Slashdot Mirror


How To Suck At Information Security

wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with a total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.

198 comments

  1. First things first by NotPeteMcCabe · · Score: 5, Funny

    "Now if I could only find a way to get management to read it."

    I'm sure if you ask them to, they will.

    1. Re:First things first by DeadDecoy · · Score: 0

      Meh, depends on how busy they are. Some people you really have to hound until they get it done. Sometimes to an extent that reading the damn security protocol is less of a hassle than picking up your messages. : )

    2. Re:First things first by syousef · · Score: 5, Funny

      I'm sure if you ask them to, they will.

      I'm getting a mental image of a boardroom full of executives forced to read the policy out loud at gunpoint by a sysadmin that's gone postal and insists no one will get hurt if they just read the whole thing.

      --
      These posts express my own personal views, not those of my employer
    3. Re:First things first by Opportunist · · Score: 5, Funny

      Here's a sample dialog of how this will probably go down. A few words may be off, but in general, this is how it usually runs:

      IT-Security guy: Here, please read these guidelines.
      Manager: Why? What's that?
      ITS: Security guidelines and rules to increase our security performance.
      M: Hand it to my secretary.
      ITS: It's critical that everyone reads them, knows about them and adheres...
      M: I said, hand it to my secretary!
      ITS: But you, too, have to...
      M: I have to go to a meeting now.

      Goes off to play golf with a business buddy and leaves his laptop in his convertible where it's stolen...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:First things first by Anonymous Coward · · Score: 0

      The image that conjured in my head is pure gold just on its own already.

      Speaking of statements that need to be skit-ified.

    5. Re:First things first by owlnation · · Score: 2, Funny

      "Now if I could only find a way to get management to read it."

      Pictures and bullet points. That's your way in. We all know management can't read.

    6. Re:First things first by Anonymous Coward · · Score: 0

      Gone postal? What do you mean? This seems like a perfectly reasonable way to get people to read security -- or pretty much any -- guidelines.

    7. Re:First things first by Anonymous Coward · · Score: 0

      You mean like that nutcase felon in San Francisco last year?

      Nerd rage isn't a laughing matter.

    8. Re:First things first by RobertLTux · · Score: 1

      and if that doesn't work

      naked pictures and pointed bullets

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    9. Re:First things first by Anonymous Coward · · Score: 0

      >"Now if I could only find a way to get management to read it."

      Here's how: You get a Director to tell them that until they sign off on their acceptance of the policy, they have no access to any network, no authority to use any computer for any purpose, won't have badge access to the building, not even access to the payroll system, etc.

      They will sign.

      If you don't have such a Director on board with your policy, you don't have a policy.

    10. Re:First things first by fishbowl · · Score: 5, Insightful

      So why is a person who lacks authority expecting to assert authority? This is always the part that confuses me. Authority does not come from below, and it's that simple. Get authority (promotion, getting an authoritative position in the first place, etc.) or start a business. But don't expect, *ever*, to have anyone follow your orders if you aren't in a position to decrease or eliminate their paycheck. And don't act like this is hard to understand, because it isn't.

      --
      -fb Everything not expressly forbidden is now mandatory.
    11. Re:First things first by Stormwatch · · Score: 4, Insightful

      Indeed! A boss, act rationally according to the information presented, rather than act according to ranks in the ape troop hierarchy? INCONCEIVABLE!

    12. Re:First things first by Anonymous Coward · · Score: 0

      The authority is often delegated to the IT worker drone by someone who does have the authority, such as a CIO.

    13. Re:First things first by colinrichardday · · Score: 1

      What authority does the CIO have over someone not in IT?

    14. Re:First things first by Anonymous Coward · · Score: 0

      What authority does the CIO have over someone not in IT?

      The ear of the CEO. It's healthy for one's career to be on friendly/good terms with a C class. At the very least don't go out of your way to piss one off, they might be friends with the C class in charge of you since grade school.

    15. Re:First things first by V!NCENT · · Score: 3, Informative

      Indeed! A team of IT admins should just lay down a system that doesn't allow it to be used otherwise. Just encrypt all information on any device and computer and give the boss the password on a piece of paper. Make sure all newly bought IT devices pass through the IT department before they get into anyone's hands in order to 'prepare all technology for safe and secure use'. Take care of the rest of all the problems the same way. Now get some superior/boss to allow you to set up an IT helpdesk 'in order to increase efficiency and security and speed up the problem solving process'. After that's done you'll inform the IT helpdesk personnel of everything they need to know on how to 'help users in fixing computer issues' *cough*how to change their password so they can login again after four months*cough*.

      If you feel so smart and intelligent then find a smart and intelligent way of dealing with 'dumb' issues.

      --
      Here be signatures
    16. Re:First things first by Anonymous Coward · · Score: 0

      Short double barreled shotgun and four minions with sledgehammers. Have your minions the existing IT boron into paste. While the duct taped and zip tied corprats watch. Then cut off a finger for each talking point in your lecture. Then start with the eyes.

      They will not ever forget.

    17. Re:First things first by dannycim · · Score: 2, Insightful

      ...Just encrypt all information on any device and computer and give the boss the password on a piece of paper...

      And he'll promptly stuff that piece of paper in his laptop bag only to be stolen at the next airport.

      People are insecure.

    18. Re:First things first by ta+bu+shi+da+yu · · Score: 1

      Before or after he reads the comments that weren't correctly de-escaped?

      For a security authority, you'd think SANS would know they escape their quotes and handle this when it outputs the comment to readers.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    19. Re:First things first by Gazzonyx · · Score: 0, Offtopic

      Does this story take place in San Francisco, perchance?
      if you missed the obscure reference to Terry Childs

      --

      If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    20. Re:First things first by Epistax · · Score: 3, Interesting

      That doesn't make sense. Unless the tech guy is above the pay guy, the pay guy should not listen to the tech's security advice, and unless the pay guy is above the tech guy, the tech guy should not listen to the pay guy's advice on how to fill out time sheets? Expertise = authority. Power to fire might appear to be authority, but it isn't. All having power means is that you expect respect. I've never had a problem telling a boss when they are wrong, but you can be sure I'm nice about it.

    21. Re:First things first by Anonymous Coward · · Score: 0

      Right. Precisely the kind of elitist attitude that accompanies the 'problem child' leaders that embody the described issue.

      So find a way to point out to them, that by not following your orders, these three groups will 'decrease or eliminate' the leader's paycheck.

      Clients
      Board of Directors
      Government

      Have a company-wide meeting for the powerpoint, make sure everyone's there. Maybe a five-minute spiel just before the Christmas party.

    22. Re:First things first by nine-times · · Score: 1

      The problem here is that, just because you don't have the authority to tell your boss to do something, that doesn't mean that you won't be held responsible. It's not fair, and it's not sensible, but it's true.

      Unfortunately, a lot of people don't understand the problems that come from separating authority and responsibility.

    23. Re:First things first by Opportunist · · Score: 3, Insightful

      That's in a nutshell what is the problem here. You get hired as CISO only to find out that your spiffy CISO title means jack. I mean, besides getting the blame shifted on you, and you alone, when (not if, when) hell breaks loose.

      If you want security, give your CISO the ability to enforce it. Else you're just looking for a scapegoat, and you could get that kind of person cheaper than for my salary. Besides, I won't sit and wait until it happens. Implement my rules and I take the blame if they fail. Then I fucked up and should be responsible for it. Or ignore my rules and I won't take responsibility for anything. It's simple as that. But if you're only looking for the latter, take a trip to the unemployment office and get the first idiot that crosses your way. He's cheaper than me, and if you don't follow the security guidelines I lay out, he's pretty much as good as me. Just way cheaper.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    24. Re:First things first by Opportunist · · Score: 1

      Whether or not telling a boss is a problem mainly depends on your ability to communicate (not only how but also when, it's NOT a good idea to tell your boss he's a tool when he's in a conference with customers) and also the boss' ability to deal with criticism.

      You'd be surprised how many superiors take criticism of people they consider "beneath" them very poorly. Interestingly enough it never happened to me in the IT field (usually IT people know that they don't know everything and that there is always someone who has more experience in a certain field), but when dealing with commerce people you can run into a few brickheads that will take it like a personal insult when you gently and privately point out that they might have missed a substantial problem.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    25. Re:First things first by Opportunist · · Score: 1

      You can have authority by proxy. I may not be able to fire someone who ignores security standards permanently, but I can inform someone who can fire him about the problem. If this person with authority acts accordingly (either gets the offending person to heed security standards or fires him), there is no problem.

      A problem arises if the authority person considers the problem insignificant and ignores it, yet holds you responsible when (not if, I know, I repeat myself, but it's prone to happen eventually) a security problem arises due to this security leak.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    26. Re:First things first by wisty · · Score: 2, Interesting

      If you don't have authority over people, you can just lock the children down. That's annoying when people have work to do, but IT won't let anything happen.

      My favorite point in the article was "Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles."

      The IT in my shop refuses to let devs install programs (any programs) because the whole network is a production system. It can take weeks to get an SDK installed, because some IT admin has to get around to installing it. Could the devs get a dev network? Nah, it's easier to keep them working with access to the production network - which needs to be locked down because it is mission critical ... bastards.

    27. Re:First things first by _Sprocket_ · · Score: 4, Funny

      So why is a person who lacks authority expecting to assert authority? This is always the part that confuses me.

      It's quite simple, really. If you let those security guys have authority, they start to abuse it. Next thing you know, they're making you change your password, taking away your Bonzai Buddy, and interfering with your opportunities to see hot naked celebrity pics.

    28. Re:First things first by Anonymous Coward · · Score: 0

      Memorize, not just read...

    29. Re:First things first by ImABanker · · Score: 1

      As an incompetent user of these systems, I am proud that my obstinacy and refusal to learn anything has led to IT best practices bending to me, rather than the other way around.

    30. Re:First things first by Anonymous Coward · · Score: 0

      I used to be the sysadmin for a high school, and I noticed that directly. Teachers violated every security best practice out there, and the principal's main goal was to keep the teachers "happy", which meant zero disciplining. I got laughed off the stage [literally] at a faculty meeting for discussing security. One teacher continuously complained to the principal because she had to hit Ctrl+Alt+Del every morning and type in her password.

      Could the principal have eliminated their paychecks by having them fired? Yes. He could simply gather documentation, present it to the school board, and they'd be gone. Documentation of refusal to follow security procedures, especially over student and grade confidentiality, could easily be a terminable offense.

      Expect a principal to actually do this? Of course not.

    31. Re:First things first by Trailwalker · · Score: 1

      Authority does not come from below

      Authority comes from anyone who is able, knowledgeable and willing to coerce and browbeat the incompetents he "reports" to.

      You get all the authority you are willing to assume and fight for.

      It helps if you enjoy torturing PHBs.

    32. Re:First things first by centuren · · Score: 3, Insightful

      Re-title your executive security memo to something along the lines of "Avoiding personal liability concerning security breaches through executive negligence." If an executive isn't interested in security measures, he or she (like a corporation as a whole) will be more likely to pay attention to what measures are needed to cover his or her own ass in the case of a breach.

    33. Re:First things first by Asic+Eng · · Score: 1

      I asked my boss to read it. He said: "What do you want? We are doing all these things already."

    34. Re:First things first by Viree · · Score: 1

      I'm sure if you ask them to, they will.

      I'm getting a mental image of a boardroom full of executives forced to read the policy out loud at gunpoint by a sysadmin that's gone postal and insists no one will get hurt if they just read the whole thing.

      Don't you think something is wrong here with the policy if no one is able to read through it, let alone embrace the policy it is trying to convey? I have long ago given up the idea that company executives might be interested in reading any documents longer than 5 lines.

      If the purpose is to raise awareness, instead of a long-winded policy document which spans over 150 pages and 10 appendices, why not just create a series of short, to-the-point, funny (and witty) messages to be made available for reading while on the go?

      I personally find posters with information security messages work best in areas like pantries, lifts, and yes, even washrooms.

    35. Re:First things first by Tom · · Score: 1

      I'm sure if you ask them to, they will.

      With management, it's not what is being asked, but who is asking.

      So get the CEO on your side. Have him send out the policy with a friendly request to please read it and a just as friendly notice that he expects everyone to know these rules by next week.

      Management will read it.

      If not, you need a new CEO.

      --
      Assorted stuff I do sometimes: Lemuria.org
    36. Re:First things first by hesiod · · Score: 1

      You get a Director to tell them that until they sign off on their acceptance of the policy, they have no access to [anything]

      That worked here to a certain extent, but I guarantee many of the people still didn't read it except just to find the part where they sign their name so they can get back to playing Bejeweled.

  2. Typo? by Jack9 · · Score: 2, Informative

    Security:

    * Focus on widgets, while omitting to consider the importance of maintaining accountability.

    Can someone clarify?

    --

    Often wrong but never in doubt.
    I am Jack9.
    Everyone knows me.
    1. Re:Typo? by Anonymous Coward · · Score: 0

      Security:

      * Focus on widgets, while omitting to consider the importance of maintaining accountability.

      Can someone clarify?

      You are your widget's keeper. Alles klar, Herr Kommissar?

    2. Re:Typo? by cromar · · Score: 1

      Don't turn around!

    3. Re:Typo? by mpapet · · Score: 5, Informative

      * Focus on widgets, while omitting to consider the importance of maintaining accountability.

      This basically means having lots of things for admins to click on and make reports with. None of which actually improve security. IE7's "security" features and Microsoft's UAC are two good examples.

      --
      http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    4. Re:Typo? by Gazzonyx · · Score: 4, Interesting

      If I'm reading it correctly, they mean;
      "Seeking a non-existent silver bullet (shiny object syndrome) while not considering that part of the solution is to follow known good practices".

      --

      If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    5. Re:Typo? by Opportunist · · Score: 4, Insightful

      Basically it means "not realizing that security is the minimum of the security of the system and the security of the staff".

      Managers want to buy security. I've seen it time and again. They want a box from you, a piece of software, something they can plug in and be secure. It is usually incredibly hard to explain to them that security isn't just making the system secure but also to increase security awareness of their staff (and their own too!) because they have to have allowed access to the system, and if they are not security conscious, this legal access to the system can be used to gain illegal access.

      Security is the minimum of system and personnel ability. The minimum. Not the average. A system that allows perfect security is worthless if used by people who open up holes in that security. Likewise, the best security people cannot lock down a system that by its very design is prone to security holes.

      And when you finally got that into their skulls, try to explain that security is not a product but a process because the requirements to stay secure once you reach a secure level change pretty quickly.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Typo? by anon+mouse-cow-aard · · Score: 4, Insightful

      how many meetings have I been in where someone would say... "why bother configuring a router as a firewall, just get a Cisco PIX and it's all set for you..." -- folks who think the device will give you security regardless of how it is used. We need an IDS, an IPS, a web-filter, a layer 7 filter, in-line, out-of-band, etc... meanwhile the entire corporate network is flat, wireless is bridged into the copper nets on many sites, and folks are using 'drowssap' to secure half the accounts, and systems are two or three years behind current patch levels. It doesn't matter what stuff you buy if you don't know what you are doing, and don't follow through on the basics first.

    7. Re:Typo? by cbiltcliffe · · Score: 1

      Woh, oh, oh!

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    8. Re:Typo? by quanticle · · Score: 1

      In other words, "All the antivirus, firewalls, and intrusion detection systems in the world won't help, if you don't hold your users (and your admins) accountable for their actions."

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    9. Re:Typo? by jonaskoelker · · Score: 3, Funny

      a layer 7 filter

      At my job, I'd like to have a layer 8 filter...

    10. Re:Typo? by Idiomatick · · Score: 1

      That was weird seeing my password come up like that. I mean............ what kind of idiot would set his password to drowssap!

    11. Re:Typo? by Anonymous Coward · · Score: 0

      In Soviet Russia, layer 7 filters you!

  3. well.. by Anonymous Coward · · Score: 3, Funny

    First you make your lips like a doughnut then you use your cheek muscles to pull inward. It helps to have a lot of spit. And don't be afraid to take as much as you can. Push your limits.

    1. Re:well.. by Anonymous Coward · · Score: 1, Funny

      I'm an IT director, and I approve this message.

      Except for that last sentence.

    2. Re:well.. by couchslug · · Score: 2, Funny

      "First you make your lips like a doughnut then you use your cheek muscles to pull inward. It helps to have a lot of spit. And don't be afraid to take as much as you can. Push your limits."

      I'll get with HR about creating a position, but you're SO hired!
      If you bring a resume, make sure it's absorbent.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  4. Find a way to get management to read it... by Anonymous Coward · · Score: 1, Funny

    Just wait for the How To Suck At Information Security For Dummies edition.

    1. Re:Find a way to get management to read it... by Opportunist · · Score: 1

      Rather, wait for the "Security for Power Users" edition. You don't think an exec would willingly put a "for dummies" book on his desk or, worse, onto his shelf where someone might see it?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Find a way to get management to read it... by TaoPhoenix · · Score: 1

      Actually, they do.

      It's a new kind of "hip prop", saying "haha, look at me I'm old because I've been too busy cutting deals to go to school for this stuff..."

      --
      My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    3. Re:Find a way to get management to read it... by Opportunist · · Score: 1

      That new kind of exec didn't make it to my part of the planet yet. Here, every manager is too busy looking smart to actually learn anything.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Hey, that's OUR corporate policy !!1! by Gothmolly · · Score: 5, Interesting

    I work for $LARGE_US_BANK and our Infosuck guys do exactly all these things. Manage by magazine article, hire 'architects' who think portscanning is the same as pen-testing, and come up with policy upon policy that tries to limit what people can do - it does by mostly limiting the work people can do.

    This thing nails it.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Hey, that's OUR corporate policy !!1! by Anonymous Coward · · Score: 1, Funny

      Gothmolly wrote:

      I work for $LARGE_US_BANK

      Not for much longer...

    2. Re:Hey, that's OUR corporate policy !!1! by commodoresloat · · Score: 2, Funny

      I hate that bank!! I lost $A_LOTTA_FUCKIN_MONEY in one of their ATM machines...

    3. Re:Hey, that's OUR corporate policy !!1! by sholsinger · · Score: 5, Interesting

      I work for $LARGE_US_DEFENSE_INSTALLATION where the policies are in place, nobody follows them, and the 2 guys that are in charge of risk and infosec are so overloaded with "password reset" requests that they can't even look at the performance of those policies. Furthermore, if they wanted to change something, they'd have to wait for a bi-weekly configuration control board meeting, where the four other division chiefs would quickly shut down any project they propose because it would be too much work, and their people already have too much on their plates, etc... you name it. It's happening there.

    4. Re:Hey, that's OUR corporate policy !!1! by Anonymous Coward · · Score: 0

      That was a slot machine, you imbecile!

  6. How to suck? by ScrewMaster · · Score: 1

    Just work for the bank that holds my mortgage. Believe me, they suck when it comes to security.

    --
    The higher the technology, the sharper that two-edged sword.
  7. Let people make their password "password" by kbrasee · · Score: 3, Funny

    I know a guy who worked at a place where the system saved passwords as plaintext. So I guess that's the first mistake. He did a query, and 75% of the passwords were in fact "password".

    1. Re:Let people make their password "password" by painehope · · Score: 4, Interesting

      I once wrote a program that did a weekly dictionary attack (using a standard *nix cracking utility) on the site's passwd file, and then sent out a notice (containing the password, so that it *had* to be changed) to the offending users and the head of IT (I was in another department, but had root access since I ran the majority of the gear).

      Needless to say, it didn't make me very popular. But it sure as fuck made my point, both to management and to the users.

      --
      PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
    2. Re:Let people make their password "password" by SirLurksAlot · · Score: 3, Interesting

      I'm surprised they didn't fire you after the first time. Most management types would see that as a threat and a violation of their security policy rather than a dedicated employee trying to make a point about security.

      --
      God, schmod. I want my monkey man!
    3. Re:Let people make their password "password" by sakdoctor · · Score: 2, Funny

      Hey! That's MY password you insensitive clod.
      Well, now that you all know, I won't be held responsible for any trolling done on my account.

    4. Re:Let people make their password "password" by kbrasee · · Score: 1

      I had a professor who ran a dictionary attack against all his students' accounts (just a dictionary attack + common mods, not a full bruteforce). We had to change it if it got cracked, and a lot of them did.

    5. Re:Let people make their password "password" by MoonBuggy · · Score: 4, Insightful

      The problem with many password rules is that you're often trading a moderately difficult technical attack for a fairly simple social attack.

      It doesn't matter that your users have to choose a password that'd take 10^15 years to crack if 90% of them then have to keep it written on a post-it stuck to their monitor just to remember how to log in every morning.

    6. Re:Let people make their password "password" by Opportunist · · Score: 4, Interesting

      Funny that you mention it, I did the same when I was working for a company that, let's say, should be very security conscious. No hour after I sent out those letters (I was the IT department head, so there wasn't anyone but the respective users to mail to) I was called upstairs and my boss (who apparently got one of the mails as well, I don't know, it was automated and I wrote it so that only the system and the person with the insecure password knew that their password was easily hackable) told me in very unmistakable terms that I will be fired if I try to hack our own system again.

      Trying to explain that it is in my job description to ensure corporate security and that insecure passwords are a severe security risk did not help. He wanted security to be comfortable and nothing to worry about, and certainly not something that would require him to have anything to do with it.

      I handed in my 2 weeks notice the very same day. It was a very well paying job, but I somehow felt that I will be fired eventually anyway when (not if) the company has to deal with a security breach. It did happen to my replacement no year later, and I guess it doesn't look good on your resume if you're dealing in IT security and have to admit you were fired for a severe security breach.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Let people make their password "password" by Larryish · · Score: 1

      The information was likely passed on to him by a user.

    8. Re:Let people make their password "password" by painehope · · Score: 1

      They didn't have any authority over me. I ran their clusters (data processing dept.), whereas IT was a separate department. Besides, I think a lot of people in IT were glad I did it. They didn't have any kind of password security policy, so people would make their passwords all kinds of silly shit, like their favorite color.

      --
      PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
    9. Re:Let people make their password "password" by painehope · · Score: 2, Interesting

      It's pretty easy to write a dictionary generator in perl if you have a good dictionary file to start with. Just take the original, perform however many permutations on it that you'd like, and output to generate a fairly comprehensive dictionary.

      --
      PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
    10. Re:Let people make their password "password" by painehope · · Score: 1

      Amen, brother, amen.

      That's why I pick a phrase that I remember (like "goingtohellanyways"), do alphanumeric substitution on it, and then shift a character or two around. That way you just need to remember the phrase, the substitution is automatic, and then an association of the numbers with the phrase (like "hey, it has four words in it, let's just shift every fourth character around").

      The fact that I can remember this for multiple accounts at once just indicates how obsessive I am. Or neurotic.

      --
      PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
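The weekly password audit painehope describes in post 1, the permuted-dictionary generator in post 9, and the substitution scheme in post 10 all turn on the same idea: a cracker's wordlist is a dictionary plus cheap mutations (case changes, "leet" substitutions, appended digits, reversal), so a defender can apply the same expansion at password-set time and refuse anything it produces, the way cracklib-style checks do. The block below is an added example written for this page; it is not painehope's program, nor anything from SANS or Slashdot. The five-word dictionary, the substitution table and the suffix list are constructed for illustration, and `weak_reason` is a hypothetical name. It goes slightly beyond the posts by also normalizing a candidate (undoing substitutions and stripping a trailing suffix) so that it catches mutations the enumerated list did not happen to include.

```python
"""Weak-password checker: rejects dictionary words and their common mutations."""
import itertools
import re

# Constructed toy dictionary; a real checker would load a full wordlist.
BASE_WORDS = {"password", "welcome", "dragon", "monkey", "letmein"}

# Alphanumeric "leet" substitutions of the kind described in the thread.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
UNLEET = {v: k for k, v in LEET.items()}

# Suffixes users commonly bolt on to satisfy "must contain a digit" rules (constructed).
SUFFIXES = ("", "1", "12", "123", "!", "1!", "2008", "2009")


def leet_variants(word):
    """Yield the word with every combination of LEET substitutions applied."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for n in range(len(positions) + 1):
        for subset in itertools.combinations(positions, n):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def mutations(word):
    """Expand one dictionary word into the candidates a cracker would try first."""
    out = set()
    for cased in (word, word.capitalize(), word.upper()):
        for variant in leet_variants(cased):
            for suffix in SUFFIXES:
                out.add(variant + suffix)
            out.add(variant[::-1])  # reversed, e.g. "drowssap"
    return out


def build_weak_set(words=BASE_WORDS):
    """Precompute the full mutated wordlist (the 'generated dictionary')."""
    weak = set()
    for w in words:
        weak |= mutations(w)
    return weak


WEAK = build_weak_set()


def normalize(candidate):
    """Undo the cheap tricks: strip a trailing digit/punctuation suffix,
    reverse the leet substitutions, lowercase."""
    stripped = re.sub(r"[\d!@#$%^&*]+$", "", candidate)
    return "".join(UNLEET.get(ch, ch) for ch in stripped).lower()


def weak_reason(candidate, words=BASE_WORDS, weak=WEAK):
    """Return None if the password passes, else a short reason it was rejected."""
    if len(candidate) < 8:
        return "too short"
    if candidate in weak:
        return "matches generated wordlist"
    norm = normalize(candidate)
    if norm in words or norm[::-1] in words:
        return "dictionary word after undoing substitutions"
    return None


if __name__ == "__main__":
    for pw in ("P455w0rd!", "drowssap", "Dragon2008", "w3lc0me1234", "correct-horse-battery"):
        print(f"{pw!r}: {weak_reason(pw) or 'ok'}")
```

Two design points are worth noting. The precomputed `WEAK` set is exactly what a permuted dictionary looks like, and it grows multiplicatively (cases x substitution combinations x suffixes) per base word, which is why generators of the sort painehope mentions produce large files from modest wordlists. The `normalize` path is the cheaper defensive inverse: rather than enumerating every mutation, strip the suffix and undo the substitutions, then do one dictionary lookup, which also catches variants (a different suffix, a different year) that the enumerated list never contained.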
    11. Re:Let people make their password "password" by painehope · · Score: 1

      Hell, I did it just for fun.

      But, then again, I didn't report to the people that would have potentially been pissed off (PHB's in IT), so the worst they could do was complain to my manager (who would have laughed them out of his office, he had the same ideas about security that I did).

      --
      PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
    12. Re:Let people make their password "password" by painehope · · Score: 1

But, come to think of it, I did almost get canned from one job after being told to clean up a /home volume and implementing a script that sent warnings if a user had files of set X or used N amount of disk space (N = total/users).

      And for a similar reason...the bosses were the ones using up all the shared disk space with presentations and other bullshit that they could have easily put somewhere else. Yeah, the same bosses who told me to make sure the disk space was available for job data that needed to be shared amongst users.

      --
      PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
    13. Re:Let people make their password "password" by jonaskoelker · · Score: 2, Insightful

      It doesn't matter [...] if 90% of them then have to keep it written on a post-it

      Actually, writing down your passwords and sticking the note in your wallet is not a bad idea. The only reason the post-it solution is bad is because it's on your monitor where it's open to abuse.

    14. Re:Let people make their password "password" by jjohnson · · Score: 1

      FYI, "no" is not a synonym for "one" (or any other number).

      --
      Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
    15. Re:Let people make their password "password" by Opportunist · · Score: 1

      Thank you for the information. I guess my native language managed to influence my English again, I'll try to improve.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    16. Re:Let people make their password "password" by Anonymous Coward · · Score: 0

      HAHAHA DISREGARD THAT, I SUCK COCKS

      Getting around the lameness filter by saying this would be a lot better if I was logged in as him.

    17. Re:Let people make their password "password" by slash.duncan · · Score: 1

      If English is indeed a second language for you, perhaps this will help, as if I'm not mistaken it's the English direct parallel for what you intended.

      "Not an hour later... Not a year later"

      "Not a(n)" is commonly used to mean "less than a(n)", so "Less than an hour later... Less than a year later", which was the interpretation I took as it seemed to make sense in context.

      Hope it's helpful. FWIW you're way ahead of me, as other than a few words here and there I only know English. But most of my life I've lived where English was a second language for far more than it was their first, and I've learned to appreciate and relish the differences both in accent and in way of thought. How boring life would be without that!

      Anyway, if you'd like, let me know if I was right in how I read that, and if the explanation helped.

      --
      Duncan
      "Every nonfree program has a lord, a master,
      and if you use the program, he is your master."
      R Stallman
    18. Re:Let people make their password "password" by kbrasee · · Score: 1

      Wow... those are by far the most strict password requirements I've ever heard. Too complicated and passwords become meaningless because they'll have to be written down. In situations like that, sentence passwords are the best bet – "I ate 1 chicken!" would satisfy just about any requirement anywhere, and it's pretty simple to recall. Still, wouldn't want to change it once a week though, LOL.

    19. Re:Let people make their password "password" by Anonymous Coward · · Score: 1, Insightful

      ...except that pickpocketing is a tradition as old as pockets themselves. If putting passwords in physical wallets (or PURSES) becomes standard practice in a business, the social engineers are going to have a field day.

      "Hey, $username, we were going down to the $venue.atmosphere(loud|dark) to $recreate. Wanna come along? Be sure to bring your $personal_assets_receptacle !"

      A little legerdemain and the domain's compromised. Let's not even get into the high-efficiency method:

      "Hey, $username, want to come over to my place and $recreate.extra_opts(1) ?"

    20. Re:Let people make their password "password" by Opportunist · · Score: 1

      Yes, that's pretty much what I wanted to express. Thanks for your aid.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    21. Re:Let people make their password "password" by lectrik1 · · Score: 1

To add to that - people have been known to use the same password for every account they have.

  8. Where is slashdots list of mistakes? by trust_jmh · · Score: 2, Funny

    - Expecting others to have read the site linked.
    - Expecting the site to dis Microsoft or to have to address this in a comment.

    1. Re:Where is slashdots list of mistakes? by kbrasee · · Score: 1

      - Expecting others to have read the site linked.
      - Expecting the site to dis Microsoft or to have to address this in a comment.

      - kdawson.

    2. Re:Where is slashdots list of mistakes? by kbrasee · · Score: 1

      - Expecting others to have read the site linked.
      - Expecting the site to dis Microsoft or to have to address this in a comment.

      - kdawson.

      I kid, I kid... buddy???

    3. Re:Where is slashdots list of mistakes? by Jurily · · Score: 1

      - Expecting the site to dis Microsoft or to have to address this in a comment.

      We have a new Godwin. "In any slashdot discussion, the likelihood of dissing Microsoft approaches one."

    4. Re:Where is slashdots list of mistakes? by Neo+Quietus · · Score: 1

      In any discussion? In any POST the likelihood of dissing Microsoft approaches one.

  9. How to get management to read it. by Alari · · Score: 2, Funny

    > Now if I could only find a way to get management to read it.

    Re-route all web traffic to go to a "I've read and agree to the security policies" page that must be confirmed before they can browse any web sites. Put strong language in there letting them know their jobs are at risk if they break any of the security policies.

    --
    I use Windows... like a two dollar wh.. why don't I just go ahead and not finish that sentence.
    1. Re:How to get management to read it. by m95lah · · Score: 2, Informative

      Wow: airing an idea about click-through EULAs on ./

      Are you by any chance doing field trials for fireproof pants?

  10. New topic on the theme by TaoPhoenix · · Score: 3, Insightful

    I found an issue originally as it applies to free webhosts, but would probably apply to all the companies the other article says are gonna croak by 2010.

    Step 1. "Register with your full real information! We need this info because we're gonna micropay you for _____ ." (Sorta true - they would need a mechanism to transfer actual payments. Assume they are legit and not a Nigerian scam.)

    Step 2. "Bah, we know we never had a business plan, so we're gonna shut down."

    Step 3. "Oh look, we just chucked our assets for $1000 on ebay without actually taking care to secure them. Now someone has your info."

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    1. Re:New topic on the theme by Anonymous Coward · · Score: 0

I once bought an off-lease laptop on eBay. The hard drive was supposed to have been formatted, which was fine with me. When it arrived, it still had the operating system, along with all of the former user's files, and BG&E (a power company in the eastern U.S.) proprietary software on it. I just wiped the hard drive, and installed my OS of choice, along with my own choice of software, and my own files.

Maybe there was nothing on that laptop that anyone could have used against the former user, or BG&E (I didn't bother looking at any of the stuff), but this type of thing is pretty common, and ya never know.

      For many years now if I sell or get rid of a system, the hard drive gets physically destroyed. Smashed, then melted into a puddle.

    2. Re:New topic on the theme by Blue23 · · Score: 1

      I know a company that was changing telco providers and sold all the old (locked) cell phones. Turns out there was no policy for wiping them. Who got company sales phones? Sales and Management. Who would be most likely to have numbers useful to others? Sales and Management.

      --
      LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
  11. It's just about everyone's policy. by khasim · · Score: 5, Insightful

    Because most of the things in that list fall under "CYA" for the CxO's.

    They don't know what information security is. They aren't interested in learning about it. They want to have it provided the same way that electricity and water is provided.

    Given that, they'd much rather have a list of checkboxes that their "consultant" can show them (and the auditors) that "proves" that they're doing what is required.

    If something happens, they have the list of checkboxes and they'll fire the consultant and get a different one.

    They have successfully covered their asses and their jobs are the only things that are secure.

    1. Re:It's just about everyone's policy. by Anonymous Coward · · Score: 0

      I don't get it. Security isn't like "egg-sexing" (determining the gender of unhatched eggs by feel) where no one knows how you do it, you get a recruit to watch you, then do it randomly while you correct them, and finally be able to sex chickens as well as you do. All the while no one knows (including you) how you do what you do.

      Instead, it is a set of actions and processes we follow that can be described easily, simply. If someone knows the technologies and vocabulary, you can direct them over the phone.

      With this in mind, why COULDN'T you have a set of checkboxes?

    2. Re:It's just about everyone's policy. by frenetic_wimp · · Score: 1

      Sounds fun.

      --
      get a Free BSD!
    3. Re:It's just about everyone's policy. by Aladrin · · Score: 1

      Because technology changes all the time.

      Sure, for the easy stuff, checkboxes work really well. The problems come when there's new technology, or hackers find a nice new way to tip the balance in their favor. Staying on top of security is a full time job in itself when you work for a large company.

      On top of that, putting all the right rules in place doesn't mean a thing if you can't get your employees (including the bosses/owners) to follow it.

Finding potential attack vectors is a lot like egg-sexing. It involves a lot of logic and isn't something that can be taught on paper very well. But unlike egg-sexing, not everyone can learn it. It takes an innate talent for logic and not everyone has it.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    4. Re:It's just about everyone's policy. by Culture20 · · Score: 1

      [CxOs] aren't interested in learning about it. They want to have it provided the same way that electricity and water is provided.

      Instead, it is a set of actions and processes we follow that can be described easily, simply. If someone knows the technologies and vocabulary, you can direct them over the phone.
      With this in mind, why COULDN'T you have a set of checkboxes?

      Because delivering security isn't like delivering electricity; true security requires that the CEO/CFO/CIO actually _do_ things, and remember not to do other things, things that even the CIO doesn't want to be bothered with.

    5. Re:It's just about everyone's policy. by cbiltcliffe · · Score: 3, Insightful

      Because that leads to the mentality of:

      "All our boxes are checked, therefore we are completely secure."

      And then they sit on their ass until they get hacked, because they never think about all the checkboxes that aren't on the list, or have been added since it was compiled.

      If you want to compile a checklist every day, sure, but that's a horribly inefficient way to do it.

      Someone trying to break into your network doesn't give a crap about what you've done to secure it. They only care about the single thing that you've missed.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    6. Re:It's just about everyone's policy. by plover · · Score: 1

One good fix for much of this is the appointment of a CISO: someone who "gets it" at the top level, with a budget and a staff and the authority to wield them. It's also critical to have someone who can tell the other CxOs "the policy applies to everyone starting with us, because it won't work if we don't set the example. A failure of security at our level could cost us $x million per day."

      I work for a $LARGE_US_CORPORATION and our CEO has to swipe his badge to get into the buildings, same as the rest of us. That's probably because the $10/hr rent-a-cops at the desk wouldn't recognize him if he threw a chair at them (no, not him.) Even if he's just playing along for show, I think it's important for the rest of us to see that he doesn't get a free pass.

      --
      John
    7. Re:It's just about everyone's policy. by treat · · Score: 1

      I don't get it. Security isn't like "egg-sexing" (determining the gender of unhatched eggs by feel) where no one knows how you do it, you get a recruit to watch you, then do it randomly while you correct them, and finally be able to sex chickens as well as you do. All the while no one knows (including you) how you do what you do.

      Instead, it is a set of actions and processes we follow that can be described easily, simply. If someone knows the technologies and vocabulary, you can direct them over the phone.

      With this in mind, why COULDN'T you have a set of checkboxes?

      You deliberately exclude checkboxes such as "There should not be a + in /etc/hosts.equiv". If it's a checklist, it has to be pretty specific, and there's room to flood it with insignificant trivia so that no one has time to read it all.

      I am aware of one publicly traded financial company that has an audit group verify information security. This is done by writing a series of general guidelines, specific policies, and then basically by a checklist. The checklist might include significant detail instead of just a check in a box. For example, the whole /etc/sudoers.

      If you have an application that accepts connections from perhaps a dozen internal applications without authentication, and allows them to engage in a transaction that involves real money, how do you handle a security audit? You tell the auditor exactly what's going on, and explain that to fix it you would have to figure out who's connecting, why they connect, what addresses they might connect from, maintain a list of users and modify the protocol to require the authentication data, and then force a dozen different application groups to modify their code to present authentication. The auditor has to really be the one to force those groups to make the changes. If it is an external auditor, you may need to remind them that they'll

      The easiest solution for everyone involved, including and especially the auditor, is to make sure the checklist includes a whole lot of detail that does not touch upon the fact that there's just no authentication.

      I've seen such detail as including /etc/passwd and /etc/shadow in an audit report but not mentioning that everyone knows the password to the most important system account.
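The "no + in /etc/hosts.equiv" item from the comment above, as an added example (not from the thread) of what a checklist line looks like when it is actually evaluated by code rather than ticked by hand; a sudoers item is done in the same spirit, since the comment names /etc/sudoers as the kind of detail that gets pasted into audit reports. The file contents are constructed samples and the severity labels and format handling are my own reading of the two formats, not an auditor's checklist.

```python
import re

# Constructed sample files (not from any real system).
HOSTS_EQUIV = """\
# constructed sample /etc/hosts.equiv
build01.example.internal
+
backup.example.internal +
+@trusted
-badhost.example.internal
"""

SUDOERS = """\
# constructed sample /etc/sudoers
Defaults env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
jenkins ALL=(ALL) NOPASSWD: ALL
"""

ALIAS_WORDS = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")
# user host=(runas) [TAG:] commands ; runas part is optional
SPEC = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def _lines(text):
    """Yield (lineno, line) for non-empty, non-comment lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line


def audit_hosts_equiv(text):
    """Flag rhosts-style trust entries: '+' host trusts everyone, '+' user trusts all users."""
    findings = []
    for lineno, line in _lines(text):
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            findings.append((lineno, "CRITICAL", "every host is trusted for rlogin/rsh"))
        if user == "+":
            findings.append((lineno, "HIGH", f"any user on {host} may log in as any local user"))
        if host.startswith("+@"):
            findings.append((lineno, "INFO", f"trust delegated to netgroup {host[2:]}"))
    return findings


def audit_sudoers(text):
    """Flag specs granting ALL commands; NOPASSWD on top of that is the worst case."""
    findings = []
    for lineno, line in _lines(text):
        if line.split()[0] in ALIAS_WORDS or line.startswith("@"):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, _hosts, runas, cmds = m.groups()
        if who == "root":            # root already has everything; not a finding
            continue
        nopasswd = "NOPASSWD:" in cmds
        stripped = re.sub(r"\b(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):", "", cmds)
        cmd_list = [c.strip() for c in stripped.split(",")]
        if "ALL" in cmd_list:
            target = "any user" if (runas or "root") == "ALL" else (runas or "root")
            msg = f"{who} may run any command as {target}"
            if nopasswd:
                msg += " without a password"
            findings.append((lineno, "CRITICAL" if nopasswd else "HIGH", msg))
    return findings


if __name__ == "__main__":
    for name, result in (("hosts.equiv", audit_hosts_equiv(HOSTS_EQUIV)),
                         ("sudoers", audit_sudoers(SUDOERS))):
        for lineno, sev, msg in result:
            print(f"{name}:{lineno}: {sev}: {msg}")
```

The two functions are deliberately narrow: they answer the checklist question and nothing else. The gap the comment describes, an internal service that takes money-moving transactions with no authentication at all, is not something a file-format check can find, which is the reason a checklist full of this kind of detail can be complete and still miss the finding that matters.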

    8. Re:It's just about everyone's policy. by Fulcrum+of+Evil · · Score: 1

      If you have an application that accepts connections from perhaps a dozen internal applications without authentication, and allows them to engage in a transaction that involves real money, how do you handle a security audit? You tell the auditor exactly what's going on, and explain that to fix it you would have to figure out who's connecting, why they connect, what addresses they might connect from, maintain a list of users and modify the protocol to require the authentication data, and then force a dozen different application groups to modify their code to present authentication. The auditor has to really be the one to force those groups to make the changes.

      If you're doing SOX auditing and you can't simply lock down the IP source, then they'll probably require that you get as far as a new protocol, then show progress towards abandoning the old one. Doesn't matter that it's hard - the idea is to determine whether you have proper controls, and for that app, you don't.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    9. Re:It's just about everyone's policy. by mgblst · · Score: 1

The Manager doesn't want to know about the intricacies of security, just as they don't want to know all about the website, network, water delivery, etc. That is your job. This seems obvious to me, but people who want to explain every little thing to their manager are so annoying and ignorant. As a manager, I can't be concerned with every little aspect of business, I look at the bigger picture.

  12. Don't do background checks on new IT hires by IvyKing · · Score: 4, Funny

    We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.

    1. Re:Don't do background checks on new IT hires by treat · · Score: 2, Funny

      We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.

      That's not nearly as funny as places that do background checks *months* after an employee has started. That leads to really interesting situations, where newly valuable employees have to face the possibility of being fired. The decision is completely random and is partially based on an HR person's reading of a background check report that they do not really understand. The employee's boss can also help them out if they want (but not every time, it's basically random depending on how it looked in the database and whether that particular hr person and that particular boss have a good relationship or not).

      The win was a programmer forced to work from home, deemed too dangerous to allow into the office.

  13. The people learn fast. by khasim · · Score: 4, Interesting

    They'd just modify their password to meet the minimum requirement to avoid your detection. Usually by taking the passwords they already use and prepending or appending whatever will get them past the scan. And then ALWAYS using that same technique.

    _9%january
    _9%february
    _9%march

    Yes, it appears to be more secure ... until you realize that you don't have to crack the CURRENT password. You can crack any of the sequence and then have a pretty good idea what the current one is.

People hate passwords and they particularly hate passwords that they have to change every 30 days or so. So they'll find a way to (unintentionally) break your security just to make their life easier.

    1. Re:The people learn fast. by fuzzyfuzzyfungus · · Score: 4, Insightful

      On the plus side, if the users are doing whatever will get them past the scan, their accounts are now immune to dictionary attacks using a standard *nix cracking utility.

      Hardly perfect, but it has its virtues.

    2. Re:The people learn fast. by Neoprofin · · Score: 4, Insightful

      Pardon, I broke the security intentionally when they instituted all sorts of requirements for the passwords. My original password was fine, but then they added that it must change every 30 days, well I hope they like easy to crack passwords.

      1qaz!QAZ
      2wsx@WSX
      3edc#EDC
      4rfv$RFV

      They look great, but I guarantee that after one time watching me log everything is forever compromised. Good thing you didn't let me keep my easy (for me) to remember strong password.

    3. Re:The people learn fast. by Skater · · Score: 1

      At work I have something like 15-18 passwords to deal with, all changeable every 60 days. I use four each day just to log in (although two of them are the same) to my machine. That doesn't include logging into up to three different servers all with different passwords. Add various company portals, document repositories, and web interfaces to things like my personnel data, and it's just too many passwords to remember.

      Just about all of these are 60 day intervals, and of course they aren't changing at the same time.

      Write them down? The temptation is incredible. I don't want to spend 15-20 minutes on the phone (mostly on hold, waiting for the next available representative) to reset my password every time I need to use a system that I haven't used in a couple weeks. And God help you if you forget your Lotus Notes password.

    4. Re:The people learn fast. by commodoresloat · · Score: 3, Funny

      You're right -- these passwords are easy to crack, once you post them to slashdot.

    5. Re:The people learn fast. by Jurily · · Score: 2, Interesting

      Yes, it appears to be more secure ... until you realize that you don't have to crack the CURRENT password. You can crack any of the sequence and then have a pretty good idea what the current one is.

      So, how does an outside attacker crack a password that is no longer valid?

      Also, if you have a previous password, it cannot be brute-forced. You need a human on the other end to guess what the current password is.

    6. Re:The people learn fast. by catman · · Score: 1

      I'm storing my passwords in kwallet on my Linux laptop. Sometimes I need a password reset on a Unix box that only I and one other guy ever use - and it takes AT LEAST 3 FRICKIN DAYS to get it done. Down, not across.

    7. Re:The people learn fast. by painehope · · Score: 1

      Well, the point was to make sure that people didn't have easily cracked passwords. Not perfect ones. It was a stop-gap measure. And bear in mind this was almost ten years ago.

      Anyone remember that quote that goes something along the lines of "every time we build an idiot-proof system, nature designs a better idiot"?

      You can't make people smarter. You can only hit them with a stick when they do something stupid. Thankfully, you can program a stick above their heads.

      --
      PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
    8. Re:The people learn fast. by LostCluster · · Score: 1

      One quarterly password scheme I've heard of is to pick a city that has 4 major sports teams, and rotate through the year with the current team's name followed by the number of the year's season being played.

    9. Re:The people learn fast. by RoboRay · · Score: 1

      A couple of years ago, I needed to access a Department of the Army system for my work. The password requirements included, I shit you not, alternating numbers and letters. A password including any two numbers or two letters in a row would not validate. They expected (I guess) people to use passwords like 5h8d3l7v.

      Guess what my password was? 1q2w3e4r5t

      I'm sure at least 50% of the users chose that same password.

    10. Re:The people learn fast. by cbiltcliffe · · Score: 1

      Wouldn't it make more sense for security to use two different rows of keys?

      Like:
      1qaz@WSX

      Would probably be harder for someone shoulder surfing to figure out exactly what it is you did, too.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
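A password-change check that catches the two workarounds this thread keeps returning to, as an added example that is not code from any of the posts: keyboard walks such as 1qaz!QAZ, 1q2w3e4r5t and the two-row 1qaz@WSX suggested just above, and "same as last month, one step along" sequences such as _9%january to _9%february. It assumes a US QWERTY layout; the staggered-row adjacency rule, the run length, the coverage threshold and the edit-distance limit are my own choices (the similarity check plays the role of pam_pwquality's old-password comparison, but the exact metric is mine).

```python
# Assumes a US QWERTY board; the thresholds below are this example's own choices.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Map every printable key, shifted or not, to its (row, column) on the board,
# so '!' and '1', '@' and '2', 'Q' and 'q' are the same physical key.
KEY_POS = {}
for r, (plain, shifted) in enumerate(zip(ROWS, SHIFTED)):
    for c, (p, s) in enumerate(zip(plain, shifted)):
        KEY_POS[p] = (r, c)
        KEY_POS[s] = (r, c)

MIN_RUN = 3        # three touching keys in a row count as a walk segment
WALK_LIMIT = 0.5   # reject if at least half the password lies in walk segments


def adjacent(a, b):
    """True if a and b are the same key or touch on a staggered QWERTY board."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
    dr, dc = rb - ra, cb - ca
    if dr == 0:
        return abs(dc) <= 1
    if dr == 1:        # the row below is offset half a key to the right
        return dc in (-1, 0)
    if dr == -1:       # the row above is offset half a key to the left
        return dc in (0, 1)
    return False


def walk_coverage(pw):
    """Fraction of characters that sit inside a run of MIN_RUN or more adjacent keys."""
    n = len(pw)
    covered = [False] * n
    start = 0
    for i in range(1, n + 1):
        if i < n and adjacent(pw[i - 1], pw[i]):
            continue                      # still walking; extend the run
        if i - start >= MIN_RUN:          # run pw[start:i] is long enough to count
            for j in range(start, i):
                covered[j] = True
        start = i
    return sum(covered) / n if n else 0.0


def levenshtein(a, b):
    """Plain edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(new, previous=None, min_length=8):
    """Return the reasons to reject `new`; an empty list means it is accepted."""
    reasons = []
    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    cov = walk_coverage(new)
    if cov >= WALK_LIMIT:
        reasons.append(f"keyboard walk covers {cov:.0%} of the password")
    if previous is not None and levenshtein(new, previous) <= len(new) // 2:
        reasons.append("too similar to the previous password")
    return reasons


if __name__ == "__main__":
    samples = [("1q2w3e4r5t", None), ("1qaz!QAZ", None), ("1qaz@WSX", None),
               ("_9%february", "_9%january"), ("I ate 1 chicken!", "1qaz!QAZ")]
    for pw, old in samples:
        print(f"{pw!r:20} -> {check_password(pw, old) or 'accepted'}")
```

Two things worth noticing when running it. The two-row variant 1qaz@WSX is still two walk segments covering the whole password, so splitting the walk across rows does not help against a checker that understands shifted keys. And the similarity check only works if the system still has the previous password in cleartext at the moment of the change, which it does (the user just typed it to authenticate); it cannot be run against a stored history of hashes, which is why the month-rotation trick survives on systems that only compare hashes.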
    11. Re:The people learn fast. by edmazur · · Score: 1

      Unless you're using Dvorak.

    12. Re:The people learn fast. by Neoprofin · · Score: 1

      That's the point, I had a nice secure password that never would have caused them any problems, if they think the best way to get security is to force me to think up and remember a new password every 30 days then my solution is to become as insecure as possible to offset how incredibly annoyed I am.

      If they catch on to that one I'll just put it on a post-it on my machine.

    13. Re:The people learn fast. by Neoprofin · · Score: 4, Funny

      The jokes on you, I've already moved on to 5tgb%TGB!

    14. Re:The people learn fast. by cbiltcliffe · · Score: 1

      Ah, you're trying to be an ass, because they're idiots. Got it.

      But seriously...that's as insecure as you could get?

      Maybe 1a1a1a1a would be a little more insecure.
      Or 1a!A1a!A, if you need symbols in your passwords.
What are your minimum/maximum length restrictions?

      You could always try "SÄ"cμÑ"Ñ-ïá 1$ ÃzÄ...ÐÅ£ÅY" if you really want to be obnoxious. Meets all requirements I've ever seen.

      Upper case? Check.
      Lower case? Check.
      Numbers? Check.
      Special chars? Check.
      More than 8 characters? Check.

      Of course, it would take you 10 minutes to type in, what with all the Alt+Num codes, but hey. They want security? They'll have to deal with your taking the time to log in.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    15. Re:The people learn fast. by cbiltcliffe · · Score: 1

      Damn.

      Stupid unicode that isn't.

      That was supposed to say "Security is Pants", in all sorts of Greek, Arabic, and Cyrillic characters.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    16. Re:The people learn fast. by TaoPhoenix · · Score: 1

      You're joking, but it just goes - embed your reminder in a wall o' noise and no one will care and still can't find it if they do.

      Things like using your pizza gift card serial number backwards. Good news! You just replace it every month!
      Who said Yum could only be a package manager? Now you can have a Yummy password!

      --
      My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    17. Re:The people learn fast. by Skater · · Score: 1

      I should have mentioned that I recommended wallet software a couple years back during the annual IT survey. Nothing came of it, of course. So, many people have a list of passwords hanging at their desks. I don't know what the rest of the people do.

    18. Re:The people learn fast. by iNaya · · Score: 1

      Yes, Slashdot still doesn't support a standard that is over 20 years old.

      --
      The Unicode standard is over 20 years old. Why does Slashdot not support it?
    19. Re:The people learn fast. by karnal · · Score: 1

      No fair, you added an exclamation point to your password, breaking the sequence!

      --
      Karnal
    20. Re:The people learn fast. by eihab · · Score: 2, Funny

      That reminds me of a funny email about password rules that was going around, it went like this:

      CORPORATE DIRECTIVE NUMBER 88-570471

      In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.

      RULES FOR THE SELECTION OF PASSWORDS:

      1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.

      2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.

      3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.

      4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.

      5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.

      6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.

      7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.

      Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.

      --
      If you can't mod them join them.
  14. Today? by Anonymous Coward · · Score: 0

    That was a weak ago....

    1. Re:Today? by cp.tar · · Score: 1

      This is Slashdot. Expect a dupe in a strong or two.

      --
      Ignore this signature. By order.
  15. The Big Take-Away by mpapet · · Score: 2, Funny

    InfoSec in nearly all corporate environments breaks down into a couple of basic facts.

    1. Do just enough, at the lowest possible price to maintain compliance and then everyone does their best to ignore it because it's all messy overhead costs.

    2. Have someone in IT to blame. This is especially true if your title has something to do with infosec.

    1 and 2 are a special kind of evil circular logic where the exec blame-shifts to the IT guy for their "buggy" porn-riddled trojaned corporate laptop. In the exec's circle it is always IT's fault.

    Switch to Mac? Nope, too expensive. Besides, no one else in corporate culture uses Macs. Linux? What?? Weird people use it, not self-important execs like me. What do you mean there's no IE7? I can't possibly waste time on linkedin and facebook without IE7!!!

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    1. Re:The Big Take-Away by Anonymous Coward · · Score: 0

      You miss the point of infosec. Infosec is about making the business aware of the risks of the systems they implement - it's the job of the business to build systems. Infosec are like a consultancy role.

      If the business chooses to not run AV, and infosec say "There's a risk this will cost you about £1million 5 times a year", and the business still chooses not to do AV, then they can't blame anyone when they lose £5m a year to viruses. If something happens to affect service or customer data as the result of a security issue that infosec didn't point out, then that's entirely the fault of infosec.

      Risk management is all it is. Businesses work with risk all the time, and infosec guys are just the experts in risk arising from IT security issues. The worst thing that could happen is for a bunch of IT guys to get together and say "Lets rotate passwords every 90 days" without (a) having any sort of business context or reason behind doing that and (b) any sort of concept about why that's required. It's guys like that who give infosec a bad name.

  16. A few more. by Anonymous Coward · · Score: 1, Insightful

    -Expecting to attract new users with an ugly "Web 2.0" redesign.
    -Expecting the new Digg-like metamoderation system to work.
    -Expecting us to read excruciatingly lame Idle stories.

  17. Responsibility without power is an ulcer by Opportunist · · Score: 4, Insightful

    Power without responsibility, though, is a nightmare.

    My personal pet peeve is managers who demand full access rights for their accounts while at the same time ignoring any security standards. It pretty much fits into the "security guidelines that don't apply to executives" problem.

    It usually takes a very long time to explain why limited rights are actually good for you. What usually works out is to tell people that you cannot be blamed for anything you don't have privileges for. If something goes wrong, you can push responsibility away and claim you couldn't be responsible for it because you simply didn't have the permissions necessary to do it.

    Believe it or not, this argument is way stronger than any increased security you could use as an argument.

    At the same time I pity everyone who has to work in such an environment, where people are actually more concerned with covering their backs and blame shifting games rather than overall performance increase and setting security standards.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Responsibility without power is an ulcer by Jurily · · Score: 1

      At the same time I pity everyone who has to work in such an environment, where people are actually more concerned with covering their backs and blame shifting games rather than overall performance increase and setting security standards.

      Amen. CYA is the new national anthem.

    2. Re:Responsibility without power is an ulcer by Anonymous Coward · · Score: 0

      A friend and I used a similar definition. We'd talk of a grid with responsibility on one axis and authority/power on the other.

      We called the 4 quadrants:

      scapegoat - | - leader
      ------------------------
      peon/staff - | - despot

      In a perfect world, my ascii art would have the lower left as a zero, not as a minus value. Sigh. And I'll leave the trivial task of axes definition as an exercise for the reader; but like reading 'Death March', keeping this concept in mind has remained helpful over 20 years when looking at a career-shift or promotion or the likes. It also gave me added respect for life at the lower left corner. Whether calling these folks wage-slaves or toadies or more polite terms, they really don't get the stress that the other three spots simmer along in day after day.

    3. Re:Responsibility without power is an ulcer by growse · · Score: 1

      Exactly. This hits the point. Information security guys don't need authority, because they shouldn't have any responsibility over the business. The business should be asking infosec for help on how to secure their systems, and the infosec guys should tell them the risks of implementing / not implementing controls.

      If the business has a system that gets hacked because they chose not to implement a good password policy, despite being aware of the risk, then that's their own damn fault, not infosec's.

      --
      There is nothing interesting going on at my blog
  18. Yes by Anonymous Coward · · Score: 2, Funny

    It's like I'm wearing nothing at all.
    nothing at all.
    nothing at all.

    1. Re:Yes by spartacus_prime · · Score: 0

      Stupid sexy AC!

      --
      If you can read this, it means that I bothered to log in.
  19. Big one missing by Anonymous Coward · · Score: 0

    Rely on passwords for authentication.

    1. Re:Big one missing by growse · · Score: 1

      Nothing wrong with passwords for authentication. Depends entirely on what you're trying to achieve with authentication on whether having only passwords is a good choice.

      --
      There is nothing interesting going on at my blog
  20. here's how to do it...... by Anonymous Coward · · Score: 1, Funny

    Put it on twitter...... They'll read it.

  21. Getting management on board is critical by an.echte.trilingue · · Score: 5, Insightful

    The management is everything.

    I currently do the IT for a small business to pay the bills while I am in grad school. The hardest thing for me has been to get the owner on board with a sane security policy. When I walked in the door, the business used the same username and password for all 22 of the desktops, the one email account (that everybody shared!), the web server, the online bank account, everything. I was able to get all the employees on board with my security plans mostly because I explained what I wanted to do and why, and what it would do for the company... and they were happy to be getting separate email accounts.

    Then there is the boss. I explained my reasons for wanting a better security policy when I came on board. We sat down together and discussed different options, and he always gave me his approval. I thought everything was gravy, but I seriously overestimated his give-a-shit factor.

    For obvious reasons, he wants to have administrator access to all of our systems (we are small enough that that is reasonable). At one point our info@ account started spewing spam and got our IP blacklisted for a couple of days. The reason? The boss had changed the SMTP password to 4. He regularly demands that his employees give him their email passwords and proceeds to send email in their names. In general he is just a walking nightmare.

    Of course, before long the other employees began picking up on his nonchalance, and they stopped bothering with security, too. Basically, due to his behavior, the architecture that should have given them a reasonable amount of professional privacy and accountability/deniability totally failed. I think this is really key: users are in general not stupid. Generally they are smart enough to understand the "why" behind security and follow through on it. You have to have systems in place to catch the bad apples, but that is about it. However, one stupid manager can ruin everything.

    I wouldn't care either, except that I have to clean up the messes this situation makes. This job is ultimately important for my resume (first post military employment), and I don't want to make the news for record data loss.

    God, I can't wait till I graduate.

    --
    weirdest thing I ever saw: scientology advertising on slashdot.
    1. Re:Getting management on board is critical by Creepy+Crawler · · Score: 3, Interesting

      Too true. I've seen similar to what you say. However, my education has not been book-driven or learned in a scholastic setting. In fact, I have no degree to speak of.

      First thing is, as you said, a sane security policy. 1 email acct, same login/passwd, security-unconscious snooping owner all cause these horrendous problems. However, I'd also highlight one very nasty catchup: licensure. I'm guessing that he (the owner) bought the machines piecemeal as he needed them. And he probably bought them from different outfits, no less.

      One rogue user could turn them in to the Boy Sco^H^H^H^H^H^H^H BSA. Go look at that guitar string maker up north of us, here in Indiana. He went the Linux route with smart terminals from the old machines incapable of running Windows NewVersion. Still, after being sued, he avoided ever again allowing that kind of liability in his building.

      As per the snooping email: explain to him that hidden snooping will let him observe without alerting the user of being watched. On your side, create an account, and duplicate every user's email settings into that account. Make it only receivable, and delete after 10 days (unless you have a beefy mailserver, which I doubt). I'd say it'd be stupid not to have a nice RAID1+0 server with 1-3 TB storage with Linux, admined via Webmin, but those things cost. I'd wait on that kind of proposal unless you can show immediate gain for him and his employees.

      And on the desktop snooping end, install VNC (if you use Windows) as a service and "ignore remote mouse/keyboard" so he can watch as he pleases with only very minimal lag seen on the user end. The Linux side, if you can convince him to switch, is just as easy. It uses x11vnc and is a one-line command. If you're running KDE, you can make a script that shows a pretty dialog box, asks for computer (ip/name) and logs in via ssh. The Linux one is by far more secure, but requires switching.

      And on the snooping, I'd also recommend DansGuardian so he can ban "bad sites", allow them for himself, and have a log of bad sites for each user. This could easily be used as a tool to remove bad employees, in that if they violate a "No porn/gambling/auction sites" rule, it can be selectively enforced. Yes, I do consider a tool like that to be unethical, but he makes the hiring/firing decisions: not you. The more power you can land in his control, the better for you as you support it.

      And the Stupid Admin issue: once you put that much control in his fingertips, he will not let it go. Explain to him that it would be disastrous if his users got hold of this power. In essence, scare the bejeezus out of him. Trust me, it works.

    2. Re:Getting management on board is critical by thegrassyknowl · · Score: 1

      For obvious reasons, he wants to have administrator access to all of our systems (we are small enough that that is reasonable). At one point our info@ account started spewing spam and got our IP blacklisted for a couple of days. The reason? The boss had changed the SMTP password to 4. He regularly demands that his employees give him their email passwords and proceeds to send email in their names. In general he is just a walking nightmare.

      He doesn't need their email passwords to send email as them... all he needs is an open SMTP relay and a basic knowledge of his email settings. Of course I think he probably doesn't have that either.

      Small business is all the same. I've colleagues who have been in similar scenarios at small companies.

      I came from a company that was exactly the same. There was no IT security. The boss invited all his mates round on the weekends to thrash the high speed Internet connection and play games. They brought virus and spyware ridden Windows PCs in and just plugged them into the network. There wasn't a lot I could do about that. I made policy to stop him doing it, but he was the CEO and figured that policy doesn't apply to him. He wouldn't spring for a fully managed switch so I couldn't lock out unauthorized hardware addresses that way. You know what stopped it in the end? I turned off DHCP and put static IPs on all the machines in the building, including his laptop. Clueless enough that they couldn't figure it out.

      This very same boss made it mandatory company policy to write your password down so he could access all your stuff. I ended up telling all the staff to not do that and all but one actually listened to me; until he threatened to fire everyone who didn't give him their password.

      This was a company where the CEO was so paranoid about security, was totally clueless about how to get it but thought he knew everything (the most dangerous type of person) like most clueless users and completely ignored everything that I'd tell him about how to achieve it because he thought he knew better and it was also an inconvenience (like not being able to invite all his virus infected mates to work). Same CEO had a password that was the first one to come out of John... actually I've never seen a password come out in less than a minute before... until this guy.

      Where I am now is better, but still not perfect. There's a lot of talk about putting half-finished web applications live on the Internet for all to see just so the customer can access it from wherever they are and show it off... security nightmare. I've got a bunch of CentOS boxes that haven't been updated in months - nobody's even read the logs. I just picked up that mess to audit and patch. It's very slow going work.

      And, like most corporations the people least able to make good decisions regarding IT/Engineering always rise to the top and those of us who are capable of making decisions are left sitting at the bottom "advising" and mostly being ignored by those who don't want to be inconvenienced by security. If you can find a company with a decent manager who is all about making GOOD decisions then stick with them.

      --
      I drink to make other people interesting!
    3. Re:Getting management on board is critical by Anonymous Coward · · Score: 2, Insightful

      You are in a position where failure is guaranteed.

      This failure will be blamed on you by exactly the man who's ignoring it.

      He already thinks he's better at the jobs of everyone he's hired than they are; and has the right to subvert their autonomy and act as them at will.

      Anything that happens positively in this environment will be credited to himself, and anything bad that happens will be blamed on whomever was assigned it.

      Get Out Now. I wish I were joking. Leave while you are on good terms and can just say 'I found another opportunity'. Find any excuse that fits; just don't use lack of confidence as part of the excuse. Don't hint at future badness that may come. Just find a polite way to say that leaving the company now appears to be the best reason because:
      You need to devote more time to study
      You got another offer
      You've been invited to help a doctoral fellow with important research
      There's been a family emergency and you need to devote more time to them.

      If you end up in contact with them in the future, then whichever option you chose above "just didn't pan out, and you decided to focus on GPA during the last semester / quarter / etc. rather than come back to their company, but you remember them fondly."

      Preferably tell them a truthful reason you have to leave, like focusing on studies, because truth is always best. But this case is so bad, that I'd endorse a small lie to help save face.

      Leave this week if you can.

    4. Re:Getting management on board is critical by swb · · Score: 1

      They're all like that. Hubris, luck or whatever, these small business people assume they know everything.

      At the end of the day, I could give a shit if they get hacked and the business suffers. It's really not my problem. They want to run their business their way and it's their prerogative. I don't tell them who to extend credit to, which employees to keep or can, etc (although I do tell them if their coffee sucks).

      I let them do whatever they want, but outline in writing why I think some things are a bad idea and make sure they get a copy and that I have reasonable proof they have seen my objections. In a couple of limited cases I've had to tell them either they do X differently or I won't support them if it stops working, or the support will be "scheduled" as opposed to drop-everything.

      When I first started doing small biz consulting this drove me nuts, and I wanted to apply all the usual best practices, but it rubs most small biz owners wrong and in many cases just isn't economically viable (i.e., nobody will pay for the hours necessary to do it right).

    5. Re:Getting management on board is critical by Anonymous Coward · · Score: 0

      What stunned me when I started working at a company whose name was probably written on the case of your PC when you got it was how much of the talk about security was lip service.
      Accounts with the username for their password were the norm. Accounts with admin rights here.
      Scripts with usernames and passwords written into them, again with admin rights.
      God help them if anyone got a packet sniffer on the network.

      These things weren't too bad on the boxes that security audited regularly but the rest...
      There were enough nodes which, if compromised, would have meant the whole network being compromised badly thanks to the earlier mentioned passwords in scripts.

      I mentioned this to my supervisor but his attitude was that it would be a nightmare to fix and better to just be quiet and wait for security to point out problems.
      I'm just on a short contract so it's not worth the trouble to go kicking up a fuss, I informed who I was supposed to and it's his choice now.

      So as for advice: audit key systems regularly but make it so all systems are open for random snap security audits, try to make sure they happen at quiet times so as not to disrupt work too much. Make it worth money, you're going to find a few things that are imperfect on an audit but have small bonuses you can award to teams whose apps and servers are kept unusually secure and have some way of punishing really really crappy security. Otherwise there's no reason to be any more than good enough to not get fired.

    6. Re:Getting management on board is critical by Anonymous Coward · · Score: 0

      Break into their security and destroy half of everything five minutes after you are finished with that job. Then report them with poor handling of sensitive passwords. That should be fun and you get a line in your CV the likes of 'helped raise awareness for investing in good security practices at such and such agency'. You need some balls to pull it off but it can be done. In certain European countries (i.e. mine) they could be fined very heavily for not disabling your admin access the minute you are gone.

  22. Get management onboard by htwf_and_ip · · Score: 1, Funny

    Now if I could only find a way to get management to read it.
    Get it published in e-Week or some other "respected" trade publication.

  23. Somewhat Easy Password Solution by scienceprogrammer · · Score: 0

    "Expect your users to remember passwords without writing them down."

    I cannot tell you how many people write down the password on their notepad (always left on the desk) or a sticky under the keyboard.
    I always suggest using the first letters of a line from a song with a few numbers. Sgt. Pepper's Lonely Hearts Club Band 67, splhcb67. If you can't remember a song you might want to stay home.
    The admins don't really care either, they just don't want to reset passwords.
    We even use a generic word for the type of work we do as a password for other companies' websites. Like bank for a bank. It's pretty sad considering the damage that could be done. Money, reputation, and not to mention private research representing years of experiments. (Not mine, I just code.)

  24. Powerpoint by kybred · · Score: 4, Funny

    Pictures and bullet points. That's your way in. We all know management can't read.

    Convert it to a Powerpoint presentation. Be sure to use words like 'Synergism' and 'Paradigm'.

    1. Re:Powerpoint by kasperd · · Score: 1

      Be sure to use words like 'Synergism' and 'Paradigm'.

      You don't need to use the paradigm word. Leveraging synergies is a win-win.

      --
      Do you care about the security of your wireless mouse?
  25. We use biometrics by Anonymous Coward · · Score: 0

    Everyone has a Breathalyzer attached to their workstation. In order to access, you have to blow a BAC reading that is "typical" for each user.

    Too low and it is a sure sign of a hangover. Too high is also no good.

  26. 10 year infosec vet by Cally · · Score: 2, Funny

    See these scars? Nimda. See this funny dent in my leg? NT4 SP5... this piece was so true it hurts.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    1. Re:10 year infosec vet by Anonymous Coward · · Score: 0

      I still have a nervous tic from Slammer...

    2. Re:10 year infosec vet by Cally · · Score: 1

      I was working for a security consultancy by then. Our switchboard lit up as all the managed firewall customers called in complaining our firewalls had broken their network. It didn't take long to notice that half their systems were firehosing udp/1434 around their internal networks like punctured liquid gas cylinders bouncing around a burning factory... I'd like to think some people realised that having a firewall and anti-virus software doesn't mean you're secure - but I'd be a mug if I did.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  27. Forgot one: Physical Security by mergy · · Score: 3, Insightful

    "Assume all potential attacks will come across the network or internet and disregard direct physical access to the hardware"

  28. Don't run a Cargo Cult by Mutatis+Mutandis · · Score: 4, Insightful

    The biggest problem with security is often that the IT people don't understand what the computers are actually used for. And worse: Don't even want to know. They have converted their IT job into a cargo cult.

    They then define security policy as the unilateral invention of the IT department, stressing how to be secure as opposed to how to work securely. Ignoring that the best way to be secure is to pull the plug, of course, as that would put them out of a job as well.

    The result is usually an IT policy that conflicts with getting work done, and therefore is undermined by employees at every opportunity. Overall security result: Zero. But lots of mutual loathing and recrimination.

    In some fields this is frighteningly common. I've been in debate sessions with a few score of colleagues, most of them working with competing firms, and found them in universal agreement that their IT department was hopeless and they would be better off doing everything themselves. Several of them had already set up their own systems, quick and dirty and probably with pretty poor security. But it worked for them, which is all that mattered to them --- at the time.

    The lesson is: Always define your IT policies, security and others, together with the users. Especially the heavier consumers of IT resources and the users with the most skills, for they have the know-how to bust the security systems, and their example will be followed by their peers. Make sure policies are acceptable to everyone and the logic behind them is well understood.

    Secondly, make sure to always be there to offer help when someone has a problem that needs to be solved. You want to be part of that solution. And never, never say that it just can't be done.

  29. You forgot by cyberfunkr · · Score: 3, Insightful

    You forgot the part where the Manager doesn't tell anyone about the theft for a few days while trying to cover it up.

    A few days without IT being able to change passwords, watch for break-ins, etc.

  30. Don't ask for security you won't use by Anonymous Coward · · Score: 2, Funny

    At my last job, SEVEN MONTHS AGO, I was asked what was needed to make SQL Query hacks impossible.

    So I wrote out a long list, and it just sat there on their server for future use in upcoming projects.

    Meanwhile, 100,000 sites went down to SQL Injection attacks later that month.

    I feel like I was writing a guide for recent layoffs for the people who worked there who thought their job was threatened by a new programmer.

    And I'm sure my report was ignored by people who actually worked there.

  31. Heh by X.25 · · Score: 1

    I took a 4-5 year "break" from security (switched to other areas, kept 'in touch' with my first love ;), because it really turned into all these things mentioned in the article.

    I'm now looking to come back. I can't even imagine what it's going to look like in a corporate environment, but something tells me I'll be disappointed :(

  32. None by Anonymous Coward · · Score: 0

    But where I work, if you don't follow policy you don't get to use the computer. We can't actually fire you; your boss will do that when he finds you aren't doing any work.

  33. Reverse psychology by Cally · · Score: 4, Funny

    Ladies and gentlemen of the board, as you know this mighty corporation is under constant attacks by Dr Evil, SMERSH, the KGB and the Illuminati. I am now at liberty to reveal to you that we have been contacted by the Secret Service, sworn to secrecy, and issued with specially secured, James Bond laptops. Now there's only a few of these super-elite systems to go around, and only the most important people can be allowed the privilege of one of the Super Secure Laptops. So, I'll leave the room now, and you can draw lots to see which of you will have to put up with one of the standard, normal, Windows-based laptops... and who merits inclusion on the Hyper Secure System Program, and gets a 007 laptop.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    1. Re:Reverse psychology by Ihmhi · · Score: 1

      As crazy as that sounds, it'd probably work.

      "Oh, sir, uh... Linux is the operating system the CIA uses for their servers! Yes, servers, those huge, super-powerful computers we have in the basement. The part where it can play games is still in beta. You know, like Gmail? Yeah, like that. Not everything's finished yet! Let me call my buddy in Langley and I'll get back to you in a week or two."

    2. Re:Reverse psychology by supernova_hq · · Score: 1

      Make sure you get some custom case mods for them. Even if it's just a cool looking sticker, it will make the PHB's feel special.

    3. Re:Reverse psychology by Cally · · Score: 1

      Crazy? Actually, that's exactly what we've done where I work. We even called them the "James Bond laptops" when pitching the idea to management. They lined up to be early adopter / beta testers. All our users now run as users, rather than local admin. (There's a lot more to it than that of course; check out the Microsoft XP security and hardening guide.)

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    4. Re:Reverse psychology by Cally · · Score: 1

      Hey, that's a great idea; thanks! Make the status symbol /visible/...

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    5. Re:Reverse psychology by Ihmhi · · Score: 1

      I run a computer lab for a local nonprofit and I'd very much like to read that guide. Is it a book, or do you have a link? Exact title I could search Amazon for? etc.

      It'd be much appreciated.

    6. Re:Reverse psychology by Cally · · Score: 1

      (Those might be the same doc, I'm not sure.) Poke around here for a bit and you'll find a lot of other useful docs and tools.

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    7. Re:Reverse psychology by Ihmhi · · Score: 1

      Thanks a bunch! I have a meeting with a bunch of IT froshes on Tuesday and they will all get copies of this to read.

    8. Re:Reverse psychology by Cally · · Score: 1

      Happy to help. "We're all in it together, kid!" - Harry Tuttle :)

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  34. On the subject of passwords by InfiniteLoopCounter · · Score: 1

    I've wondered for a while why exactly it is a good approach to security to have passwords change frequently? Why not instead have everyone change their password every year or so and allow it to be something reasonably easy (>4 characters, maybe a number or special character in there as well).

    My idea (I doubt I am the first to have it though) is that you would just only allow 1 log in attempt per 20 seconds or something and record when many log in attempts are being made (i.e. a brute force/dictionary attack). If there are many log in attempts, then ask the user to answer questions that only a human can answer (i.e. "1 0 - 2 = ?", "what color is the daytime sky?") before any more attempts can be made and restrict log in on the next attempt, for a limited time, to the address where the question(s) were answered correctly.

    I'd like to know if there's some reason why this would be a bad setup from a security perspective.
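
The throttle the post sketches (one attempt per account per 20 seconds, a human challenge once failures pile up, and a short window in which only the address that answered the challenge may try again), written out as an added Python example. This is not code from the post or from the SANS article; the thresholds (five failures, a ten-minute failure window, a five-minute address binding) and the user names and addresses are constructed assumptions. The clock is passed in by the caller so the logic can be driven deterministically.

```python
"""Login throttling as sketched in the post above: at most one attempt per
account every 20 s, a human challenge after repeated failures, and a short
window in which only the address that answered the challenge may try again.
Constructed example; the thresholds below are assumptions, not from the post."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_INTERVAL = 20.0       # seconds between attempts on one account
CHALLENGE_AFTER = 5       # failures in the window before a challenge is demanded
FAILURE_WINDOW = 600.0    # failures older than this no longer count
BIND_SECONDS = 300.0      # how long the challenge-answering address is the only one allowed


@dataclass
class AccountState:
    last_attempt: float = float("-inf")
    failures: List[float] = field(default_factory=list)  # timestamps of failed attempts
    bound_addr: Optional[str] = None                     # address that passed the challenge
    bound_until: float = 0.0


class LoginThrottle:
    """Per-account state; the caller supplies the clock so the logic is testable."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def check(self, user: str, addr: str, now: float) -> str:
        """Decide before touching the password: 'ok', 'too_fast', 'challenge' or 'wrong_address'."""
        st = self._state(user)
        bound = st.bound_addr is not None and now < st.bound_until
        if bound and addr != st.bound_addr:
            return "wrong_address"          # someone else is trying during the bound window
        if now - st.last_attempt < MIN_INTERVAL:
            return "too_fast"               # not evaluated, so it does not count as a failure
        st.failures = [t for t in st.failures if now - t < FAILURE_WINDOW]
        if len(st.failures) >= CHALLENGE_AFTER and not bound:
            return "challenge"              # looks like a brute-force / dictionary run
        return "ok"

    def record(self, user: str, addr: str, now: float, success: bool) -> None:
        """Call after the password was actually evaluated."""
        st = self._state(user)
        st.last_attempt = now
        if success:
            st.failures.clear()
            st.bound_addr = None
        else:
            st.failures.append(now)

    def answer_challenge(self, user: str, addr: str, now: float, correct: bool) -> bool:
        """A correct answer binds further attempts to `addr` for BIND_SECONDS."""
        st = self._state(user)
        if not correct:
            return False
        st.bound_addr = addr
        st.bound_until = now + BIND_SECONDS
        return True


def simulate() -> List[str]:
    """Constructed scenario: five failures from one address, a challenge, then success."""
    t = LoginThrottle()
    out = []
    for now in (0.0, 5.0, 20.0, 40.0, 60.0, 80.0):
        verdict = t.check("alice", "10.0.0.1", now)
        out.append(verdict)
        if verdict == "ok":
            t.record("alice", "10.0.0.1", now, success=False)
    out.append(t.check("alice", "10.0.0.1", 100.0))             # challenge
    t.answer_challenge("alice", "10.0.0.1", 100.0, correct=True)
    out.append(t.check("alice", "10.0.0.2", 100.0))             # wrong_address
    out.append(t.check("alice", "10.0.0.1", 100.0))             # ok
    t.record("alice", "10.0.0.1", 100.0, success=True)
    out.append(t.check("alice", "10.0.0.2", 120.0))             # ok again
    return out


if __name__ == "__main__":
    print(simulate())
```

One caveat that belongs next to any per-account limiter: because the 20-second interval and the challenge are keyed on the account, not the source, anyone who knows a user name can keep that user locked out or permanently challenged simply by hammering the login form, so the state is usually combined with a per-source limit and the rejected attempts are logged for the people who read the logs.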

    1. Re:On the subject of passwords by Anonymous Coward · · Score: 0

      It's not. It's a big misconception. Password rotation buys you very little in most circumstances, and costs you quite a lot in support calls (when people forget) and in potential breaches due to people writing their passwords down.

      People who mandate password rotation everywhere generally don't understand risk management or information security, or in fact what they're talking about.

    2. Re:On the subject of passwords by lectrik1 · · Score: 1

      I believe the reason for having passwords change frequently is that even strong passwords can be cracked within a few months. By having people change their passwords every 75 days or so, it is thought that that is the timeframe in which their old password is on the verge of being cracked. Of course, their password may have been compromised within the first day. Instead of having a static password that must be changed every 90 days or so, I think it would be better to use a dynamic password that is changed every time the user logs on. The user can have a fob that has a random number that changes every 30 seconds. The password would consist of a static part that would not change and add the dynamic part that would be displayed on their security fob at the time they want to log on. So the password could be 12 numbers long, consisting of 6 numbers that never change and 6 numbers that are only available for 30 seconds. The password protection should only be as strong as the information that needs to be protected is sensitive. I don't think a company would want to incur the expense of key fobs to protect an e-mail account, but they would want to use as much security as possible to protect sensitive proprietary data.
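
The two-part password described in this reply (six static digits the user remembers plus six digits from a fob that change every 30 seconds), as an added Python example of the server-side check. It is not code from the post; the fob algorithm is assumed to be the HMAC-based one-time password of RFC 4226 / RFC 6238, which the post does not name, and the seed, salt and static part are the constructed demo values from those RFCs' test vectors. The static part is stored only as a salted PBKDF2 hash, both halves are always evaluated so a wrong static part is not distinguishable by timing, one step of clock drift is tolerated, and a code is accepted at most once.

```python
"""Two-part password: a static 6-digit part the user remembers plus a
6-digit code from a 30-second fob. The fob algorithm here is HMAC-based OTP
(RFC 4226 / RFC 6238), which is an assumption: the post does not name one.
Constructed example, not code from the post."""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now) // step, digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """The static part is stored salted and stretched, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TwoPartVerifier:
    """Server-side check of '<static part><fob code>' for one user."""

    def __init__(self, pin_hash: bytes, salt: bytes, secret: bytes,
                 pin_len: int = 6, step: int = 30, drift_steps: int = 1) -> None:
        self.pin_hash = pin_hash
        self.salt = salt
        self.secret = secret             # shared fob seed; protect it at rest like a credential
        self.pin_len = pin_len
        self.step = step
        self.drift_steps = drift_steps   # tolerated fob/server clock skew, in steps
        self.last_counter = -1           # highest counter already accepted (replay guard)

    def verify(self, submitted: str, now: float) -> bool:
        if len(submitted) != self.pin_len + 6 or not submitted.isdigit():
            return False
        pin, code = submitted[:self.pin_len], submitted[self.pin_len:]
        # Evaluate both halves unconditionally so a wrong PIN is not distinguishable by timing.
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        counter = int(now) // self.step
        matched: Optional[int] = None
        for d in range(-self.drift_steps, self.drift_steps + 1):
            c = counter + d
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                matched = c
        if not (pin_ok and matched is not None):
            return False
        self.last_counter = matched      # a code is accepted at most once
        return True


if __name__ == "__main__":
    # Constructed demo: RFC 4226 / 6238 test seed, static part 123456.
    SEED = b"12345678901234567890"
    SALT = b"constructed-salt"
    v = TwoPartVerifier(hash_pin("123456", SALT), SALT, SEED)
    print(v.verify("123456" + totp(SEED, 59), 59))   # True
    print(v.verify("123456" + totp(SEED, 59), 60))   # False: replay of the same code
```

The replay guard is what makes the "only available for 30 seconds" property hold on the server: without `last_counter`, a code captured from a keylogger or shoulder-surfed could be resubmitted anywhere inside the drift window. The seed stored per user is the part that needs the most protection, since whoever holds it can generate every future code.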

    3. Re:On the subject of passwords by Blue23 · · Score: 1

      I'll take a stab at the second part - it's the same reason Captchas are failing. Third world countries can pay pennies an hour to have a real person do something. So the "human answer" questions would just get echoed to someone doing 150 of them an hour from a large number of attacks.

      --
      LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
  35. Never underestimate laziness. by an.echte.trilingue · · Score: 2, Interesting

    If it makes you feel any better, my degree is in International Relations. IT is one of those hobby turned vocation things.

    Also, licensing is no longer an issue, although it once was. We are a 100% Linux shop except for the accountant and the graphic artist, who have some software requirements that Linux does not meet (btw, if anybody knows of a drop-in Linux replacement for WinBooks that would be really helpful; I'm willing to pay).

    Anyway, for the boss it really is not about snooping, it's about laziness. The SMTP password reset was a result of him wanting to be able to log in without having to remember a password. He sends email from other people's accounts because it is easier than having them auto-forward when they leave for a day. It is not just email, he does it with our other systems as well, notably our client management db and the vacancy tracker for our student accommodation.

    Oh, and trust me, the fear thing doesn't work for everybody. I already worked that angle, but laziness takes precedence every time.

    --
    weirdest thing I ever saw: scientology advertising on slashdot.
    1. Re:Never underestimate laziness. by Creepy+Crawler · · Score: 1

      Yuck. That 3rd party specialized niche software... WinBooks. I'm sure it's the same with Adobe Photoshop CS3 for the artist, right?

      Most likely, it's non-functioning within Wine. Your best bet for WinBooks is to just keep it. Instead of running Windows on bare metal, though, run it within VirtualBox so that it can be compartmentalized. That's the best you can expect.

      The best overall solution would be to find a vendor with similar software that runs natively on Linux or another target Unix, but good luck.

      If I were you, I'd just keep things as they were: the users on Linux, accountant on Windows, and graphical artist on Windows/Mac. It sucks, having to support all of them, but that's the breaks. Good luck.

      --
    2. Re:Never underestimate laziness. by SpzToid · · Score: 3, Insightful

      If you have a cheap router on the dd-wrt supported list, you could VLAN the ethernet segment used by your boss, to minimize risk to that segment. It might also prove useful for an 'I told you so' moment later, if he was segmented away somehow.

      Also, what about setting this guy up with a thumb drive scanner, as a more secure method of password entry than now? Certain HP notebooks have this built on the right side.

      If you can't run WinBooks under WINE in something like Ubuntu, then you can try running Windows and WinBooks in a virtual machine (possibly across the network, from an 'application' server), and both VMware and VirtualBox have a feature that makes the Windows OS disappear, while WinBooks is available as a regular Gnome menu item. (Never tried it myself). VMware calls this feature Unity.

      Thank you for your military service.

      --
      You can't be ahead of the curve, if you're stuck in a loop.
    3. Re:Never underestimate laziness. by SpzToid · · Score: 1

      Lotus Notes has a feature called mail delegation. It's commonly used by secretaries managing mail for their boss. Lotus Notes might be too big a change, but seemingly this feature exists in other groupware products too.

      Here's the first article I could find discussing this feature in Evolution. http://library.gnome.org/users/evolution/stable/exchange-settings.html.en

      --
      You can't be ahead of the curve, if you're stuck in a loop.
  36. You sent passwords out in the clear by apparently · · Score: 1

    I once wrote a program that did a weekly dictionary attack (using a standard *nix cracking utility) on the site's passwd file, and then sent out a notice (containing the password, so that it *had* to be changed) to the offending users.

    Good thing you showed them good security practices by sending out passwords in the clear. I don't follow how the notice made sure that they "*had*" to change the password; it would seem that ignoring the notice would work just as well.

    1. Re:You sent passwords out in the clear by painehope · · Score: 1

      Let's see - it's 2009 and someone still thinks that "security by obscurity" is a good thing? Please. Not when any user could run "ypcat -k passwd > /tmp/file.out" from any system and then run a cracker against it.

      No more or less secure than letting a crappy password sit there. Probably more secure, actually, since we at least kept Sendmail patched. Plus the fact that now someone (the IT dept.) knew that user X had a shitty password.

      --
      PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
  37. Re:30 days by TaoPhoenix · · Score: 1

    Yea, this one is true.

    It's a little sneaky though. People go gung ho the first four months, because "we're being more secure".

    Then some six months in it all starts to blur, and people wipe out.

    "What was my password this month... was it xQlaTira? or that other one, YumNioxica? Aw hell, let's just reset it to my cat's name."

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  38. Re:Pseudo passwords by TaoPhoenix · · Score: 1

    Great tip! I'll remember those!

    Maybe I can return the favor.

    I have promoted some takedown of the "fear mentality" that's crept up lately. When we had this discussion once at work, I said "We're just not that interesting for the world class guys. You guys *watched* me log in and you don't recall my password. It's fine."

    While yours is visually too easy, a mnemonic pattern is a great source of passwords that are elementarily robust to cold attacks. If someone in the glass office decides it's worth going hyper about it, get one of those pass-cards with the synched changing password you just look at and type. Oh right - then you have to manage those.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  39. Re:First things first is Cyclic Passwords by Anonymous Coward · · Score: 0

    Well, password length, complexity and 30 day expiration is enforced by Windows. There is also a policy enforced by Windows that one can't use the last 13 passwords.

    So what do humans do? Well, when their favorite password expires, they sit there and guess what? Yep! They change their password 13 times in a row to get back to their original password they are supposed to change! Hmmm, abc+1, abc+2, abc+3..... abc+13, abc Yep, now I've changed it.

    So what did security do when they found out? They set up a policy where the password can only be changed once for that day.

    The user could change it every day for the next 13 days, but... that means it's almost the end of the month again and I'll have to change it again. So why bother, just conform to the policy.
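    The history-cycling trick and the minimum-age counter-measure described in the comment above can be simulated directly. The following is an added example, not code from the post or from Windows: a small password-change policy with a salted history list, a minimum age and a maximum age, plus a simulation that replays "13 throwaway changes, then back to the favourite" and reports how many days the user had to wait. The account name, dates and the `abc` passwords are constructed demo values.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta


class PasswordPolicy:
    """Password history plus minimum and maximum age.

    Prior passwords are stored salted and hashed so the history list itself is not a
    list of plaintexts; a real system would use a slow KDF (bcrypt/scrypt/Argon2)
    rather than a single SHA-256.
    """

    def __init__(self, history_size=13, min_age=timedelta(0), max_age=timedelta(days=30)):
        self.history_size = history_size
        self.min_age = min_age
        self.max_age = max_age

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + password.encode()).digest()

    def new_account(self, password: str, when: datetime) -> dict:
        salt = os.urandom(16)
        return {"history": [(salt, self._hash(password, salt))], "last_change": when}

    def is_expired(self, account: dict, when: datetime) -> bool:
        return when - account["last_change"] >= self.max_age

    def change(self, account: dict, new_password: str, when: datetime):
        """Apply a change request; returns (accepted, reason)."""
        if when - account["last_change"] < self.min_age:
            return False, "minimum age not reached"
        # Only the most recent history_size entries count, as in the comment.
        for salt, digest in account["history"][-self.history_size:]:
            if hmac.compare_digest(self._hash(new_password, salt), digest):
                return False, "password was used recently"
        salt = os.urandom(16)
        account["history"].append((salt, self._hash(new_password, salt)))
        account["last_change"] = when
        return True, "ok"


def days_to_cycle_back(history_size=13, min_age_days=0, give_up_after=60):
    """Simulate the trick: cycle through history_size throwaway passwords and back to
    the favourite. Returns the days waited after the first change, or None if the
    policy blocked the trick (history rejection, or waiting longer than give_up_after)."""
    policy = PasswordPolicy(history_size, timedelta(days=min_age_days))
    t0 = datetime(2009, 1, 1)                      # constructed date
    account = policy.new_account("abc", t0)        # constructed favourite password
    now = t0 + policy.max_age                      # the favourite has just expired
    sequence = [f"abc+{i}" for i in range(1, history_size + 1)] + ["abc"]
    days_waited = 0
    for candidate in sequence:
        accepted, reason = policy.change(account, candidate, now)
        while not accepted and reason == "minimum age not reached":
            now += timedelta(days=1)               # the user comes back tomorrow
            days_waited += 1
            if days_waited > give_up_after:
                return None
            accepted, reason = policy.change(account, candidate, now)
        if not accepted:
            return None
    return days_waited


if __name__ == "__main__":
    print("history only:            back to 'abc' after", days_to_cycle_back(13, 0), "days")
    print("history + 1-day min age: back to 'abc' after", days_to_cycle_back(13, 1), "days")
```

    With history alone the cycle completes in a single sitting; with a one-day minimum age it takes 13 days of coming back, which is the point the comment makes: the user gives up because the next expiry is already close. The history check uses `hmac.compare_digest` so a mismatch is not distinguishable by timing from a near-match.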

  40. How to "get management to read it" by Doghouse+Riley · · Score: 5, Funny

    Send out your IT security analysis (or whatever) with a large, clearly labeled cover page to all the members of management, with a bunch of extra copies to pass out to their assistants.

    Wait 24-48 hours.

    Then send out an emergency communication via phone, e-mail and red-letter memo requiring that ALL COPIES of the IT security analysis be RETURNED TO YOU or SHREDDED immediately.

    You'll get your eyeballs.

    Obviously not to be overused - I've done this three times in a 20+ year career.

  41. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  42. Denial of Responsibility by drolli · · Score: 1

    Usually lack of information security goes hand in hand with organizational structures which developed highly formalized ways to shuffle around responsibility. I work in such a structure. The result is that as long as "some measures are taken" after "an incident" it's ok. However, arguing before an incident about problems is seen as "creating additional trouble".

  43. Bad security is better than no security? by Zerelli · · Score: 1

    That seems to be the motto here where I work. Supposedly, we are audited by a partner but I am amazed that we have not had a major breach of security yet. Default admin password on all the windows images used for desktops, no complex password requirement, passwords changed on a phone call with no challenge to the person's identity, and the list goes on. I have reported each thing I have found but no one responds, so I am officially just waiting to watch the train wreck at this point.

  44. Re:Pseudo passwords by Fulcrum+of+Evil · · Score: 1

    When we had this discussion once at work, I said "We're just not that interesting for the world class guys. You guys *watched* me log in and you don't recall my password. It's fine."

    Passwords aren't everything. Anyway, you don't have to be interesting, just convenient, and crap security means that one of those vulnerability scanning bots will find your network, exploit it, and install something nasty. I'm sure none of the millions of botnet members on cable modems are all that interesting either.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  45. reads like DOE security policy by LazLong · · Score: 1

    Reads like Lawrence Livermore National Lab's approach to computer security, word for word, idea for idea. There, management worries only about "optics," implementing the most simple policies that appear on the surface to the uninitiated to provide some modicum of security. For them security is all about _appearing_ to be in compliance with minimum requirements as quickly and cheaply as possible, rather than doing the hard work of implementing secure systems that meet both the letter and the _intent_ of the regulations.

    Some of the U.S.'s most sensitive nuclear weapons information is protected by chimps. Literally, former secretaries and janitors who moved over to IT for a pay boost. They are hired because they had already received security clearances to hold their previous non-IT related non-technical positions and could quickly and easily be hired into vacant positions that are difficult to fill with qualified individuals hired from the "outside" - meaning from non-government backgrounds. These monkeys have little or no aptitude for IT, and as much relevant education and training. They are hired because management has no respect for IT as a profession and think any moron can do the work. Their philosophy is that it's better to fill the position with an unskilled/untrained individual with a clearance than hire someone with the proper credentials that will wait a year for their security clearance to come through. It has been repeatedly suggested to make attempts at analyzing normal turnover, anticipate hiring requirements, and keep qualified individuals with good IT backgrounds in the security clearance pipeline. These people can be used to fill positions/provide services that don't require a clearance while waiting for the security clearance process to complete. Meanwhile LLNL receives the services of a truly qualified individual, and that individual has time to learn the ropes of operating in a government environment. (During this break-in period the individuals will probably need extra care and feeding to prevent them from fleeing the institution once they realize what they have gotten themselves into....)

    What it really boils down to is that we need to hold government accountable and demand the same level of competence and performance that one sees in successful private enterprise endeavors.

  46. How to Win Friends and Influence People by Anonymous Coward · · Score: 0

    Here is a book that you may want to read:

    http://en.wikipedia.org/wiki/How_to_win_friends_and_influence_people/

    There are chapters dedicated to "getting your way" without the need of authority.

  47. Re:First things first is Cyclic Passwords by hesiod · · Score: 1

    Well password length, complexity and 30 day expiration is enforced by Windows.

    30 days? Holy hell, that's crazy. You must be working with national security secrets, have very few people, your employees are geniuses, or you are resetting passwords constantly, because that would be incredibly irritating and entirely unnecessary.

    FTFA:

    [Don't] Require your users to change passwords too frequently.

  48. My 'favorite' secure workplace by Anonymous Coward · · Score: 0

    Ah, it was fun. Security was either insane or lax, depending on context.

    Password: 5 different subsystems, 5 different password selection criteria. I just adapted to the hardest one and then set all my other passwords to that. Still had to write it down. New password every 28 days, 8 characters or more, at least one nonalphanumeric, mixed case, no dictionary words ANYWHERE. So 7F!n@1iT fails because it contains "it", and is thus vulnerable to a dictionary attack. (Clever programming indeed.)

    File security - okay, until someone screwed up and some of the HR data was dumped in the public network share. I told my supervisor about it, as per security policy, and he ordered me to pretend it never happened and tell no one. Deciding this was completely ludicrous, I walked over to the head of a department whose employee evaluations were visible and said "Hey, you know all your employee evaluations are on the public share?" She marched me to the IT guys and had me point it out to them. Best part? One of her charges - who was notorious for her critical opinion of people - was afraid to go into the parking lot alone for weeks afterward. Apparently what she said about her subordinates behind their backs was orders of magnitude worse than her already-harsh comments to their faces.

    Building security: Passes, guards, etc. And the air pressure in the building in the summer was high enough that the unguarded one-way fire doors were all slightly ajar and could be opened from the outside with a good yank. That set off the alarm, but the alarm went off randomly due to the ajar doors anyway....

  49. I know a guy by duckInferno · · Score: 1

    I know a guy whose workplace has instituted an ...interesting password policy.

    #1 Eight characters only. No more, no less.
    #2 No more than 2 instances of the same character.
    #3 Has to contain at least one numeric digit.

    It's an extreme example, but the more you try and regulate what passwords people can use, the smaller the pool is.

    --
    Fool me once, shame on you. Fool me twice, watch it -- I'm huge!
  50. Oh and by duckInferno · · Score: 1

    After trying to use a pile of secure passwords and getting them refused by the policy, he gave up and jokingly entered 'qwerty123'.

    It worked.

    He used that password until it expired 3 months later and changed it to 'querty124'.

    --
    Fool me once, shame on you. Fool me twice, watch it -- I'm huge!