Slashdot Mirror


2004 Global Information Security Survey Results

jotok writes "CIO.com has released the results of its 2004 Global Information Security Survey, based on the responses of over 8,000 people in 62 countries, highlighting the Six Secrets of Highly Secure Organizations. The report indicates that security awareness and implementation are gradually improving, but also that information security is still not receiving the attention it requires--especially from management and IT personnel."

77 comments

  1. Six Secrets of Highly Secure Organizations by Anonymous Coward · · Score: 4, Funny

    Sounds a lot like the two secrets of maintaining security.

    1) Never tell anybody everything you know.

  2. That's pretty sad! by goldspider · · Score: 4, Insightful
    "...but also that information security is still not receiving the attention it requires--especially from management and IT personnel."

    Who then is supposed to give a shit about information security if not management and IT? It's stuff like this that makes me very unsympathetic towards companies with virus problems.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:That's pretty sad! by lukewarmfusion · · Score: 4, Interesting

      Parent has a good point. Every company I've worked in has people who think, "It's not my problem." Management should be concerned about security protecting their business. IT personnel should be concerned about security because it keeps them in a job and makes life easier.

      We have so many cliches and maxims about this very concept, but they fall on deaf ears:

      Nobody seems to care about doing things the right way until they screw up because they were done poorly. Ounce of prevention and all that..

    2. Re:That's pretty sad! by Anonymous Coward · · Score: 0

      "...security [...] makes life easier."

      You've never worked in security, have you?

    3. Re:That's pretty sad! by Anonymous Coward · · Score: 1, Insightful

      Security is *everybody's* responsibility.

      Whether it be the admin configuring their IDS & firewall correctly, to the managers writing the policies & guidelines, to the users not writing down passwords and all the way through to the maintenance staff being on the lookout for stray access points, weak locks, or areas of poor CCTV coverage. Even the backup operators have a responsibility to ensure the safety of backups. Security is *not* just passwords and firewalls.

      Security: Confidentiality, Integrity and Availability.

    4. Re:That's pretty sad! by lukewarmfusion · · Score: 1

      I get the joke, and I expected that...

      In case you (or someone else reading your comment) take that seriously - consider the hassle of security versus the hassle of explaining to customers why their data is unavailable, their accounts were compromised, or you won't be able to fulfill your promises... I'd rather spend an hour working on making sure something was done right than spend five minutes on the phone while the customer bitches me out. That's why it makes life easier.

  3. there are actually seven by codefather · · Score: 4, Funny

    Seventh Secret: Most flaws occur thru "Gates" - Keep away from.

    --
    This is computer-generated and does not require a signature.
    1. Re:there are actually seven by stratjakt · · Score: 1, Funny

      Actually, 8:

      Getting advice on slashdot is a sure way to an easily hackable website. While it masquerades as a "geek tech news" forum, it's populated by 12-year-old morons who think they know everything, and whose answer to everything is "Install linux because it's magically secure!".

      It goes without saying, of course. What kind of a moron would take computing advice from a bunch of asshats who can't configure Windows properly?

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:there are actually seven by idontgno · · Score: 1
      What kind of a moron would take computing advice from a bunch of asshats who can't configure Windows properly?

      Oh, I don't know, requiring an impossible task as a qualification is not very reasonable, don't you think?

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    3. Re:there are actually seven by IAR80 · · Score: 1

      You are reading slashdot. Aren't you?

      --
      http://ebgp.net/ccc/
    4. Re:there are actually seven by cHALiTO · · Score: 1

      Getting advice on slashdot is a sure way to an easily hackable website.



      And you're implicitly advising to install windows/IIS? nice troll :)

      --
      "Luck is my middle name," said Rincewind, indistinctly. "Mind you, my first name is Bad." -- Terry Pratchett
    5. Re:there are actually seven by stratjakt · · Score: 3, Insightful

      No, not at all.

      I'm explicitly advising not to run around thinking you know the first thing about running a secure server because you read slashdot every day.

      So many morons running linux powered websites incorrectly out there. While linux may not be a target for worms that just arbitrarily hit anyone, if someone actually targets the server, they can usually get root on it. These are the type of attacks you need to fear in business. Sasser wastes time and bandwidth, a dedicated hacker who's out to get you could ruin the business entirely.

      The warez "pub" scene is chock full of hacked proftpd servers. There are thousands of linux and BSD boxes pumping spam through open relays or misconfigured proxies.

      HL2's source code was stolen from a linux machine on a linux based network.

      Admins don't even bother to keep up with patches, or even read logs, because they read on slashdot that linux is just "magically secure" out of the box.

      At least MS is honest enough to admit there are problems and work towards fixing them.

      I'd rather worry about my system being insecure than falsely believe that it isn't. Security requires paranoia.

      --
      I don't need no instructions to know how to rock!!!!
    6. Re:there are actually seven by Anonymous Coward · · Score: 0
      .. At least MS is honest enough to admit there are problems and work towards fixing them.

      What? SP2 adds a much needed emphasis on security, but it refers to the security center AND security patches and fixes as 'security features'. I would call this 'admitting' to a problem they won't acknowledge.

      BTW I've configured Win + Linux boxes, and tightening Linux was by far the easier of the two. Easier is perhaps the wrong word. There are more straightforward things you can do to tighten up a Linux box, like totally removing problem programs or 'patching' services on the fly.

      With Windows, there is too much deep integration of IE, Outlook, etc. and this makes the trade-off between functionality and security crippling once you start securing services.

      The bottom line is you can cut more from a linux box and still be productive, compared to a Windows machine, and this IMHO is the biggest reason why I would say Linux can be more secure.

      Add to that things like heavily encouraged root-user policy, SELinux, removal of suid privileges, iptables, and sheer control of resources and you have the possibility of a hardened system. Not unbreakable though, just hard.

      The only secure computer is one without an internet connection, and without a power source.

    7. Re:there are actually seven by stratjakt · · Score: 1

      BTW I've configured Win + Linux boxes, and tightening Linux was by far the easier of the two.

      I agree with you.

      But, my point is about the zealots who say "switch to linux because Windows is insecure" and nothing else, because they know nothing else.

      Zealots seem to believe that their boxes are secure just because linux is on them, as if that was all there was to it. Then they run all the services as root, log in as root to change CD-ROMs, etc..

      It's easier (more comprehensive) to lock down a linux box, but frankly, it's just as easy to misconfigure one.

      Once I mixed up eth0 and eth1 on my firewall/router (or rather plugged the cables in backwards), and in the time it took to figure out what I did, I was offering webmin, telnet, LDAP, samba shares, and all kinds of services to the world that I shouldn't have been. Oopsie.

      --
      I don't need no instructions to know how to rock!!!!
    8. Re:there are actually seven by Phragmen-Lindelof · · Score: 1

      The grandparent says:
      "Seventh Secret: Most flaws occur thru "Gates" - Keep away from."
      Nowhere do you see anything like "Install linux because it's magically secure!".
      This is your typical troll. When CERT warns people to avoid IE and the security record of MS products is considered, warning people away from MS software is appropriate. You like to attack the people (posters) who point out things like this rather than making an honest comment. I hope MS pays you well.
      Just for fun, you might like to know that a former long term MS programmer (who still likes MS as a company) is working on his PhD in math somewhere in the world. His comments are very interesting. (Sorry I cannot share them but one thread is that employing lots of very smart people with REALLY BIG egos does not yield good code - e.g. "Who are YOU to criticize my code?")

    9. Re:there are actually seven by Aliencow · · Score: 1

      And here I thought HL2's source code was stolen through an Outlook exploit (patched months ago) ?

  4. People just don't care. by caluml · · Score: 0, Redundant

    I think by now, that if people don't "get" security, they'll never "get" security. We all know about patching, firewalling, decent passwords, etc, etc, but some people just choose to ignore it.

  5. Sad state of affairs in IT security. by garcia · · Score: 1

    Hmm. Not much faith all around.

    Percentages of employees that follow the security rules... "More than half" was about 75%. I'm surprised it's that high. People here go through the 9 iterations of their passwords in the same day so they can keep the same one for the year. Some people just use password1 - password9... Ugh.
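
Added example (my own code, not from the thread or the survey): a password-change policy that models the two directory-service controls that stop the nine-changes-in-one-day trick described above, a password history that is compared in full and a minimum password age, plus a check that rejects trailing-digit rotations such as password3 to password4. Class names, the PBKDF2 parameters and the 24-hour minimum age are assumptions for the example.

```python
"""
Password-change policy (added example, not the thread's code).

Controls modelled, all with constructed parameters:
  - history of the last HISTORY_DEPTH passwords, every entry compared
  - minimum password age, so the history cannot be flushed in one sitting
  - a "stem" check: the current password with its trailing digits removed
    must differ from the new one, so password1 -> password2 is refused
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

HISTORY_DEPTH = 9         # remember this many previous passwords (assumed)
MIN_AGE_SECONDS = 86400   # at most one change per 24 hours (assumed)
PBKDF2_ROUNDS = 100_000   # constructed work factor for the example


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so history entries never hold cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def stem(password: str) -> str:
    """Lowercase and drop a trailing run of digits: 'Password7' -> 'password'."""
    return re.sub(r"\d+$", "", password.lower())


@dataclass
class Account:
    history: list = field(default_factory=list)   # newest last: [(salt, digest), ...]
    last_change: float = 0.0                       # unix time of the last accepted change


class PasswordPolicy:
    def __init__(self, depth: int = HISTORY_DEPTH, min_age: float = MIN_AGE_SECONDS):
        self.depth = depth
        self.min_age = min_age

    def _remember(self, acct: Account, password: str, now: float) -> None:
        salt = os.urandom(16)
        acct.history.append((salt, _hash(password, salt)))
        del acct.history[:-self.depth]     # keep only the newest `depth` entries
        acct.last_change = now

    def _is_current(self, acct: Account, password: str) -> bool:
        salt, digest = acct.history[-1]
        return hmac.compare_digest(_hash(password, salt), digest)

    def enroll(self, acct: Account, password: str, now: float) -> None:
        """Set the first password; the age clock starts here."""
        acct.history.clear()
        self._remember(acct, password, now)

    def change(self, acct: Account, old_password: str, new_password: str,
               now: float) -> tuple[bool, str]:
        """Return (accepted, reason). Order: authenticate, age, rotation, reuse."""
        if not acct.history or not self._is_current(acct, old_password):
            return False, "current password incorrect"
        if now - acct.last_change < self.min_age:
            return False, "minimum password age not reached"
        if stem(old_password) == stem(new_password):
            return False, "password is a trivial variation of the current one"
        for salt, digest in acct.history:   # each entry has its own salt
            if hmac.compare_digest(_hash(new_password, salt), digest):
                return False, "password was used recently"
        self._remember(acct, new_password, now)
        return True, "ok"
```

The stem check only compares against the password the user proves they hold at change time, so nothing weaker than the full hash is ever stored.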

    1. Re:Sad state of affairs in IT security. by jokach · · Score: 5, Insightful

      In our shop, our upper management are the worst offenders. We have a COO that demands his laptop be built to auto login to everything. He doesn't want to remember passwords. The few passwords he has to remember are like 1234 or ABCD.

      Since senior management doesn't care, what makes them think that employees lower than them should?

      This same COO had his email account hacked because of a poor password and blamed IT for not having enough controls in place.

      I'm sure you can imagine my response.

    2. Re:Sad state of affairs in IT security. by Anonymous Coward · · Score: 0

      "More than half" was about 75%.

      That's actually not so bad. I was just listening to a program on the CBC last night in which it was observed that voluntary cooperation with almost anything is usually no more than 50-60%, regardless of merit.

      The program went on to compare the effectiveness of this strategy (promoting an activity on its merits, such as watering your lawn on alternate days) against a strategy of incentive (municipalities like Toronto which have recently switched to billed water use).

      Guess which works better? See, people can't really believe that their individual choice makes a hell of a lot of difference to the world, so we choose what seems to be optimal for us. That leads to the "free rider problem" or the "tragedy of the commons".

      The same applies to IT management and staff. Security requires them to take a comprehensive, responsible view of every design and implementation choice they make. But there is no direct incentive for doing so, and meanwhile there is constant pressure to cut corners. Yes, it hurts them in the long run, but as a security consultant, I've found it a real uphill battle to get them to connect the dots.

  6. Arrgghh by Mateito · · Score: 3, Interesting

    We need a new "random generator" type page to produce book titles of the form:

    "The n secrets of highly keyword1 keyword2"

    Where

    n is an integer

    keyword1 is empowering adjective:effective, secure, world dominating, goatsecxing

    keyword2 is the empowered noun: organisations, individuals, dictatorships, tubgirls.

    Maybe then we'll escape this sort of crud. I am studying an MBA, there is a lot of useful stuff in it, but I am already sick of all the goddamn management speak used to obfuscate otherwise valid observations. It's taken years to get "plain English" into academic writing and tech manuals. Let's now start hammering it into managers.

    1. Re:Arrgghh by Hockney+Twang · · Score: 1
      This will do it, minus the weird random spaces that /. inserts for me.
      <script>
      // pick a random count and an index into each keyword list
      n = parseInt(Math.random()*10);
      k1 = parseInt(Math.random()*4);
      k2 = parseInt(Math.random()*4);
      key1 = new Array();
      key1[0]="effective";
      key1[1]="secure";
      key1[2]="world dominating";
      key1[3]="goatsecxing";
      key2=new Array();
      key2[0]="organisations";
      key2[1]="individuals";
      key2[2]="dictatorships";
      key2[3]="tubgirls";
      // assemble the title
      document.write('The '+n+' secrets of highly '+key1[k1]+' '+key2[k2]+'.');
      </script>
    2. Re:Arrgghh by Anonymous Coward · · Score: 0

      I'm not even a coder and I can see the bad design in that code. Hardcoding the array size into the random-number-generating lines?

    3. Re:Arrgghh by Hockney+Twang · · Score: 1
      Well, it's not like I was gonna put this on sourceforge. I know it's not scalable, well-formed, whatever. But it is quick, small, and easy. If I could have written it smaller, and in worse style, I would have. In fact, here goes:
      <script>
      key1 = new Array(); key1[0]="effective"; key1[1]="secure"; key1[2]="world dominating"; key1[3]="goatsecxing"; key2=new Array(); key2[0]="organisations"; key2[1]="individuals"; key2[2]="dictatorships"; key2[3]="tubgirls"; document.write('The '+parseInt(Math.random()*10)+' secrets of highly '+key1[parseInt(Math.random()*key1.length)]+' '+key2[parseInt(Math.random()*key2.length)]+'.');
      </script>
      How's that?
  7. Top 6 secrets.. ha ha by 192939495969798999 · · Score: 3, Funny

    It would be great if it was accidentally a list of the actual top 6 secrets of those companies, and not a list of how they kept things secret.

    Secret 1: the password is 1.. 2.. 3.. 4.. 5!
    Company XYZ somewhere, reading list: "CRAP! That's the same combination we use for root!"

    --
    stuff |
    1. Re:Top 6 secrets.. ha ha by duxwig · · Score: 0

      I wonder if I should tell all my customers that when I put 12345 and 'password' as their login that they're in trouble? hrm....Nahhhhhhh.

    2. Re:Top 6 secrets.. ha ha by Anonymous Coward · · Score: 0

      Not to mention the CEO's luggage.

    3. Re:Top 6 secrets.. ha ha by Spoing · · Score: 5, Interesting
      1. Secret 1: the password is 1.. 2.. 3.. 4.. 5!
        Company XYZ somewhere, reading list: "CRAP! That's the same combination we use for root!"

      That would be an improvement over reality: One facility run by a subcontractor has a database that processes 50K checks/day and generates checks in excess of $1 million/day.

      Last time I checked, the database had no password on the administrator account.

      Nobody was interested in changing this "because we are behind a firewall" and "there's no reason why anyone would look for us or could find us".

      Thus, my sig;

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    4. Re:Top 6 secrets.. ha ha by Satan+Dumpling · · Score: 4, Insightful

      And a firewall cannot help you when an employee plugs in a laptop with a virus they caught at home.... happened at my company more than once....

    5. Re:Top 6 secrets.. ha ha by Spoing · · Score: 2, Interesting
      1. And a firewall cannot help you when an employee plugs in a laptop with a virus they caught at home.... happened at my company more than once....

      Same here, though the same admin who thought no password was a good idea also blamed every laptop for every virus. Even had a long conversation with him on how likely my laptop (running Linux) could or could not pose a trojan/virus/... threat to his Windows client network. I still think he doesn't believe me that Linux can't spread Windows trojans (granted it could if I intentionally whipped up something).

      A well designed network should isolate resources into vlans or other bubbles that offer services only to who need them. The user LAN should be considered hostile.

      I haven't seen anyone isolate 'new' systems (typically laptops) on a network by default, though that is something that would be a good idea.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    6. Re:Top 6 secrets.. ha ha by Dark$ide · · Score: 1
      Secret 1: the password is 1.. 2.. 3.. 4.. 5!

      But we all know that the password IS: XYZZY! http://www.xyzzy.com/

      --

      Sigs. We don't need no steenking sigs.

  8. trying to read about the six secrets... by inode_buddha · · Score: 1

    has made me re-consider http re-directs and online surveys.

    --
    C|N>K
  9. Great dept name! by FunWithHeadlines · · Score: 1
    "loose-chips-sink-mips"

    That's a great one. Just wanted to give a pat on the back to the person who came up with it.

  10. Clarification by jotok · · Score: 5, Insightful

    The article, in the most polite way possible, slams IT types for disregarding security and not knowing how to properly interface with law enforcement personnel.

    From my perspective, there is a real dichotomy between IT and Security. While I have encountered quite a few IT types who take the time to learn about security issues, it seems as if they involve completely different mindsets. IT personnel are technical support--they worry about connectivity and uptime and handling the clownishness of the users. Security types are usually a lot more paranoid and consider the needs of the users a secondary concern to the integrity of the assets.

    The current model seems to be to hire a few security experts (and I use the term loosely--for every Eric Cole there are probably 1000 clowns who read his book and consider themselves just as good) to give recommendations and train the IT staff. I think the improvement in incident response and cleanup times is the result, but do you see that in terms of prevention we're not any better off?

    Some kind of integrated approach is necessary, but I think it's a ways off.

    1. Re:Clarification by Tyndmyr · · Score: 2, Interesting
      I'd agree with this assessment, but IMO the main problem is managers' failure to understand the nature of security. Most don't even realize the need to update software, let alone "complex" things like firewalls. I've been told to install an antivirus to keep hackers out. (Yes, I know, antiviruses are good, but this was the sole protection method)

      Until our managers become more technically adept, how can they understand if the security ppl are doing an adequate job?

      --
      Support more choices in government-Vote 3rd party.
    2. Re:Clarification by texroot · · Score: 1

      What I've seen is that management gets what it wants. As a relatively new sysadmin I've been appalled at some of the outdated security models where I work. For example, passwords on major unix boxes not even shadowed. But as long as management wants to push server consolidation, outsourcing and project after project, even those members of the overworked IT staff who might be concerned have no time to try to push or implement security projects.

      I noted that the article mentions negative drivers like the fear of litigation being behind most spending on security. Now we have SOX (Sarbanes-Oxley) and our management is worried. All of a sudden all kinds of security monitoring is high priority.

      How stupid that it takes lawsuits and government regulation to get management to decide that it's important to safeguard information assets.
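
Added example (my own code, not from the thread): a small audit of /etc/passwd for the condition texroot describes, password hashes left in the world-readable passwd file instead of /etc/shadow. The passwd content below is constructed for the example; the hash in it is a placeholder, not a real credential.

```python
"""
/etc/passwd audit (added example). Reports three things a new sysadmin
would want to see on an unshadowed unix box:
  - a password hash in the world-readable passwd file (should be 'x' or a lock marker)
  - an empty password field (login with no password at all)
  - additional UID 0 accounts besides root
"""
from typing import NamedTuple

# Constructed sample file; the $1$ entry is a placeholder, not a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:$1$placeholder$PLACEHOLDERHASHPLACEHOLDER:1001:1001:Oracle:/opt/oracle:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
toor:x:0:0:second superuser:/root:/bin/bash
"""

# Values that mean "no usable hash here": shadowed or locked.
SHADOW_OR_LOCKED = ("x", "*", "!", "!!")


class Finding(NamedTuple):
    user: str
    issue: str


def audit_passwd(text: str) -> list[Finding]:
    """Parse passwd-format text and return the findings in file order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:                       # name:pw:uid:gid:gecos:home:shell
            findings.append(Finding(f"line {lineno}", "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(Finding(user, "empty password field"))
        elif pw not in SHADOW_OR_LOCKED and not pw.startswith("!"):
            findings.append(Finding(user, "password hash stored in passwd (not shadowed)"))
        if uid == "0" and user != "root":
            findings.append(Finding(user, "additional UID 0 account"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user}: {f.issue}")
```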

    3. Re:Clarification by jotok · · Score: 1

      No, it makes perfect sense. Management rarely sees the connection between security and job completion (and thus, satisfying the demands of the shareholders, which is technically the reason why the corporation exists). You have to put it in terms they understand. This is why I'm in favor of separate security departments, for one, and also, why an integrated approach is the only one that will work (e.g. start everything with security in mind).

  11. Re:whoamg by Anonymous Coward · · Score: 2, Funny
    From the article:
    Secret 1: Spend more


    Wow! This study is really worth its 6 million.
  12. Re:Sure it is by stratjakt · · Score: 0, Flamebait

    Hey! I went googling for "a piece of pie" by the frantics and got a link to wil wheatons blog, of all places!

    This pie... is proof!

    Proof that you carry shit in your pocket!

    --
    I don't need no instructions to know how to rock!!!!
  13. Security rule #1 by ceeam · · Score: 4, Insightful

    If you don't know how to crack you don't know how to protect. Since teaching, learning, and sharing knowledge of how to crack is all but universally illegal now, only criminals can be security experts. Lawmakers may pat themselves on the back - good job!

    1. Re:Security rule #1 by Anonymous Coward · · Score: 0

      I believe you are wrong. I do not know how to code an exploit for a certain program on a certain OS. I could compile a pre-built exploit however.

      I can also protect my network against people that have malicious intent. Just because I do not understand the fine art of being a code junkie does not mean I don't have the ability to stop unwanted people from my network. Most likely any network is vulnerable, the attacker just needs to be skilled enough to be able to defeat the security measures put in place.

      People need to be taught. That's all there is to it. They do not understand why things need to be a certain way. It's our job to inform them of these reasons and implement them effectively.

    2. Re:Security rule #1 by Tony-A · · Score: 2, Interesting

      "If you don't know how to crack you don't know how to protect."

      I believe you are wrong. ... Just because I do not understand the fine art of being a code junkie does not mean I don't have the ability to stop unwanted people from my network.

      It's hard to lock a door if you have no idea what a door is.

      the attacker just needs to be skilled enough to be able to defeat the security measures put in place.
      Bingo!
      Also the attacker gets to move around and the defense has to just sit there.

      It's probably more a case of knowing how much skill and effort is required to crack than having said skill and knowledge. However, no idea of what is required will cause the defenders to expend a lot of time and effort erecting useless defenses. It's everything you don't know that matters.

  14. exaggerated by IAR80 · · Score: 3, Insightful

    This whole security business is getting a little bit out of hand. You should definitely exercise reasonable care (like having a firewall well configured, using passwords not identical to the account and so on) but I know organizations that really went paranoid and are implementing the most ridiculous policies (and making the environment very hard to work in because of that) and spent M$ on security consultants when the info they had is worth next to nothing or it is even public. This started to look a little bit like the Y2K craze. Keep them scared and that way you keep the money flowing in.

    --
    http://ebgp.net/ccc/
    1. Re:exaggerated by Trailer+Trash · · Score: 1

      ...and spent M$ on security consultants...

      You must be new around here. "M$" is a macro that expands to "Microsoft" when we read it...

    2. Re:exaggerated by Tony-A · · Score: 1

      ...and spent M$ on security consultants...

      And the difference is ... ?

      Fundamentally it's the same thing. Spending lots of money on sham.

    3. Re:exaggerated by hrtserpent6 · · Score: 0

      As networks become increasingly complex and increasingly interconnected, the difficulty in adequately securing them properly increases exponentially.

      If you're housing millions+ of dollars in data/IP/personal information or are protecting government assets/secrets, well you are probably REQUIRED to comply with DITSCAP/HIPAA/Sarbanes-Oxley or some other mandated standard...and by god you need a security infrastructure. And more and more organizations are beginning to realize how difficult it is to do it right.

      Standard security procedures:
      - Lock down the perimeter
      - Lock down the servers
      - Lock down the desktops
      - Limit data portability (thumbdrives/USB drives/CD-R(W))
      - Limit external access by employees
      - Partition your network into secure zones
      - ACLs on everything that sends or receives a packet
      - Encryption for sensitive data
      - Monitor everything and *gasp* actually review the logs
      - Make passwords be strong and expire often
      - Quarantine your remote users/connections
      - Checks and balances in the 'meat-space' authorization process
      - 3+ factor authentication (SecurID, biometrics, certificates, PKI)
      - Redundancy, redundancy, redundancy
      - Incident response capability
      - Off-site data storage and recovery
      - Conduct regular security audits and reviews

      And this is just for the small business networks I deal with. Sounds like a lot, but it STILL will not meet some security standards.

      Now let's take a fictional mid-size company: 500 employees over 3 sites, 30 file/database/infrastructure servers, 4 public servers, dial-up PPP RAS. The company requires persistent/semi-persistent connections to 3 other organizations. The desktops are a mishmash of XP/2000/NT4, the servers range from NT4-2003, a couple Netware boxes, a couple of Solaris machines running unpatched Oracle 9i and you are using a half-dozen proprietary closed-source apps that connect to the Internet in some fashion. They recently landed a contract as a sub to Lockheed-Martin and are going to be handling sensitive documents. You've just been hired as CIO and your first priority as dictated by the CEO is to 'secure the network'. Your IT staff consists of a DBA, 2 MCSDs, a Unix guru, 4 MCSEs, 7 A+ techs, a dozen secretaries with rudimentary troubleshooting skills and the PHB who lords over them. So now how much money do you think you need?


      when the info they had is worth next to nothing or it is even public

      Value is in the eye of the beholder. There's very little data that you can make money off of that isn't valuable to someone. You think that PeopleSoft database might not be worth a few bucks to the right person?

      This started to look a little bit like the Y2K craze

      Increased awareness creating increased vigilance does not mean the issue is self-created.

      Check here in the Incidents Reported section. That 1394% increase between 1999 and 2003 kinda reaches out and grabs ya.

  15. The Six Secrets by nharmon · · Score: 4, Insightful

    The first of the six secrets in this article was to "Spend More" on security. That's funny, because someone else told us that The Most Secure Companies Spend the Least. Which would suggest that the idea of throwing money at a problem isn't always the best solution.

    The second secret, separating your data security from your IT people, is a good idea only when your data security people are as competent as the regular IT people. Which is very rarely the case, because we tend to want our best talent out fixing the VP's PCs. What usually ends up happening is the company has to bring in an outside contractor to do what the data security people are not capable of, and the data security people become "go betweens" with them.

    The other 4 "secrets" aren't really secrets but simply good practices in the fields of penetration testing, and documentation.

    1. Re:The Six Secrets by Tony-A · · Score: 1

      Which would suggest that the idea of throwing money at a problem isn't always the best solution.

      Throwing money at the problem tends to enlarge the scope of the problem, i.e. more and bigger problems. The ones who spend least probably secure the few things that need securing and do those few rather well and do not impose unwarranted restrictions on everybody else. Easy way to check. If they lock their doors whenever they leave, they need security. Open doors when they aren't there means they do not need a lot of security, and certainly not on their computers.

      There are two aspects to security. First and foremost is losing access to what you have. That, whether by hardware or software fault, is what puts companies out of business. Second is depriving unauthorized people access to sensitive information. You put that in the hands of people who are naturally protective of it which really must mean that they control access, not IT, not security. For a cheap shot, just give 'em two computers.

  16. revealing study of what CIOs are REALLY like by nusratt · · Score: 4, Insightful
  17. The uhmteen or so habits of highly random asshats? by vettemph · · Score: 1

    The uhmteen or so habits of highly random asshats?

    Does anyone know where asshats came from? It's an incredibly funny descriptor but I don't know of its origin. Is it just a buttheadism?

    --
    The government which is strong enough to protect you from everything is strong enough to take everything from you.
  18. Seventh Secret by revery · · Score: 1

    If I'm reading these numbers right, there is (at least) one thing that is interesting.

    The "Best Practices" (hereafter BPG) group claimed 14% of their IT budget was spent on Infosecurity, while the "Average Group" (hereafter AG) spent 9%, while the difference in number of people on full time security in the BPG was approximately 430 and the AG was only around 160.

    Or in numbers, a BPG company spends $140,000 of its $1,000,000 IT budget (these are fake numbers) and hires 430 people while an AG company spends $90,000 from its IT budget of the same amount and picks up 160 people.

    90,000 -> 140,000 increase of 56%
    160 -> 430 increase of 169%
    430 people with an average salary of 325.58
    160 people with an average salary of 562.50
    That's a salary difference for "average" employees of 73%

    My point is hiring more (potentially) less qualified people may do more than spending more. This is of course if I've read the graphs right, am thinking correctly, and have done this hasty math correctly.

    --

    Was it the sheep climbing onto the altar, or the cattle lowing to be slain,
    or the Son of God hanging dead and bloodied on a cross that told me this was a world condemned, but loved and bought with blood.

    1. Re:Seventh Secret by Demonspawn · · Score: 1

      The math looks good at first, but there is one simple thing I think makes the difference.

      I'm willing to bet that any member of the BPG is also a company that takes IT much more seriously, and therefore would have a much larger IT budget (in relation to the total company budget). Also, I would venture a guess that the BPG are also much larger companies, otherwise the difference in department sizes would be smaller than the current 2.5:1

      --Demonspawn

  19. ..laissez-faire, maybe even lackadaisical by burgburgburg · · Score: 1
    The attitude among security professionals toward critical infrastructure, regulation and working with the authorities after incidents can best be described as laissez-faire, maybe even lackadaisical.

    As a self-appointed representative of security professionals, I have to balk at this description. Many security professionals are under incredible pressure. If, after a harrowing incident, they take some time to frolic down by the old Mill pond, perhaps take a roll or two down Mr. Jenkin's hill, or even skip through town while eating candy corn or gummy bears, well who can blame them? The incident was harrowing, after all.

    They PROMISE to get around, eventually, to addressing the infrastructure, regulation and authority issues. But it's so warm and sunny outside. Why is it always "Work, work, work" for you, anyway? Have you never been happy?

    1. Re:..laissez-faire, maybe even lackadaisical by hrtserpent6 · · Score: 0

      working with the authorities after incidents

      Security Guy: "Maybe we should call the authorities."
      CIO: "Doesn't that mean they will probably send forensics guys down here, quarantine some servers, start raking through our data for evidence and generally be up our asses for a week or so?"
      Security Guy: "Possibly..."
      CIO: "Sounds like a lot of paperwork...How about we just patch the boxes, write up the report and call it a day? When is the last time you slept anyway?"

  20. MS Windows Updates... by MonkeyDev · · Score: 2, Interesting
    At our company we finally implemented a process where MS updates could be applied more quickly. Because MS is famous for messing up everyone's machine with their lovely windows updates, we had an almost 2 month testing cycle before updates were applied. Now we apply security patches immediately (i.e., within 1-2 days - workstations first, then servers). We'll deal with any MS screw-ups the next day.

    "2. Separate information security from IT" - idiots! It's IT that understands this stuff. The answer is not to separate the security group from IT, the answer is to give IT the authority to make the tough lock-down decisions required to make the systems secure and force the business area to adhere to those guidelines. Users want to download everything, keep the same password for x years, or paste the password on their monitor - just in case they forget. The key is give IT the authority to lock-down users and prevent them from doing stupid things. Also, continually educate users on why security is so important. If your users take security seriously, the whole system flows better.

    One final thought, why can't all passwords expire at the same time - and all contain the same restrictions? If a number is required in a password, and mixed case - then require that for all passwords so I can use the same one across the systems (mainframe, windows login, peoplesoft login). I'll still change them every 6-8 weeks, but make them all expire at the same time - much appreciated! :)

    1. Re:MS Windows Updates... by jotok · · Score: 2, Interesting
      "2. Separate information security from IT" - idiots! It's IT that understands this stuff.
      Out of the past thousand or so incidents I have handled or observed, maybe 900 of them involved some bungle by IT regarding: failure to patch systems (often while reporting that they had), failure to remove unnecessary services, failure to properly implement network and host security features (e.g. firewalls and IDSs installed improperly, logging not turned on, etc.), failure to conduct account audits, failure to implement standing security policy.

      The takeaway from this is that IT may be brilliant when it comes to setting up your network, and absolutely clueless when it comes to securing it. IT may understand the issues. However, their willingness to actually take care of the issues is in question (the common excuse is some variant on "I didn't think anyone would come after us!" (e.g. "Why would anyone want to steal our data?")).

      Second, I do not believe that the issue is all about PHBs demanding that IT leave the systems open for their own convenience. I think this is little more than a myth invented by IT. Yes, management is as a rule dimwitted, but even PHBs understand terms like "accountability to shareholders" and "losing your job," or, my personal favorite, "If you do not take steps to secure your infrastructure you could be held personally responsible for hundreds of thousands of dollars."

      In short, as the article noted, litigation is a great motivating factor for PHBs.

      Anyway, as I noted before: some IT personnel are on the ball with this, but most of them are in a wholly different world.
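
    The failure classes listed in the post above (patches reported but not installed, unnecessary services, logging off, no account audits) are all checkable. The following is an added example, not code from the thread or from the survey, showing how to reconcile what IT reports against what a host scan and the directory actually show. Every host, patch identifier, port set and account below is constructed for illustration; a real run would feed it from a patch-management export, listening-socket output, log-agent status and last-logon data.

```python
"""Reconcile IT's reported security state against observed state.

Added example. All inventory data here is constructed; the patch IDs,
hostnames, role allowlists and accounts are hypothetical.
"""
from datetime import date

REQUIRED_PATCHES = {"KB-001", "KB-002", "KB-003"}      # hypothetical IDs
ALLOWED_SERVICES = {"web": {22, 443}, "db": {22, 5432}}  # ports per role
STALE_AFTER_DAYS = 90
TODAY = date(2004, 10, 1)

# Constructed inventory: what IT reported next to what a scan found.
HOSTS = [
    {"name": "web01", "role": "web", "reported_patched": True,
     "installed": {"KB-001", "KB-002", "KB-003"},
     "listening": {22, 443}, "logging": True},
    {"name": "web02", "role": "web", "reported_patched": True,
     "installed": {"KB-001", "KB-002"},        # reported patched, one missing
     "listening": {22, 443, 23},               # telnet left enabled
     "logging": False},
    {"name": "db01", "role": "db", "reported_patched": False,
     "installed": {"KB-001"},
     "listening": {22, 5432}, "logging": True},
]

# Constructed directory export: enabled flag and last interactive logon.
ACCOUNTS = [
    {"user": "alice", "last_login": date(2004, 9, 28), "enabled": True},
    {"user": "contractor7", "last_login": date(2004, 2, 1), "enabled": True},
    {"user": "bob", "last_login": None, "enabled": True},       # never used
    {"user": "olduser", "last_login": date(2003, 1, 1), "enabled": False},
]


def audit_host(host):
    """Return a list of findings for one host; an empty list means clean."""
    findings = []
    missing = REQUIRED_PATCHES - host["installed"]
    if missing and host["reported_patched"]:
        # The case the post singles out: a "patched" report the host contradicts.
        findings.append(f"patch report contradicted, missing {sorted(missing)}")
    elif missing:
        findings.append(f"unpatched, missing {sorted(missing)}")
    extra = host["listening"] - ALLOWED_SERVICES[host["role"]]
    if extra:
        findings.append(f"unnecessary services on ports {sorted(extra)}")
    if not host["logging"]:
        findings.append("logging disabled")
    return findings


def stale_accounts(accounts, today=TODAY, max_days=STALE_AFTER_DAYS):
    """Enabled accounts that were never used or unused for more than max_days."""
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = acct["last_login"]
        if last is None or (today - last).days > max_days:
            stale.append(acct["user"])
    return stale


def audit(hosts=HOSTS, accounts=ACCOUNTS):
    """Per-host findings plus the stale-account list, keyed by name."""
    report = {h["name"]: audit_host(h) for h in hosts}
    report["accounts"] = stale_accounts(accounts)
    return report


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else findings)
```

    The point of keeping the reported flag beside the observed patch set is that the two are compared, not merged: a host that says "patched" while missing a required update is a different finding from one that is honestly behind, and the first is the one worth escalating.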
  21. No surprises by TimTheFoolMan · · Score: 4, Interesting

    My group deploys custom solutions to customers all over the US, and we're regularly amazed at the customers' variances in security. At one extreme are gov't facilities you would expect to be tight, and they're loose. On the other are mundane organizations where things are very tight. Amazingly, some of the private sector companies are the tightest.

    The article made a recommendation for a Security Czar (my term) to be in charge of physical security as well as info security. In my experience, physical and data security mirror each other within a given facility. Those who are sensitive to the exposure of their data are typically those with the tightest security measures for employees.

    However, in an odd twist, very few companies consider the physical security of the data servers. In other words, they worry about firewalls, proxy servers, and up-to-date AV protection, but leave the servers in a location that's physically accessible to people WITHIN their organization that shouldn't have access to it.

    Very, very rarely does someone manage this right. One of the few exceptions was a VA hospital. Not the tightest security, but it was consistently applied in the physical access to the servers, the access to the building in general, and the measures taken for electronic protection and isolation of critical systems.

    Tim

  22. Join the Cyber-Corp! I did! by LanMan04 · · Score: 2, Interesting

    If you get involved in the right educational program you get all that and more, and Uncle Sam pays the bill.

    In May I graduated from "Cyber-Corp", a Computer Science - Information Assurance master's degree (or undergrad if that's your thing) program that is funded by NSF. I took many full, real college credit classes (3 or 4 semester hours) on Penetration Testing, Systems Certification and Accreditation, Digital Forensics, Secure Network Design and Implementation, Secure E-Commerce, the list goes on. And this isn't some wussy program, we also had compiler design (try building a recursive-descent Pascal compiler without lex or yacc, and you don't even get an LL(1) grammar to start with) and a heavy concentration on formal proofs and methods (non-interference, DITSCAP). I also got all 5 DoD Information Assurance certificates (ISSO, Designated Approving Authority, etc.) blessed by the NSA's INFOSEC training program.

    Anyway, I got my MS for free so long as I work for the gov after graduation for a year and a half (which I do now), and about 80% of grads go to DoD and various intelligence agencies (NSA, CIA, FBI Forensics Lab, NIST, Commerce, etc.). It's a fantastic program taught by some of the brightest security minds in the country (at least at University of Tulsa, where I went, best school out of the 20 or so that do the program). Great stuff, check out the University of Tulsa Cyber-Corp page, I'm not sure what the national program's page is. Oh yeah, and they pay you a stipend to live on while you go to school, so no work. =)

    --
    With the first link, the chain is forged.
  23. Re:The uhmteen or so habits of highly random assha by TheTimoo · · Score: 1

    AFAIK Jeff K. is the one you're looking for.

    --
    "Be careful or be roadkill" - Calvin
  24. Re:Join the Cyber-Corp! I did! by jotok · · Score: 1

    Let me add a quick addendum to LanMan's post.

    In support of the government's policies on Critical Infrastructure Protection, there is this outreach program between NSA and various educational institutions which is producing just really excellent security professionals. In light of corporate resistance to DHS's attempts to bring the private sector onboard, I think this and similar programs are the best shot we have at securing the civilian sector.

    More information can be found here.

  25. Re:Join the Cyber-Corp! I did! by NeoSkandranon · · Score: 1

    Far as I know the University of North Carolina system also is a member of this program (at the very least the Charlotte campus).

    Looks to be a sweet deal. Too bad I'm engineering and not compsci =\

    --
    If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
  26. Re: Physical security by Alwin+Henseler · · Score: 1
    The article was very good to suggest separating information security from IT, and integrating with physical security.

    After all, IT is just a tool, a means to an end. If you have a super-secure server, but one could throw a brick through a window and walk away with the goodies, that server isn't really secure. If you have a fire in a datacenter, and your entire archive and customer files are lost, then your backup procedures were flawed, even if state-of-the-art tools were used.

  27. Easy to keep files secure by Prince+Vegeta+SSJ4 · · Score: 1
    I encrypt all of my garbage files, set permissions, restrict shares, etc, and put highly sensitive stuff in a folder that is public with the name:
    • "Hackers Please Look in here, and download everything - I contain no tracking software and I am NOT a Honeypot"

    So far, so good. In fact I'm looking at my financial statements right now and they say .$%^ WTF what the hell is a |33t 81ll|ion41r3, where the hell is my balance sheet.

  28. Re:Join the Cyber-Corp! I did! by negro · · Score: 1

    The University of North Texas is also issuing security certifications from the NSA:
    http://www.cics.unt.edu/

  29. Sensible colors by Anonymous Coward · · Score: 0