> indicate that it was required, and lacking that, the steps proposed to
>> get additional security seemed like overkill to me. Why do you have
>> such a hard time grasping that simple concept?
>
> So far I haven't seen any indication that you can do anything more
> than spell security. But your spell checker probably helps there, also.
Look ma, no spell checker: security (and I didn't even just copy your
spelling either! :-P)
>>> So - please don't work on any of my customers systems.
>>
>> Thanks for asking nicely however I will work for whatever people wish
>> to employ me provided they pay well, your polite request
>> notwithstanding.
>>
>> And nay I will implement as much security as required for the system
>> under task, but I do so from clear specifications that such security
>> is required. IOW I don't build a fortress when what was asked for is
>> a tool shed (this is one way to get $500 toilet seats!). Similarly,
>> however, if I notice that the tool shed would be carrying toxic stuff
>> and there was a real threat that it required stronger walls or a lock
>> I surely will suggest such things.
>>
>> I do not, however, attempt to scare people into implementing
>> additional security where it is unwarranted simply to extend my
>> contract.
>
> I explain the risks and consequences of poor security. I do it in a
> way they can understand. That's one of the reasons they pay me.
> Another is because I can implement multi-tiered security solutions.
>
> Of course, they also hire me to help with run of the mill web page work.
Good for you. I hope you don't resort to the same argument tactics you
do here with them.
>>> And let me know which ones you do work on - I don't want ANY of my
>>> personal data on them!
>>
>> I'm everywhere! It's too late! ;-)
>
> Names, please! I can sell those names to hackers and make a fortune!
Just as soon as you reveal yours! ;-)
However, if I say "I'm everywhere" then you can just assume it's
"everybody".
Have a nice day! Now go away because I really have no time for somebody
who withholds information like they have seen the specifications just to
argue with somebody else. You could have been up front and clear but
instead you decided just to be argumentative and quite frankly I do not
wish to argue with such deceptive people.
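The DBMS-side alternative the two posters argue about (let the web tier see only the required columns, instead of copying those columns into a second database), shown as an added example that is not part of this thread or of either poster's work. It uses PostgreSQL syntax; the table, column and role names are assumptions made up for illustration, and the sample rows are constructed.

```sql
-- Added example (PostgreSQL syntax); not from the thread.  Table, column
-- and role names are assumptions made up for illustration.

-- 1. The sensitive table stays in the intranet database as-is.
CREATE TABLE employees (
    id      integer PRIMARY KEY,
    name    text     NOT NULL,
    phone   text,
    ssn     char(11) NOT NULL,   -- sensitive: must not reach the web tier
    salary  numeric(10,2)        -- sensitive
);

-- Constructed sample rows.
INSERT INTO employees VALUES
    (1, 'Alice Example', '555-0100', '123-45-6789', 85000.00),
    (2, 'Bob Example',   '555-0101', '987-65-4321', 72000.00);

-- 2. A least-privilege identity for the web application: a NOLOGIN role
--    carries the privilege set, a LOGIN role inherits it, so every grant
--    the web tier has is reviewable in one place.
CREATE ROLE web_directory NOLOGIN;
CREATE ROLE webapp LOGIN PASSWORD 'change-me' IN ROLE web_directory;

-- Nothing in the schema is reachable unless explicitly granted.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT  USAGE ON SCHEMA public TO web_directory;

-- 3. Expose only the required columns through a view.  The view runs with
--    its owner's privileges, so the web role never needs any privilege on
--    the base table.
CREATE VIEW employee_directory AS
    SELECT id, name, phone FROM employees;

GRANT SELECT ON employee_directory TO web_directory;

-- If the web form may change the phone number, grant UPDATE on that one
-- column only.  A simple single-table view like this is updatable in
-- PostgreSQL, so the update lands in the base table.
GRANT UPDATE (phone) ON employee_directory TO web_directory;

-- 4. Checks to run as the web role before calling it done.
SET ROLE webapp;
SELECT id, name, phone FROM employee_directory;                  -- allowed
UPDATE employee_directory SET phone = '555-0199' WHERE id = 2;   -- allowed
SELECT ssn FROM employees;            -- ERROR: permission denied for table employees
UPDATE employee_directory SET name = 'x' WHERE id = 2;  -- ERROR: permission denied
RESET ROLE;
```

The same column subset (id, name, phone) is what a replication job would carry to a separate database; the difference is only whether the sensitive columns share a database with the web-facing ones. Column-level grants on the base table (GRANT SELECT (id, name, phone) ON employees TO web_directory) achieve the same read restriction without a view. Either way, the protection holds only if the application really connects as webapp and not as the schema owner, which is the check worth making when someone claims a database is "secured".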