
Once again, I call on Michelle Obama or the next first man/lady to make cyber security your cause.

We need to teach our children to understand that only a fool would put critical systems on the public internet. Only a fool would forget to implement account lockout rules or forget login rate limiting (edit) --where appropriate--. Only a fool would create software with built in default usernames and passwords. Hello world, the "admin" username does not have to be admin or administrator. Computer security today is a joke. Almost a total illusion.

We need to pay less attention to Kim Kardashian and more attention to HD Moore.

http://jklossner.com/computerworld/images/security26.gif



Due to the nature of critical infrastructure it would not be advisable to force lockout rules and rate limiting on devices.

The main issue comes from the long life cycle of equipment and companies not wanting to change to new, more secure methods due to fear of the costs of implementing them.
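The trade-off between the account lockout the parent comment asks for and the availability concern raised in this reply, as an added example (constructed here, not code from the thread): a hard per-account lockout beside a per-source sliding-window throttle, with a constructed simulation of one address guessing the "admin" password. The address, window and threshold are assumed values.

```python
import time
from collections import deque

# Constructed illustration (not from the thread): two login throttling policies side by side.
WINDOW_SECONDS = 60
MAX_FAILURES = 5

class HardLockout:
    """Lock the account after MAX_FAILURES failures until an admin resets it.
    Anyone who can reach the login page can deny the operator access, which is
    the concern raised for critical infrastructure."""

    def __init__(self):
        self.failures = {}  # username -> failure count
        self.locked = set()

    def allow(self, username, source):
        return username not in self.locked

    def record_failure(self, username, source):
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked.add(username)

class SourceThrottle:
    """Throttle per source address over a sliding window instead of locking the
    account: a remote guesser is slowed, the operator elsewhere still gets in."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.attempts = {}  # source -> deque of failure timestamps

    def allow(self, username, source):
        now = self.clock()
        q = self.attempts.get(source, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()  # drop failures older than the window
        return len(q) < MAX_FAILURES

    def record_failure(self, username, source):
        self.attempts.setdefault(source, deque()).append(self.clock())

def simulate(policy, guesses=MAX_FAILURES):
    """Send `guesses` bad passwords for "admin" from one (constructed, TEST-NET-3)
    address, then report whether the operator can still log in from the console."""
    for _ in range(guesses):
        if policy.allow("admin", "203.0.113.9"):
            policy.record_failure("admin", "203.0.113.9")
    return policy.allow("admin", "console")
```

With the hard lockout the operator is shut out after the guesser's fifth attempt; with the source throttle only the guessing address is held back.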


To be honest when it comes to critical infrastructure, you cannot be conservative enough.

Which is to say: These networks should be closed-loop, and air gapped from the internet. The best security is simply not letting an attacker connect to the equipment at all.

Same way cars are meant to work. One network for the vehicle control systems, another network for the fun stuff (in car entertainment, OnStar, etc). With well defined interconnections between them (that assumes the "fun stuff" side can misbehave).

If there is any interconnection between the critical infrastructure network and the internet, then it needs to be very well regulated, down to the packet lengths.


While I agree with you overall I don't see the problem being solved by "teaching our children". The problem isn't the public, which either can't be expected to know or are actually already more critical of technology, it's programmers being blinded by money, status, false pride and overwhelming odds against doing the right thing. The security industry isn't exactly helping either with their toxic environment making building security from the ground up a losing proposition.

How many times do we see new web frameworks on HN without even a mention of security?


I hear you, I just think it is going to take a generation to fix. If you follow the infosec folks on twitter you might see what I see, a lot of juvenile behavior. Some of the key debates lately have been about Hugging and this lovely drama.

http://blog.erratasec.com/2015/09/whats-that-drama.html#.VhP...


I'm not sure we can afford to wait a generation if we want to have a say in how things change. With increased regulation, economic downturn and/or competition from China/India, change is coming one way or the other.



