Slashdot Mirror
2004 Global Information Security Survey Results
jotok writes "CIO.com has released the results of its 2004 Global Information Security Survey, based on the responses of over 8,000 people in 62 countries, highlighting the Six Secrets of Highly Secure Organizations. The report indicates that security awareness and implementation are gradually improving, but also that information security is still not recieving the attention it requires--especially from management and IT personnel."
Sounds a lot like the two secrets of maintaining security.
1) Never tell anybody everything you know.
Who then is supposed to give a shit about information security if not management and IT? It's stuff like this that makes me very unsympathetic towards companies with virus problems.
"Ask not what your country can do for you." --John F. Kennedy
Seventh Secret: Most flaws occur thru "Gates" - Keep away from.
This is computer-generated and does not require a signature.
We need a new "random generator" type page to produce book titles of the form:
"The n secrets of highly keyword1 keyword2"
Where
n is an integer
keyword1 is empowering adjective:effective, secure, world dominating, goatsecxing
keyword2 is the empowered noun: organisations, individuals, dictatorships, tubgirls.
Maybe then we'll escape this sort of crud. I am studying an MBA, there is a lot of useful stuff in it, but I am already sick of all the goddamn management speak used to obfuscate otherwize valid observations. Its taken years to get "plain english" into academic writing and tech manuals. Lets now start hammering it into managers.
Norman Cook's Ode to Sl
It would be great if it was accidentally a list of the actual top 6 secrets of those companies, and not a list of how they kept things secret.
Secret 1: the password is 1.. 2.. 3.. 4.. 5!
Company XYZ somewhere, reading list: "CRAP! That's the same combination we use for root!"
stuff |
The article, in the most polite way possible, slams IT types for disregarding security and not knowing how to properly interface with law enforcement personnel.
From my perspective, there is a real dichotomy between IT and Security. While I have encountered quite a few IT types who take the time to learn about security issues, it seems as if they involve completely different mindsets. IT personnel are technical support--they worry about connectivity and uptime and handling the clownishness of the users. Security types are usually a lot more paranoid and consider the needs of the users a secondary concern to the integrity of the assets.
The current model seems to be to hire a few security experts (and I use the term loosely--for every Eric Cole there probably 1000 clowns who read his book and considers himself just as good) to give recommendations and train the IT staff. I think the improvement in incident response and cleanup times is the result, but do you see that in terms of prevention we're not any better off?
Some kind of integrated approach is necessary, but I think it's a ways off.
Wow! This study is really worth its 6 millions.
If you don't know how to crack you don't know how to protect. Since teaching, learning, and sharing knowledge of how to crack is all but universally illegal now only criminals can be security experts. Lawmakers may pat themselves on the back - good job!
This whole security business is getting a little bit out of hand. You should definitly exercise reasonable care (like having a firewall well configured, use passwords not identical to the account and so on) but I know organizations that really went paranoid and are implementing the most ridiculos polycies (and making the environment very hard to work in because of that) and spent M$ on security consultants when the info they had is worth next to nothing or it is even public. This started to look a little bit like the Y2K craze. Kepp them scared and that way you keep the money flowing in.
http://ebgp.net/ccc/
The first of the six secrets in this article was to "Spend More" on security. Thats funny, because someone else told us that THe most Secure Companies Spend the Least. Which would suggest that the idea of throwing money at a problem isn't always the best solution.
The second secret, seperating your data security from your IT people, is a good idea only when your data security people are as competent at the regular IT people. Which is very rarely the case, because we tend to want our best talent our fixing the VP's PCs. What usually ends up happening is the company has to bring in an outside contractor to do what the data security people are not capable of, and the data security people become "go betweens" with them.
The other 4 "secrets" aren't really secrets but simply good practices in the fields of penetration testing, and documentation.
In our shop, our upper management are the worst offenders. We have a COO that demands his laptop be built to auto login to everything. He doesn't want to remember passwords. The few passwords he has to remember are like 1234 or ABCD.
Since senior management doesn't care, what makes them think that employees lower than them should?
This same COO had his email account hacked because of a poor password and blamed IT for not having enough controls in place.
I'm sure you can imagine my response.
Study Shows PHBs Are Security "Idiots"
"2. Separate information security from IT" - idiots! It's IT that understands this stuff. The answer is not to separate the security group from IT, the answer is to give IT the authority to make the tough lock-down decisions required to make the systems secure and force the business area to adhere to those guidelines. Users want to download everything, keep the same password for x years, or paste the password on their monitor - just in case they forget. The key is give IT the authority to lock-down users and prevent them from doing stupid things. Also, continually educate users on why security is so important. If your users take security seriously, the whole system flows better.
One final thought, why can't all passwords expire at the same time - and all contain the same restrictions? If a number is required in a password, and mixed case - then require that for all passwords so I can use the same one across the systems (mainframe, windows login, peoplesoft login). I'll still change them every 6-8 weeks, but make them all expire at the same time - much appreciated! :)
My group deploys custom solutions to customers all over the US, and we're regularly amazed at the customers variances in security. At one extreme are gov't facilities you would expect to be tight, and they're loose. On the other are mundane organizations where things are very tight. Amazingly, some of the private sector companies are the tightest.
The article made a recommendation for a Security Czar (my term) to be in charge of physical security as well as info security. In my experience, physical and data security mirror each other within a given facility. Those who are sensitive to the exposure of their data are typically those with the tightest security measures for employees.
However, in an odd twist, very few companies consider the physical security of the data servers. In other words, they worry about firewalls, proxy servers, and up-to-date AV protection, but leave the servers in a location that's physically accessible to people WITHIN their organization that shouldn't have access to it.
Very, very rarely does someone manage this right. One of the few exceptions was a VA hospital. Not the tightest security, but it was consistently applied in the physical access to the servers, the access to the building in general, and the measures taken for electronic protection and isolation of critical systems.
Tim
If you get involved in the right educational program you get all that and more, and Uncle Sam pays the bill.
In May I graduated from "Cyber-Corp", a Computer Science - Information Assurance master's degree (or undergrad if that's your thing) program that is funded by NSF. I took many full, real college credit classes (3 or 4 semester hours) on Penetration Testing, Systems Certification and Accreditation, Digital Forensics Secure Network Design and Implementation, Secure E-Commerce, the list goes on. And this isn't some wussy program, we also had compiler design (try building a recursive-descent Pascal compiler without lex or yacc, and you don't even get an LL1 grammar to start with) and a heavy concentration on formal proofs and methods (non-interfenence, DITSCAP). I also got all 5 DoD Information Assurance certificates (ISSO, Designated Approving Authority, etc) blessed by the NSA's INFOSEC training program.
Anyway, I got my MS for free so long as I work for the gov after graduation for a year and a half (which I do now), and about 80% of grads go to DoD and various intelligence agencies (NSA, CIA, FBI Forensics Lab, NIST, Commerce, etc). It's a fantastic program taught by some of brightest security minds in the country (at least at University of Tulsa, where I went, best school out of the 20 or so that do the program). Great stuff, check out the University of Tulsa Cyber-Corp page , I'm not sure what the national program's page is. Oh yeah, and they pay you a stipend to live on while you go to school, so no work. =)
With the first link, the chain is forged.