SANS ISC: Security History Poll Results - SANS Internet Storm Center

Reactive or Pro-Active Security Planning?


It looks like, with few exceptions, the most accurate answer to my last question (when did you start to think seriously about security?) is: Reactive!

Why? Most people and companies started to think about security only after a bad security experience. From government to .edus to private companies, the story is almost the same, which I thought was kind of funny... :)

Another point worth noticing is that some companies set up a security team or hired a specialist only for marketing purposes and not for real security work, which was kind of sad... :(

If I had to choose an average year, based on most of the answers I would say 2001/2002, and there is a reason for that: if you remember well, those were the years of the new generation of worms (remember Code Red?).

What follows is a list of some of the testimonials that I think are very informative... :)

Thanks for all the answers!

----------------------------------------------------------------------------------------------------------


Various steps:
1995 - preparation for y2k and acquisition of new enterprise accounting and payroll systems
Summer of '98 - connected to the Internet
2002 - preparation for HIPAA Privacy Rule and Security Rule

It's a company that refuses to think that threats can originate from inside the firewall (users). IT computers are out in the open with the "normal" users' computers. We have a long way to go before we are "secure".

To answer your question more directly, it's been maybe the past year and a bit that we started to think about security in a serious way.

I work for a County government, and except for what I do because I feel SECURITY is a BIG issue, we do nothing. I have a firewall (Linux box with iptables) in place and try to institute what I feel will do the best for the County, but I have NO budget.

In 1994-1997 I worked as an employee at Company X. Like Company Y, this was an organization that could incorporate security deeply into the way things were done (in many divisions). There were some places where security was lax and some where (in a post-Mitnick world) it was very tight.

I would trace our thinking seriously about security to November 5, 2002, the day that we changed our primary firewall from a default-allow to a default-deny configuration. Shortly thereafter, we started managing patch status on our 5000 (no, 9000+) Microsoft workstations using SMS.

* In November 2002, I got a DSL line. After I configured ipchains on the box that would be my firewall/file server/domain controller/etc., I went to Steve Gibson's site to test my configuration. It said I had everything open. Well, I didn't believe it, and I just left it. It wasn't two days before my box was hacked through a telnetd vulnerability. So that got me thinking seriously about security at home.

* In March of 2003, the place I worked had someone (in the same office where I worked) that was bypassing security measures by running programs like MyIE2 and trying to hack our boxes. It came to a head in September when he took down one of our machines. I became the computer tech for the department in October and started locking down our machines as tightly as possible. We haven't had an incident since. This is also what got me interested in computer forensics. I received training in the field and am pursuing volunteering for my local police department to get some experience in the field.

Well, my company has been thinking (and doing) seriously about security since 2001, so 5 years. I have been since 2000.

It was in April of 1999 when we got hit with the Melissa worm and we realized that user education was lacking, and even where sufficient, the antivirus software could only be trusted so far... so we had to invest time in locking down workstations and generally paying attention to internal security.

Server security happened first, following the need for external security in 1996 when we put up a website (a year after getting a domain name registered so that we had email).  This is because we were hard on the outside from the outset; even though we're a Windows shop, we never had issues with hanging Windows boxes on the Internet and having issues with CodeRed, Nimda or Windows Message spim.

When we first went from paper to a computer, back about 1989 or so, the 'server' had access through 'terminals'.  Security at this time meant, as perhaps some of your readers will remember, limiting access to the system through a variety of ways, running a specific 'shell' .profile and .login to prevent access to the command line, limiting rwx rights, and limiting 'server' functions according to needs.

By this time, several free-standing personal computers were beginning to show up in the workplace, and data on 5 floppies was making the rounds. Our server data was backed up daily and stored off site. The server security was pretty good, with no access other than dumb terminals inside the complex. It was about this time we discovered the term 'virus' and a program called f-prot. A small outbreak of a boot virus actually started the business of limiting access to data which had been 'screened' before loading on our internal machines.

Time went on, we started a WIN3.1 network and did away with many of the terminals. The internet started in earnest about this time, and dial up and dial in on dedicated lines was established to reach the internal network from remote locations. That's where the 'profession' of security probably really started. Security issues, sure, but that's it, 'issues' handled by a few individuals with some sage advice and implementing innovative techniques.

I started thinking about security in a serious way about 8 years ago, when my company began installing web servers in data centers. I knew publicly accessible servers could be trouble. It occurred to me then that securing the public servers was not enough, and that all of our systems had to be secured lest we become a vector for our own demise.
Since then we've been trying to keep up with vulnerabilities and exploits.

