05-10-2021, 08:34 PM | #23 |
Private First Class
1562
Rep 140
Posts |
My uneducated opinion in I.T. is that the really important stuff should never be connected to the internet. It isn't a matter of "if they hack us," but a matter or "when they hack us."
Why was an important oil pipeline connected/controlled by an internet connection? That is just plain stupid. |
Appreciate
2
CTinline-six6942.50 Murf99314096.50 |
05-10-2021, 08:43 PM | #24 | |
Banned
12849
Rep 2,983
Posts |
Quote:
|
|
Appreciate
2
CTinline-six6942.50 Murf99314096.50 |
05-10-2021, 08:56 PM | #26 |
Recovering Perfectionist
20846
Rep 1,013
Posts |
You couldn't go any worse than the clowns currently collecting pay checks in the IT field!
After 35 years, I seriously want to leave IT for the exciting world of pizza.....
__________________
Currently BMW-less.
|
Appreciate
2
Murf99314096.50 upstatedoc7534.50 |
05-10-2021, 09:01 PM | #27 |
Banned
12849
Rep 2,983
Posts |
|
05-10-2021, 09:08 PM | #29 |
Banned
12849
Rep 2,983
Posts |
|
Appreciate
0
|
05-10-2021, 09:15 PM | #30 |
Major
14097
Rep 1,336
Posts
Drives: Porsche 993
Join Date: Mar 2020
Location: Dog Lake, South Frontenac, Ontario Canada
|
No, he gets to lick the ice cream bowls though. However he's snoozing next to Lisa right now.
|
Appreciate
2
TiMSport12848.50 Littlebear3520.50 |
05-11-2021, 09:36 AM | #31 |
First Lieutenant
549
Rep 384
Posts |
I'm only 10 years in infosec and will be moving into goat farming once my kids are in school and my wife can start working again.
|
Appreciate
1
upstatedoc7534.50 |
05-11-2021, 09:48 AM | #32 | |
Space Force - 4 Star General
11499
Rep 3,265
Posts |
Quote:
Or even earlier than that when computers were a bit of a rarity so we had shared PCs. You'd roll up with your floppy disc full of your work and use the pC for a few hours to do whatever you needed to do. Assholes would leave a virus on the PC that would then infect your disc and propagate to the net PC you stuck it in. I lost a term paper in college that way when the computer lab got infected. But still, your point is a solid one. Critical infrastructure should be running on PCs that done have an Internet connection and are isolated from the general company network. |
|
05-11-2021, 10:39 AM | #33 |
Brigadier General
5519
Rep 3,325
Posts |
Air gapped systems are not 100% protected from vulnerabilities. There are other vectors which can introduce malicious code. Having worked in highly classified systems, those dangers are constantly being considered and systems designed to mitigate those risks.
Security is only as good as the mindset of the people that work with the systems and those in charge that dictate policy and funding. This is the foundation. Without this, you can throw the fanciest latest security tech at something and still have the same exposure without using it. |
Appreciate
3
|
05-11-2021, 10:53 AM | #34 | ||
Recovering Perfectionist
20846
Rep 1,013
Posts |
Quote:
Quote:
I'm not going to name the company, but there is a very large player in the K-12 school content-filtering market that I was asked to look at as a favor when a school near my office couldn't get it to work. Their black box was actually static-coded to ignore the subnet mask and default gateway being provided by DHCP, and assumed a /24 with .1 as the default route. Great assumptions for a cable modem in someone's house, but rendered the thing 100% useless on a segmented network with /26 subnets to isolate rooms. The company did not see any flaw in their logic, and defended their product because they were too clueless to fix it. As for jumping the air-gap in Iran, an infected USB thumb drive full of "naked women pictures" dropped outside the front door will surely result in a nuclear meltdown in a few hours.....
__________________
Currently BMW-less.
|
||
Appreciate
2
CTinline-six6942.50 jmack548.50 |
05-11-2021, 11:27 AM | #35 | ||
Hoonigan
6943
Rep 3,017
Posts
Drives: '09 328i, '98 Wrangler
Join Date: Dec 2016
Location: Connecticut
|
Quote:
The reason is to cut cost, maximize profit. Quote:
The truth is there should be a lot more security for critical systems like the pipeline and for our personal data, but placing priorities on profits and the way big tech operates doesn't allow for that. |
||
Appreciate
2
vreihen1620845.50 Littlebear3520.50 |
05-11-2021, 12:13 PM | #37 |
Brigadier General
5519
Rep 3,325
Posts |
And why I've been harping on having stated regulations which put in place financial penalties and in the case of gross negligence, jail time. None of these behaviors will change unless organizations and individuals get hit where they do care which is losing money or losing their time sitting in a cell.
