Slashdot Mirror


2004 Global Information Security Survey Results

jotok writes "CIO.com has released the results of its 2004 Global Information Security Survey, based on the responses of over 8,000 people in 62 countries, highlighting the Six Secrets of Highly Secure Organizations. The report indicates that security awareness and implementation are gradually improving, but also that information security is still not receiving the attention it requires--especially from management and IT personnel."


  1. Six Secrets of Highly Secure Organizations by Anonymous Coward · · Score: 4, Funny

    Sounds a lot like the two secrets of maintaining security.

    1) Never tell anybody everything you know.

  2. That's pretty sad! by goldspider · · Score: 4, Insightful
    "...but also that information security is still not receiving the attention it requires--especially from management and IT personnel."

    Who then is supposed to give a shit about information security if not management and IT? It's stuff like this that makes me very unsympathetic towards companies with virus problems.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:That's pretty sad! by lukewarmfusion · · Score: 4, Interesting

      Parent has a good point. Every company I've worked in has people who think, "It's not my problem." Management should be concerned about security protecting their business. IT personnel should be concerned about security because it keeps them in a job and makes life easier.

      We have so many cliches and maxims about this very concept, but they fall on deaf ears:

      Nobody seems to care about doing things the right way until they screw up because they were done poorly. Ounce of prevention and all that..

  3. there are actually seven by codefather · · Score: 4, Funny

    Seventh Secret: Most flaws occur thru "Gates" - Keep away from.

    --
    This is computer-generated and does not require a signature.
    1. Re:there are actually seven by stratjakt · · Score: 3, Insightful

      No, not at all.

      I'm explicitly advising not to run around thinking you know the first thing about running a secure server because you read slashdot every day.

      So many morons running linux powered websites incorrectly out there. While linux may not be a target for worms that just arbitrarily hit anyone, if someone actually targets the server, they can usually get root on it. These are the type of attacks you need to fear in business. Sasser wastes time and bandwidth, a dedicated hacker who's out to get you could ruin the business entirely.

      The warez "pub" scene is chock full of hacked proftpd servers. There are thousands of linux and BSD boxes pumping spam through open relays or misconfigured proxies.

      HL2's source code was stolen from a linux machine on a linux based network.

      Admins don't even bother to keep up with patches, or even read logs, because they read on slashdot that linux is just "magically secure" out of the box.

      At least MS is honest enough to admit there are problems and work towards fixing them.

      I'd rather worry about my system being insecure than falsely believe that it isn't. Security requires paranoia.

      --
      I don't need no instructions to know how to rock!!!!
  4. Arrgghh by Mateito · · Score: 3, Interesting

    We need a new "random generator" type page to produce book titles of the form:

    "The n secrets of highly keyword1 keyword2"

    Where

    n is an integer

    keyword1 is empowering adjective: effective, secure, world dominating, goatsecxing

    keyword2 is the empowered noun: organisations, individuals, dictatorships, tubgirls.

    Maybe then we'll escape this sort of crud. I am studying an MBA, there is a lot of useful stuff in it, but I am already sick of all the goddamn management speak used to obfuscate otherwise valid observations. It's taken years to get "plain english" into academic writing and tech manuals. Let's now start hammering it into managers.

  5. Top 6 secrets.. ha ha by 192939495969798999 · · Score: 3, Funny

    It would be great if it was accidentally a list of the actual top 6 secrets of those companies, and not a list of how they kept things secret.

    Secret 1: the password is 1.. 2.. 3.. 4.. 5!
    Company XYZ somewhere, reading list: "CRAP! That's the same combination we use for root!"

    --
    stuff |
    1. Re:Top 6 secrets.. ha ha by Spoing · · Score: 5, Interesting
      1. Secret 1: the password is 1.. 2.. 3.. 4.. 5!
        Company XYZ somewhere, reading list: "CRAP! That's the same combination we use for root!"

      That would be an improvement over reality: One facility run by a subcontractor has a database that processes 50K checks/day and generates checks in excess of $1 million/day.

      Last time I checked, the database had no password on the administrator account.

      Nobody was interested in changing this "because we are behind a firewall" and "there's no reason why anyone would look for us or could find us".