So far we have only been affected once, by the original Code Red worm. Our security budget is now our second highest IT expenditure, just behind hardware. I always chuckle when I hear media reports of this year being the year of infosec. To me, every year is the year of infosec.

This is an easy one -- never. My employer at $DAY_JOB had to be dragged kicking and screaming into at least SOME form of security policy. I was continually being second-guessed by silly buggers from "executive row", for example, about why we required a VPN to access the internal mailserver when their friend, sibling, Mom, or dog didn't have to at THEIR company. (sigh)

It's usually only some form of object lesson (usually painful) that convinces executives to pay attention to security. Education doesn't seem to help -- too many of them think that since they were able to set up a WiFi router at their house they're qualified to make decisions about IT Infrastructure. (sigh)

Until Sasser, even computers at the help desk had public IPs and every folder and printer was shared with the rest of the world...
We were told by our administrators and our senior technicians to tell our clients to remove the Windows XP firewall because it could block several programs that use the Internet.
This changed with the arrival of Blaster (maybe half of our clients - dialup and broadband - were infected), and then I began to analyse my firewall logs and to read your daily news on ISC.SANS.ORG.
I had to put pressure on our administrators to block or restrict NetBIOS and SMB ports, but they denied my requests... maybe because they weren't able to create ACLs on Cisco equipment...
The arrival of Sasser finally forced them to go my way... because our own Internet provider told the admins how to block incoming and outgoing NetBIOS and SMB traffic.

I began to think/learn about security five years ago, and it all started with a security incident of course: we had our broadband link shut down because of a misconfigured proxy (mind you). Here at this company there's been some talk about a written policy of use and training personnel on security (me for the case), but nothing serious yet. As long as nobody gets her documents lost, everyone is confident everything is OK.

I've been taking it seriously since I got my internet connection and learned about all the rubbish that's out there. I've buried myself in books on security since then, from firewalls to VPNs to all the spyware, virus and adware scanners we need these days.
I'm currently working for a large Telecom multinational in a network control centre. They take network security extremely seriously. I was amazed by the tightness of their internal network.

Two years ago we ran exclusively Windows software (mainly XP) on all the units, and I found (in spite of having firewall/anti-virus/spy-sweeper software installed) that I was spending about 2 hours of every day, 7 days a week, doing nothing but checking, scanning and updating, and of course worrying! One year ago we migrated to running OpenOffice, Firefox and Thunderbird on the Windows boxes in an effort to mitigate some of the risks that were apparently inherent in the Windows software.

We made the decision in November of 2005 to migrate ALL of our systems onto Linux, using XXXXX for the in-house server and FC4 for all the workstations. The change went without (too many) headaches and, from 1st January 2006, we are now 100% Linux/open source. The result is that the time I need to spend on security/upgrades has dropped from nearly 2 full working days a week to about 4 hours a week, a considerable saving and a corresponding increase in productivity, not to mention the savings in software costs associated with this route. Incidentally, the overall stability of the new systems and the speed they run at would make the change worthwhile even if one didn't take the security aspects into account!!!

I was gratified to read one of your handlers' articles detailing what security measures he had put into place on his business systems and realise that I was running an identical security infrastructure on our new Linux network.

In 2000, my company, a large healthcare system in XXXXX, hired their first security specialist - someone devoted entirely to security. That was only 5 years ago. He left because the company didn't take security seriously, even though they had hired him under the pretense of being "security conscious". They thought just having someone on staff labeled "Security Specialist" was enough. I took his position a little over a year ago and now I've found a new job in Information Security because I had the same frustrations as the previous security specialist. It seems the company wants to be compliant (especially with HIPAA), but doesn't want to do what it needs to do to get there.

The company that I'm at now didn't start thinking about security until late 2004, which is when they hired me, and it wasn't until the middle of last year that real security initiatives started happening. This is in contrast to the trading firm where I started my security career in 1996. They already had a full security plan in place. The insurance firm that I went to work for after that implemented a full security architecture around 2000.

XXX.edu has been thinking about security in a comprehensive and org.-wide way since approximately 1992. Our current security plan was written in 1996, and has stood the test of time very well since. The revisions of it in progress are mostly to translate it into the language that funding agencies say they'll begin expecting for initial security plans in 2007.

Pedro, ISC Handler