undefined | Better HN

0 pointspaulddraper9y ago0 comments

The difference being -- it's easy to pay somebody else enough to get rid of Dos attacks for you, and you never have to think about it.

Penetration isn't quite as easy.

0 comments

nickpsecurity9y ago

I pointed out here...

https://news.ycombinator.com/item?id=12566098

...that a few, inexpensive practices stop almost all the common methods currently. There's also frameworks and stacks that immunize web applications against common ones for them with little to no effort by developers. These fit parent's claim where you just follow basic, security advice with available tools for each category to stop many attacks.

Now, that's not going to cover everything. A dedicated, professional attacker or team targeting your individual business might break past it all. Most breaches we see, though, are companies not doing the basics.

paulddraperOP9y ago

From your points:

> Australia's DSD said that just patching stuff and using whitelisting would've prevented 75% of so-called APT's in their country. Throw in MAC-enabled Linux, OpenBSD, sandboxed (even physically) browsers w/ NoScript, custom apps in safe languages, VPN's by default, sanest configuration by default, and so on. Residual risk gets tiny. What I just listed barely cost anything.

That's a lot more invasive ongoing work than "add piece of hardware", or "add this DNS record".

nickpsecurity9y ago

Add this whitelisting software with your main apps on the list. Install updates when available by clicking update. Done for 75% of it. Your admin using OpenBSD or Linux install instead of something else for backend is invisible to you. The developers writing apps withbone framework or library use a different one. I'm not seeing this invasive nature of easy stuff. Straightforward.

Seems more do given the number of companies with 1-5 IT people that do stuff like this. They just care, Google tech X plus security/hardening guide, and follow the advice. Apply patches, check logs on occasion. A little less apathy goes a long way.

vosper9y ago

Thanks - that what I was getting at.

j / k navigate · click thread line to collapse

0 comments

nickpsecurity9y ago

I pointed out here...

https://news.ycombinator.com/item?id=12566098

paulddraperOP9y ago

From your points:

That's a lot more invasive ongoing work than "add piece of hardware", or "add this DNS record".

nickpsecurity9y ago

vosper9y ago

Thanks - that what I was getting at.

j / k navigate · click thread line to collapse