      Thus, my sig;

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    2. Re:Top 6 secrets.. ha ha by Satan+Dumpling · · Score: 4, Insightful

      And a firewall cannot help you when an employee plugs in a laptop with a virus they caught at home.... happened at my company more than once....

  6. Clarification by jotok · · Score: 5, Insightful

    The article, in the most polite way possible, slams IT types for disregarding security and not knowing how to properly interface with law enforcement personnel.

    From my perspective, there is a real dichotomy between IT and Security. While I have encountered quite a few IT types who take the time to learn about security issues, it seems as if they involve completely different mindsets. IT personnel are technical support--they worry about connectivity and uptime and handling the clownishness of the users. Security types are usually a lot more paranoid and consider the needs of the users a secondary concern to the integrity of the assets.

    The current model seems to be to hire a few security experts (and I use the term loosely--for every Eric Cole there are probably 1000 clowns who read his book and consider themselves just as good) to give recommendations and train the IT staff. I think the improvement in incident response and cleanup times is the result, but do you see that in terms of prevention we're not any better off?

    Some kind of integrated approach is necessary, but I think it's a ways off.

  7. Security rule #1 by ceeam · · Score: 4, Insightful

    If you don't know how to crack you don't know how to protect. Since teaching, learning, and sharing knowledge of how to crack is all but universally illegal now only criminals can be security experts. Lawmakers may pat themselves on the back - good job!

  8. exaggerated by IAR80 · · Score: 3, Insightful

    This whole security business is getting a little bit out of hand. You should definitely exercise reasonable care (like having a firewall well configured, use passwords not identical to the account and so on) but I know organizations that really went paranoid and are implementing the most ridiculous policies (and making the environment very hard to work in because of that) and spent M$ on security consultants when the info they had is worth next to nothing or it is even public. This started to look a little bit like the Y2K craze. Keep them scared and that way you keep the money flowing in.

    --
    http://ebgp.net/ccc/
  9. The Six Secrets by nharmon · · Score: 4, Insightful

    The first of the six secrets in this article was to "Spend More" on security. That's funny, because someone else told us that The most Secure Companies Spend the Least. Which would suggest that the idea of throwing money at a problem isn't always the best solution.

    The second secret, separating your data security from your IT people, is a good idea only when your data security people are as competent as the regular IT people. Which is very rarely the case, because we tend to want our best talent out fixing the VP's PCs. What usually ends up happening is the company has to bring in an outside contractor to do what the data security people are not capable of, and the data security people become "go betweens" with them.

    The other 4 "secrets" aren't really secrets but simply good practices in the fields of penetration testing, and documentation.

  10. Re:Sad state of affairs in IT security. by jokach · · Score: 5, Insightful

    In our shop, our upper management are the worst offenders. We have a COO that demands his laptop be built to auto login to everything. He doesn't want to remember passwords. The few passwords he has to remember are like 1234 or ABCD.

    Since senior management doesn't care, what makes them think that employees lower than them should?

    This same COO had his email account hacked because of a poor password and blamed IT for not having enough controls in place.

    I'm sure you can imagine my response.

  11. revealing study of what CIOs are REALLY like by nusratt · · Score: 4, Insightful
  12. No surprises by TimTheFoolMan · · Score: 4, Interesting

    My group deploys custom solutions to customers all over the US, and we're regularly amazed at the customers' variances in security. At one extreme are gov't facilities you would expect to be tight, and they're loose. On the other are mundane organizations where things are very tight. Amazingly, some of the private sector companies are the tightest.

    The article made a recommendation for a Security Czar (my term) to be in charge of physical security as well as info security. In my experience, physical and data security mirror each other within a given facility. Those who are sensitive to the exposure of their data are typically those with the tightest security measures for employees.

    However, in an odd twist, very few companies consider the physical security of the data servers. In other words, they worry about firewalls, proxy servers, and up-to-date AV protection, but leave the servers in a location that's physically accessible to people WITHIN their organization that shouldn't have access to it.

    Very, very rarely does someone manage this right. One of the few exceptions was a VA hospital. Not the tightest security, but it was consistently applied in the physical access to the servers, the access to the building in general, and the measures taken for electronic protection and isolation of critical systems.

    Tim