The Failure of Information Security
Noam Eppel writes to share a recent editorial regarding the current state of information security. From the article: "It is time to admit what many security professionals already know: We as security professionals are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."
We as security professionals are drastically failing ourselves, our community and the people we are meant to protect.
This is quite harsh. While it is true that more could be done, it is also true that it is thanks to security professionals that things are not as bad as they could be. Yeah, Norton and McAfee are doing their best to scare consumers into buying software that provides ridiculous security. But this is not what we mean by "professionals".
Also, I am not a "security professional" but I have done my fair share of configuring and securing other people's computers; sometimes they might have been compromised anyway, but if I had done nothing, many more systems would have been in danger.
The article lists a long series of threats that endanger our systems every day - but I fail to see how they are related to security professionals not doing their job. I'd rather blame the criminals.
Global warming is a cube.
I've read the article and while it's a very informative collection of statistics, I don't believe that Security Professionals are responsible for many of the "Security Failures" listed, nor can they fix the problems. Security Consultants already know most of this stuff and can say what they like to a business, but they do not make the final decision. The holes are in the OS's and the platforms businesses choose and generally the priority isn't security - it's usability, ROI, cost, etc.
Another point: What are we comparing this to anyway? What I mean is, "bad security" compared to what? How many millions of attempts at compromising security are foiled vs those that get through? The times when businesses actually follow what a security consultant recommends, I guarantee they become a hell of a lot more secure than those that don't.
"Who says nothing is impossible? Some people do it every day!" - Alfred E. Neuman
The management level corporate posture towards IT security goes like this:
- We want to have our machines and network secure as long as it doesn't cause too much hassle to people and we don't pay a lot for it.
In other words, forget about big hardware changes, forget about changing the OS/E-mail client/Word editor/Web browser on the desktops of the staff, forget about getting all laptop users in their own sub-network and forget about retraining our staff to use computers in a way that helps improve our IT security. Oh, and by the way, if the CEO or some other VIP has some funky new program on his laptop that can't connect to the Net, just open those ports in the firewall.
And now IT Security professionals are to blame?
What's next? Maybe the cleaning lady at Enron was the one responsible for defrauding the investors????
I usually don't post but this article is really too much.
In other news, firefighters KEEP fighting fires worldwide! Despite their work, fires seem to keep burning stuff all over the world! Shock!
News at 11! Ambulance personnel and hospital staff are fighting an uphill battle! Patients keep coming in! Where does it end?
Seriously, as long as you have people using any mechanism (computer/car/whatever) there will be people who break it, people who benefit from breaking it and people who try their utmost to KEEP it from breaking.
I'm *really* looking forward to the followup article which will tell us all how to "fix" this. Mayhaps a rant on buffer overflows? the virtues of "safe" languages? sane input validation? sigh.
Seriously, I'm asking. :-)
Here's what my wife and I have been doing. We both have computers, and we use them for very different things. Mine is games, programming, internet, and my wife's is for CAD, Photoshop, internet.
They're both pretty much set up the same, other than the OS. My wife's runs Windows 2000 and mine runs XP. Both are connected to the Internet via a Linksys wired router. Both run Firefox only as the web browser. The Windows 2000 box runs ZoneAlarm as the firewall, and mine runs Windows firewall. We both use GMail as our email tool.
Other than that, there isn't much security software installed. I don't even have an anti-virus.
I am pretty diligent at applying patches however. Firefox and ZoneAlarm both notify me when a patch is available, so I apply them when they pop up. I run Windows update weekly. I also have Adaware and Spybot Search and Destroy that I run weekly as well. Other than the usual ad cookie (Double-Click, etc), they've yet to discover something.
The only problem I've had with machines is with a bit of spyware that got installed. It was one of my wife's first online experiences, and she clicked on something she shouldn't have, AND she was running IE. I ended up reinstalling the OS, and after a very short Firefox tutorial, it was the end of spyware on her computer.
(As an amusing side effect, she's now become quite the advocate for secure online habits and for Firefox. Most of her family and friends are all Firefox users now. Can we get a free T-Shirt :-) ).
So what's the problem? Is it bad habits, or is it really that bad out there?
Phemur