Re: de-peering for security sake

[Christopher Morrow <morrowc.lists () gmail com>]

On Sun, Dec 27, 2015 at 3:32 PM, Mike Hale <eyeronic.design () gmail com> wrote:
> "done right the cost shouldn't be super much more."
> I disagree.  Done wrong, it's not super much more.
>
> Done right, it's massively more.

please cite useful numbers... It's not (I think) really all that much
more. Sure it's a new expense (not really, since ... you've always had
security costs) but it's not 'massive'.

> Like Randy said, compare salaries alone.  A good security employee
> will run you, what, 100k or more in the major job markets?  And how
> many do you need, full time, to provide acceptable coverage for your
> environment?

ideally you need 2-3 people (for a larger operation, less for small
shops) with a bunch of automation to help things run along. Ideally
your 2-3 experts aren't responding to the pager, almost all of that is
offloaded to your noc/etc staff in a manner that they can actually
deal with problems NOT as pager-spam which gets turned off. 'high
quality alerts' with actionable playbooks.

it'd be great if more of this was COTS-able for the smaller shops... I
bet a bunch of it IS, though the parts aren't quite in place today :(
which is sad.

> The costs add up really fast without a corresponding return.

the return is not having to fend off the WSJ reporters of the world,
and consequent lawsuits from your customers, subscribers, partners,
etc...

-chris

> On Sun, Dec 27, 2015 at 12:27 PM, Christopher Morrow
> <morrowc.lists () gmail com> wrote:
> > On Sun, Dec 27, 2015 at 2:49 PM, Mike Hale <eyeronic.design () gmail com> wrote:
> > > "really isn't a whole lot different from 'lock your damned doors and
> > > windows' brick/mortar security."
> > >
> > > Except it's *massively* more expensive.
> >
> > is it? how much does a datacenter pay for people + locks + card-key +
> > pin-pad + ...
> >
> > vs
> >
> >  the requisite bits for security their customer portal/backoffice/etc ?
> >
> > done right the cost shouldn't be super much more.
> >
> > -chris
> >
> > > On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow
> > > <morrowc.lists () gmail com> wrote:
> > > > On Sun, Dec 27, 2015 at 1:59 PM,  <Valdis.Kletnieks () vt edu> wrote:
> > > > > On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
> > > > >
> > > > > > SSH password + key file is accepted as two factor by PCI DSS auditors, so
> > > > > > yes it is in fact two factor.
> > > > >
> > > > > They also accept NAT as "security".  If anything, PCI DSS is yet another example
> > > > > of a money grab masquerading as security theater (not even real security).
> > > >
> > > > is it that? or is it that once you click the checkboxes on /pci audit/
> > > > 'no one' ever does the daily due-diligence required to keep their
> > > > security processes updated/running/current/etc ?
> > > >
> > > > I'm not a fan of the compliance regimes, but their goal (in a utopian
> > > > world where corporations are not people and such) is the equivalent of
> > > > the little posterboard person 42" tall before the roller-coaster
> > > > rides, right?
> > > >
> > > > "You really, REALLY should have at least these protections/systems/etc
> > > > in place before you attempt to process credit-card transactions..."
> > > >
> > > > In the utopian world this list would be sane, useful and would include
> > > > daily/etc processes to monitor the security controls for issues... I
> > > > don't think there's a process bit in PCI about: "And joey the firewall
> > > > admin looks at his logs daily/hourly/everly for evidence of
> > > > compromise" (and yes, ideally there's some adaptive/learning/AI-like
> > > > system that does the 'joey the firewall admin' step... but let's walk
> > > > before running, eh?)
> > > >
> > > > so, it's not really a mystery why failures like this happen.
> > > >
> > > > > I remember seeing a story a while ago that stated that of companies hit
> > > > > by a data breach on a system that was inside their PCI scope, something
> > > > > insane like 98% or 99% were in 100% full PCI compliance at the time of
> > > > > the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
> > > > > are missing a lot of really crucial things for real security.  (And let's
> > > > > not forget the competence level of the average PCI auditor, as the ones
> > > > > I've encountered have all been very nice people, but more suited to checking
> > > > > boxes based on buzzwords than actual in-deopth security analysis).
> > > >
> > > > people toss pci/sox/etc auditors under the bus 'all the time', and i'm
> > > > guilty of this i'm sure as well, but really ... if you put systems on
> > > > the tubes and you don't take the same care you would for your
> > > > brick/mortar places ... you're gonna have a bad day. 'cyber security'
> > > > really isn't a whole lot different from 'lock your damned doors and
> > > > windows' brick/mortar security.
> > > >
> > > > > So excuse me for not taking "is accepted by PCI auditors" as grounds for
> > > > > a claim of strong actual security.
> > >
> > >
> > >
> > > --
> > > 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0