Slashdot Mirror


2004 Global Information Security Survey Results

jotok writes "CIO.com has released the results of its 2004 Global Information Security Survey, based on the responses of over 8,000 people in 62 countries, highlighting the Six Secrets of Highly Secure Organizations. The report indicates that security awareness and implementation are gradually improving, but also that information security is still not receiving the attention it requires--especially from management and IT personnel."

10 of 77 comments

  1. Arrgghh by Mateito · Score: 3, Interesting

    We need a new "random generator" type page to produce book titles of the form:

    "The n secrets of highly keyword1 keyword2"

    Where

    n is an integer

    keyword1 is the empowering adjective: effective, secure, world dominating, goatsecxing

    keyword2 is the empowered noun: organisations, individuals, dictatorships, tubgirls.

    Maybe then we'll escape this sort of crud. I am studying an MBA, there is a lot of useful stuff in it, but I am already sick of all the goddamn management speak used to obfuscate otherwise valid observations. It's taken years to get "plain English" into academic writing and tech manuals. Let's now start hammering it into managers.

  2. Re:That's pretty sad! by lukewarmfusion · Score: 4, Interesting

    Parent has a good point. Every company I've worked in has people who think, "It's not my problem." Management should be concerned about security protecting their business. IT personnel should be concerned about security because it keeps them in a job and makes life easier.

    We have so many cliches and maxims about this very concept, but they fall on deaf ears:

    Nobody seems to care about doing things the right way until they screw up because they were done poorly. Ounce of prevention and all that.

  3. Re:Clarification by Tyndmyr · Score: 2, Interesting

    I'd agree with this assessment, but IMO the main problem is managers' failure to understand the nature of security. Most don't even realize the need to update software, let alone "complex" things like firewalls. I've been told to install an antivirus to keep hackers out. (Yes, I know, antiviruses are good, but this was the sole protection method)

    Until our managers become more technically adept, how can they understand if the security ppl are doing an adequate job?

    --
    Support more choices in government - Vote 3rd party.

  4. MS Windows Updates... by MonkeyDev · Score: 2, Interesting

    At our company we finally implemented a process where MS updates could be applied more quickly. Because MS is famous for messing up everyone's machine with their lovely windows updates, we had an almost 2 month testing cycle before updates were applied. Now we apply security patches immediately (i.e., within 1-2 days - workstations first, then servers). We'll deal with any MS screw-ups the next day.

    "2. Separate information security from IT" - idiots! It's IT that understands this stuff. The answer is not to separate the security group from IT, the answer is to give IT the authority to make the tough lock-down decisions required to make the systems secure and force the business area to adhere to those guidelines. Users want to download everything, keep the same password for x years, or paste the password on their monitor - just in case they forget. The key is give IT the authority to lock-down users and prevent them from doing stupid things. Also, continually educate users on why security is so important. If your users take security seriously, the whole system flows better.

    One final thought, why can't all passwords expire at the same time - and all contain the same restrictions? If a number is required in a password, and mixed case - then require that for all passwords so I can use the same one across the systems (mainframe, windows login, peoplesoft login). I'll still change them every 6-8 weeks, but make them all expire at the same time - much appreciated! :)

    1. Re:MS Windows Updates... by jotok · Score: 2, Interesting

      "2. Separate information security from IT" - idiots! It's IT that understands this stuff.

      Out of the past thousand or so incidents I have handled or observed, maybe 900 of them involved some bungle by IT regarding: failure to patch systems (often while reporting that they had), failure to remove unnecessary services, failure to properly implement network and host security features (e.g. firewalls and IDSs installed improperly, logging not turned on, etc.), failure to conduct account audits, failure to implement standing security policy.

      The takeaway from this is that IT may be brilliant when it comes to setting up your network, and absolutely clueless when it comes to securing it. IT may understand the issues. However, their willingness to actually take care of the issues is in question (the common excuse is some variant on "I didn't think anyone would come after us!" (e.g. "Why would anyone want to steal our data?")).

      Second, I do not believe that the issue is all about PHBs demanding that IT leave the systems open for their own convenience. I think this is little more than a myth invented by IT. Yes, management is as a rule dimwitted, but even PHBs understand terms like "accountability to shareholders" and "losing your job," or, my personal favorite, "If you do not take steps to secure your infrastructure you could be held personally responsible for hundreds of thousands of dollars."

      In short, as the article noted, litigation is a great motivating factor for PHBs.

      Anyway, as I noted before: some IT personnel are on the ball with this, but most of them are in a wholly different world.

  5. No surprises by TimTheFoolMan · Score: 4, Interesting

    My group deploys custom solutions to customers all over the US, and we're regularly amazed at the customers' variances in security. At one extreme are gov't facilities you would expect to be tight, and they're loose. On the other are mundane organizations where things are very tight. Amazingly, some of the private sector companies are the tightest.

    The article made a recommendation for a Security Czar (my term) to be in charge of physical security as well as info security. In my experience, physical and data security mirror each other within a given facility. Those who are sensitive to the exposure of their data are typically those with the tightest security measures for employees.

    However, in an odd twist, very few companies consider the physical security of the data servers. In other words, they worry about firewalls, proxy servers, and up-to-date AV protection, but leave the servers in a location that's physically accessible to people WITHIN their organization that shouldn't have access to it.

    Very, very rarely does someone manage this right. One of the few exceptions was a VA hospital. Not the tightest security, but it was consistently applied in the physical access to the servers, the access to the building in general, and the measures taken for electronic protection and isolation of critical systems.

    Tim

  6. Re:Top 6 secrets.. ha ha by Spoing · Score: 5, Interesting

    1. Secret 1: the password is 1.. 2.. 3.. 4.. 5!
      Company XYZ somewhere, reading list: "CRAP! That's the same combination we use for root!"

    That would be an improvement over reality: One facility run by a subcontractor has a database that processes 50K checks/day and generates checks in excess of $1 million/day.

    Last time I checked, the database had no password on the administrator account.

    Nobody was interested in changing this "because we are behind a firewall" and "there's no reason why anyone would look for us or could find us".

    Thus, my sig:

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.

  7. Join the Cyber-Corp! I did! by LanMan04 · Score: 2, Interesting

    If you get involved in the right educational program you get all that and more, and Uncle Sam pays the bill.

    In May I graduated from "Cyber-Corp", a Computer Science - Information Assurance master's degree (or undergrad if that's your thing) program that is funded by NSF. I took many full, real college credit classes (3 or 4 semester hours) on Penetration Testing, Systems Certification and Accreditation, Digital Forensics, Secure Network Design and Implementation, Secure E-Commerce, the list goes on. And this isn't some wussy program, we also had compiler design (try building a recursive-descent Pascal compiler without lex or yacc, and you don't even get an LL(1) grammar to start with) and a heavy concentration on formal proofs and methods (non-interference, DITSCAP). I also got all 5 DoD Information Assurance certificates (ISSO, Designated Approving Authority, etc) blessed by the NSA's INFOSEC training program.

    Anyway, I got my MS for free so long as I work for the gov after graduation for a year and a half (which I do now), and about 80% of grads go to DoD and various intelligence agencies (NSA, CIA, FBI Forensics Lab, NIST, Commerce, etc). It's a fantastic program taught by some of the brightest security minds in the country (at least at University of Tulsa, where I went, best school out of the 20 or so that do the program). Great stuff, check out the University of Tulsa Cyber-Corp page, I'm not sure what the national program's page is. Oh yeah, and they pay you a stipend to live on while you go to school, so no work. =)

    --
    With the first link, the chain is forged.

  8. Re:Top 6 secrets.. ha ha by Spoing · Score: 2, Interesting

    1. And a firewall cannot help you when an employee plugs in a laptop with a virus they caught at home.... happened at my company more than once....

    Same here, though the same admin who thought no password was a good idea also blamed every laptop for every virus. Even had a long conversation with him on how likely my laptop (running Linux) could or could not pose a trojan/virus/... threat to his Windows client network. I still think he doesn't believe me that Linux can't spread Windows trojans (granted it could if I intentionally whipped up something).

    A well designed network should isolate resources into VLANs or other bubbles that offer services only to those who need them. The user LAN should be considered hostile.

    I haven't seen anyone isolate 'new' systems (typically laptops) on a network by default, though that is something that would be a good idea.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
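    As an added example, not something posted in the thread: a small Python audit in the spirit of comments 6 and 8. It treats the user LAN as hostile, works out which services a constructed inter-VLAN policy leaves reachable from it, and flags what the sig warns about: an unneeded service left running, logging switched off, and an admin account with no password that only the firewall stands in front of. The policy, the service inventory and all field names are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    vlan: str              # network segment the service lives on
    port: int
    needed: bool           # does anyone still use it?
    admin_password_set: bool
    logging_enabled: bool


# Constructed inter-VLAN policy: (source, destination) -> allowed TCP ports,
# or "any". Pairs not listed are denied. New, unvetted laptops land in
# "quarantine", which can reach nothing until someone checks them.
POLICY = {
    ("users", "servers"): {443},
    ("users", "finance"): "any",     # "we are behind a firewall" thinking
    ("quarantine", "servers"): set(),
}

# Constructed inventory modelled on the thread: a check-processing database
# whose admin account has no password, plus a leftover FTP daemon nobody uses.
SERVICES = [
    Service("check-db", "finance", 1433, True, False, False),
    Service("intranet-web", "servers", 443, True, True, True),
    Service("old-ftp", "servers", 21, False, True, False),
]


def reachable(src_vlan, svc, policy=POLICY):
    """True if a host on src_vlan can open svc.port on the service's VLAN."""
    allowed = policy.get((src_vlan, svc.vlan), set())
    return allowed == "any" or svc.port in allowed


def audit(services=SERVICES, policy=POLICY, hostile="users"):
    """Findings as (severity, service, message), worst first. The user LAN is
    hostile by assumption, so "behind the firewall" buys nothing on its own."""
    findings = []
    for s in services:
        exposed = reachable(hostile, s, policy)
        if not s.admin_password_set:
            where = " reachable from user LAN" if exposed else ""
            findings.append(("critical" if exposed else "high", s.name,
                             "blank admin password" + where))
        if not s.needed:
            findings.append(("medium", s.name, "unneeded service; turn it off"))
        if not s.logging_enabled:
            findings.append(("low", s.name, "logging disabled"))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for sev, name, msg in audit():
        print(f"[{sev:8}] {name}: {msg}")
```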

  9. Re:Security rule #1 by Tony-A · Score: 2, Interesting

    "If you don't know how to crack you don't know how to protect."

    I believe you are wrong. ... Just because I do not understand the fine art of being a code junkie does not mean I don't have the ability to stop unwanted people from my network.

    It's hard to lock a door if you have no idea what a door is.

    the attacker just needs to be skilled enough to be able to defeat the security measures put in place.

    Bingo!

    Also the attacker gets to move around and the defense has to just sit there.

    It's probably more a case of knowing how much skill and effort is required to crack than having said skill and knowledge. However, no idea of what is required will cause the defenders to expend a lot of time and effort erecting useless defenses. It's everything you don't know that matters.