The examples of the errant USB device being plugged into an air gapped computer is one example. But many people don't focus on other vectors such as the firmware that's installed in many of the subcomponents of devices. This brings up supply chain security. Many Federal agencies require TAA certified products. Some require BAA. But these come at an additional cost. Some OEMs go one step further to offer up secure supply chain services. Again at an additional cost. Then there's the software. The Solarwinds hack shows how things can go terribly wrong with a trusted software company. Even at the basics such as firmware updates. How many IT staffers spend the time to ensure the firmware is pristine by doing hash comparisons with the OEM's official hash? |
Appreciate
2
vreihen1620845.50 CTinline-six6942.50 |
05-11-2021, 12:21 PM | #38 | |
Colonel
3929
Rep 2,548
Posts |
Quote:
especially for smaller municipalities, most plants arent staffed 24/7. So in order to be able to monitor and operate plants, they need remote access which creates an entry point for these types of hacks. the other issue is reporting. the EPA has strict monitoring/sampling/reporting regulations, and some plants auto report these to the EPA, creating another entry point for these types of hacks. then you also have the water systems that have multiple plants, pump stations, pipelines, etc that all need to report to each other. In a small town, sure, you could hardwire them all together, but that is a significant cost that small towns cant afford. In a big city, its usually not economically feasible or practical to hardwire them all together either. probably the most secure plant ive ever been a part of was a wastewater plant for a microchip manufacturer. Everything was on a local network and was staffed 24/7. However, even in that situation, they are still vulnerable to outside attacks if someone is able to get on their local network. Especially since this plant still needed a way to communicate with other manufacturing plants throughout the company. And with all the contractors and 3rd party vendors that are constantly coming in and out of the facility, it wouldnt be hard to get in. All that being said, most water and wastewater plants have fail safe's in place and can be run locally if something like this happened. From hardwired alarms in MCCs and control panels with relays and switches that will shut down the equipment if one of the alarms is tripped, to local control stations that you can manually operate the equipment at locally inputted set points.
__________________
|
|
Appreciate
1
IllSic_Design2125.00 |
05-11-2021, 01:01 PM | #39 | |
Recovering Perfectionist
20846
Rep 1,013
Posts |
Quote:
I love how the third-world hosting companies frequently have pleas to only blacklist individual IP addresses and not entire networks in their IP whois records. If you don't know what your customers are doing and are shifting the policing to my employer, your entire IP block (and ASN for that matter) has a special place in my firewall's naughty list. Google is also pretty bad with Gmail. I have developed a set of filter rules to catch about 98% of the gift card and sextortion scams coming from Gmail. As big as a company as they are, they should be able to stop these emails from ever leaving their servers in the first place by implementing similar filters and user behavior heuristics to spot mass mailings. Realize that my pay checks are only 33% of what Google pays for entry-level programmers, and my employer doesn't offer free dry cleaning, cafeteria food, ball pits, or nap pods.....
__________________
Currently BMW-less.
|
|
Appreciate
1
CTinline-six6942.50 |
05-11-2021, 07:50 PM | #40 |
Brigadier General
4235
Rep 4,427
Posts |
I'm sorry to tell you all that hackers are by far smarter than any of us in here:
https://www.forbes.com/sites/leemath...from-a-casino/ The most secure computer is this one: |
Appreciate
0
|
05-11-2021, 09:08 PM | #41 |
Brigadier General
5519
Rep 3,325
Posts |
|
05-12-2021, 02:13 PM | #42 | |
Long Time Admirer, First Time Owner
18448
Rep 9,428
Posts |
Quote:
THIS!!! I TRIED to get our water plant to update the firewall and include a 24x7x365 monitoring service. Our only saving grace at this point is that they only have a 1.5MB/s connection. All the updates (that aren't applied to SCADA systems) come from an internet source. Licensed software isn't available on a dongle any more. Heck, our plant is running on a Dell desktop that has a rusted 3.5" floppy drive. I've bought 2 sets of replacement computers, but because they didn't maintain their maintenance agreements (PAY for them) we couldn't upgrade the iFix to Win 10 or 7. We are just about done with a 5-year IT Master plan. Council will fall out of their seats when they see $8.7m |
|
Appreciate
1
vreihen1620845.50 |
Post Reply |
Bookmarks |
|
|