The Dyn DNS DDoS attack should be a wake-up call for all organizations and service providers reliant on the internet. A simple risk assessment of your services would have identified the dependency on Dyn, or their clients, for production systems. Simple mitigating controls, such as properly configured multiple DNS providers in the case of Dyn clients, would have minimized, or even eliminated, the impact.
As far as the National Security Agency hack goes, how is it that one of the largest security agencies in the world, with a budget of tens of billions per year, can't figure out information security?
One would think with everything they know, they could at least secure their classified data from theft.
Do they follow the principle of least privilege? If so, then why do all these contractors have access to this sensitive data? How are they getting this data out, and why is it taking years to find out?
The government must ask private-sector IT security firms and infowar experts for help. This is a national security issue that will take all of us to fix – both private and public sectors.
— Mirek Pijanowski, CEO of StandardFusion GRC