Slashdot Mirror
2004 Global Information Security Survey Results
jotok writes "CIO.com has released the results of its 2004 Global Information Security Survey, based on the responses of over 8,000 people in 62 countries, highlighting the Six Secrets of Highly Secure Organizations. The report indicates that security awareness and implementation are gradually improving, but also that information security is still not recieving the attention it requires--especially from management and IT personnel."
Who then is supposed to give a shit about information security if not management and IT? It's stuff like this that makes me very unsympathetic towards companies with virus problems.
"Ask not what your country can do for you." --John F. Kennedy
The article, in the most polite way possible, slams IT types for disregarding security and not knowing how to properly interface with law enforcement personnel.
From my perspective, there is a real dichotomy between IT and Security. While I have encountered quite a few IT types who take the time to learn about security issues, it seems as if they involve completely different mindsets. IT personnel are technical support--they worry about connectivity and uptime and handling the clownishness of the users. Security types are usually a lot more paranoid and consider the needs of the users a secondary concern to the integrity of the assets.
The current model seems to be to hire a few security experts (and I use the term loosely--for every Eric Cole there probably 1000 clowns who read his book and considers himself just as good) to give recommendations and train the IT staff. I think the improvement in incident response and cleanup times is the result, but do you see that in terms of prevention we're not any better off?
Some kind of integrated approach is necessary, but I think it's a ways off.
If you don't know how to crack you don't know how to protect. Since teaching, learning, and sharing knowledge of how to crack is all but universally illegal now only criminals can be security experts. Lawmakers may pat themselves on the back - good job!
This whole security business is getting a little bit out of hand. You should definitly exercise reasonable care (like having a firewall well configured, use passwords not identical to the account and so on) but I know organizations that really went paranoid and are implementing the most ridiculos polycies (and making the environment very hard to work in because of that) and spent M$ on security consultants when the info they had is worth next to nothing or it is even public. This started to look a little bit like the Y2K craze. Kepp them scared and that way you keep the money flowing in.
http://ebgp.net/ccc/
The first of the six secrets in this article was to "Spend More" on security. Thats funny, because someone else told us that THe most Secure Companies Spend the Least. Which would suggest that the idea of throwing money at a problem isn't always the best solution.
The second secret, seperating your data security from your IT people, is a good idea only when your data security people are as competent at the regular IT people. Which is very rarely the case, because we tend to want our best talent our fixing the VP's PCs. What usually ends up happening is the company has to bring in an outside contractor to do what the data security people are not capable of, and the data security people become "go betweens" with them.
The other 4 "secrets" aren't really secrets but simply good practices in the fields of penetration testing, and documentation.
In our shop, our upper management are the worst offenders. We have a COO that demands his laptop be built to auto login to everything. He doesn't want to remember passwords. The few passwords he has to remember are like 1234 or ABCD.
Since senior management doesn't care, what makes them think that employees lower than them should?
This same COO had his email account hacked because of a poor password and blamed IT for not having enough controls in place.
I'm sure you can imagine my response.
Study Shows PHBs Are Security "Idiots"
No, not at all.
I'm explicitly advising not to run around thinking you know the first thing about running a secure server because you read slashdot every day.
So many morons running linux powered websites incorrectly out there. While linux may not be a target for worms that just arbitrarily hit anyone, if someone actually targets the server, they can usually get root on it. These are the type of attacks you need to fear in business. Sasser wastes time and bandwidth, a dedicated hacker who's out to get you could ruin the business entirely.
The warez "pub" scene is chock full of hacked proftpd servers. There are thousands of linux and BSD boxes pumping spam through open relays or misconfigured proxies.
HL2's source code was stolen from a linux machine on a linux based network.
Admin's don't even bother to keep up with patches, or even read logs, because they read on slashdot that linux is just "magically secure" out of the box.
At least MS is honest enough to admit there are problems and work towards fixing them.
I'd rather worry about my system being insecure than falsely believe that it isn't. Security requires paranoia.
I don't need no instructions to know how to rock!!!!
And a firewall cannot help you when an employee plugs in a laptop with a virus they caught at home.... happened at my company more than once....