nanog mailing list archives

RE: bloomberg on supermicro: sky is falling


From: "Naslund, Steve" <SNaslund () medline com>
Date: Wed, 10 Oct 2018 14:21:40 +0000

Allowing an internal server with sensitive data out to "any" is a serious mistake and so basic that I would fire that 
contractor immediately (or better yet impose huge monetary penalties).  As long as your security policy is defaulted to 
"deny all" outbound that should not be difficult to accomplish.  Maybe if a couple contractors feel the pain, they will 
straighten up.  The requirements for securing government sensitive data are communicated very clearly in contractual 
documents.  A genuine mistake can get you in very deep trouble within the military and should apply to contractors as 
well.  I can tell you that the "oh well, it's just a mistake" gets used far too often and it's why your personal data is 
getting compromised over and over again by all kinds of entities.  For example, with tokenization there is no reason at 
all for any retailer to be storing your credit card data (card number, CVV, exp date) at all (let alone unencrypted) 
but it keeps happening over and over.   There need to be consequences especially for contractors in the age of cyber 
warfare. 

Steven Naslund
Chicago IL

> Important distinction; You fire any contractor who does it *repeatedly* after communicating the requirements for 
> securing your data.
> 
> Zero-tolerance for genuine mistakes (we all make them) just leads to high contractor turnaround and no conceivable 
> security improvement; A rotating door of mediocre contractors is a much larger attack surface than a small set of 
> contractors you actively work with to improve security.
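The "deny all outbound by default" point above is easy to state and easy to get wrong in a rule set. The following is an added example, not from the thread or from any product mentioned in it: a small Python audit that parses a constructed toy firewall policy, evaluates traffic first-match with an implicit default deny, and flags any allow rule that lets a host in a sensitive network reach 0.0.0.0/0. The rule syntax, the 10.20.0.0/24 "sensitive" network and the addresses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# One rule of a constructed, first-match egress policy.
@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port


def parse_rules(text: str) -> List[Rule]:
    """Parse lines of the form 'allow SRC -> DST PORT' (a toy format
    invented for this example; '#' starts a comment)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, arrow, dst, port = line.split()
        if action not in ("allow", "deny") or arrow != "->":
            raise ValueError(f"bad rule: {raw!r}")
        rules.append(Rule(action,
                          ipaddress.ip_network(src),
                          ipaddress.ip_network(dst),
                          None if port == "any" else int(port)))
    return rules


def matches(rule: Rule, src, dst, port: int) -> bool:
    return (src in rule.src and dst in rule.dst
            and (rule.dport is None or rule.dport == port))


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; traffic matching no rule is denied,
    which is what a 'deny all outbound' default means in practice."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if matches(r, s, d, port):
            return r.action
    return "deny"


def find_any_egress(rules: List[Rule], sensitive) -> List[Rule]:
    """Flag allow rules whose destination is the entire address space
    (prefix length 0) and whose source overlaps a sensitive network."""
    return [r for r in rules
            if r.action == "allow"
            and r.dst.prefixlen == 0
            and any(r.src.overlaps(net) for net in sensitive)]


# Constructed sample policy; 10.20.0.5 is the hypothetical data server
# and 10.20.1.10 a hypothetical approved update host.
SENSITIVE = [ipaddress.ip_network("10.20.0.0/24")]
POLICY = """
allow 10.20.0.5/32  -> 0.0.0.0/0      any   # the mistake: server out to "any"
allow 10.20.0.0/24  -> 10.20.1.10/32  443   # approved destination only
deny  0.0.0.0/0     -> 0.0.0.0/0      any   # explicit default deny
"""
RULES = parse_rules(POLICY)
OFFENDING = find_any_egress(RULES, SENSITIVE)
FIXED = [r for r in RULES if r not in OFFENDING]   # policy with the bad rule removed


if __name__ == "__main__":
    for r in OFFENDING:
        print(f"sensitive egress to any: {r.src} -> {r.dst} port {r.dport or 'any'}")
    print("original:", evaluate(RULES, "10.20.0.5", "203.0.113.7", 443))
    print("fixed:   ", evaluate(FIXED, "10.20.0.5", "203.0.113.7", 443))
    print("approved:", evaluate(FIXED, "10.20.0.5", "10.20.1.10", 443))
```

Running it prints the one offending rule, shows that the original policy allows the data server to reach an arbitrary external address, and that removing that rule leaves only the approved 443 destination reachable while everything else falls through to deny.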

