Slashdot Mirror
2004 Global Information Security Survey Results
jotok writes "CIO.com has released the results of its 2004 Global Information Security Survey, based on the responses of over 8,000 people in 62 countries, highlighting the Six Secrets of Highly Secure Organizations. The report indicates that security awareness and implementation are gradually improving, but also that information security is still not recieving the attention it requires--especially from management and IT personnel."
Sounds a lot like the two secrets of maintaining security.
1) Never tell anybody everything you know.
Who then is supposed to give a shit about information security if not management and IT? It's stuff like this that makes me very unsympathetic towards companies with virus problems.
"Ask not what your country can do for you." --John F. Kennedy
Seventh Secret: Most flaws occur thru "Gates" - Keep away from.
This is computer-generated and does not require a signature.
The article, in the most polite way possible, slams IT types for disregarding security and not knowing how to properly interface with law enforcement personnel.
From my perspective, there is a real dichotomy between IT and Security. While I have encountered quite a few IT types who take the time to learn about security issues, it seems as if they involve completely different mindsets. IT personnel are technical support--they worry about connectivity and uptime and handling the clownishness of the users. Security types are usually a lot more paranoid and consider the needs of the users a secondary concern to the integrity of the assets.
The current model seems to be to hire a few security experts (and I use the term loosely--for every Eric Cole there probably 1000 clowns who read his book and considers himself just as good) to give recommendations and train the IT staff. I think the improvement in incident response and cleanup times is the result, but do you see that in terms of prevention we're not any better off?
Some kind of integrated approach is necessary, but I think it's a ways off.
If you don't know how to crack you don't know how to protect. Since teaching, learning, and sharing knowledge of how to crack is all but universally illegal now only criminals can be security experts. Lawmakers may pat themselves on the back - good job!
The first of the six secrets in this article was to "Spend More" on security. Thats funny, because someone else told us that THe most Secure Companies Spend the Least. Which would suggest that the idea of throwing money at a problem isn't always the best solution.
The second secret, seperating your data security from your IT people, is a good idea only when your data security people are as competent at the regular IT people. Which is very rarely the case, because we tend to want our best talent our fixing the VP's PCs. What usually ends up happening is the company has to bring in an outside contractor to do what the data security people are not capable of, and the data security people become "go betweens" with them.
The other 4 "secrets" aren't really secrets but simply good practices in the fields of penetration testing, and documentation.
In our shop, our upper management are the worst offenders. We have a COO that demands his laptop be built to auto login to everything. He doesn't want to remember passwords. The few passwords he has to remember are like 1234 or ABCD.
Since senior management doesn't care, what makes them think that employees lower than them should?
This same COO had his email account hacked because of a poor password and blamed IT for not having enough controls in place.
I'm sure you can imagine my response.
Study Shows PHBs Are Security "Idiots"
My group deploys custom solutions to customers all over the US, and we're regularly amazed at the customers variances in security. At one extreme are gov't facilities you would expect to be tight, and they're loose. On the other are mundane organizations where things are very tight. Amazingly, some of the private sector companies are the tightest.
The article made a recommendation for a Security Czar (my term) to be in charge of physical security as well as info security. In my experience, physical and data security mirror each other within a given facility. Those who are sensitive to the exposure of their data are typically those with the tightest security measures for employees.
However, in an odd twist, very few companies consider the physical security of the data servers. In other words, they worry about firewalls, proxy servers, and up-to-date AV protection, but leave the servers in a location that's physically accessible to people WITHIN their organization that shouldn't have access to it.
Very, very rarely does someone manage this right. One of the few exceptions was a VA hospital. Not the tightest security, but it was consistently applied in the physical access to the servers, the access to the building in general, and the measures taken for electronic protection and isolation of critical systems.
Tim
Company XYZ somewhere, reading list: "CRAP! That's the same combination we use for root!"
That would be an improvement over reality: One facility run by a subcontractor has a database that processes 50K checks/day and generates checks in excess of $1 million/day.
Last time I checked, the database had no password on the administrator account.
Nobody was interested in changing this "because we are behind a firewall" and "there's no reason why anyone would look for us or could find us".
Thus, my sig;
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
And a firewall cannot help you when an employee plugs in a laptop with a virus they caught at home.... happened at my company more than once....