How To Suck At Information Security
wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with a total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.
"Now if I could only find a way to get management to read it."
I'm sure if you ask them to, they will.
First you make your lips like a doughnut, then you use your cheek muscles to pull inward. It helps to have a lot of spit, and don't be afraid to take as much as you can. Push your limits.
Just wait for the How To Suck At Information Security For Dummies edition.
I know a guy who worked at a place where the system saved passwords as plaintext. So I guess that's the first mistake. He did a query, and 75% of the passwords were in fact "password".
- Expecting others to have read the site linked.
- Expecting the site to dis Microsoft or to have to address this in a comment.
> Now if I could only find a way to get management to read it.
Re-route all web traffic to go to a "I've read and agree to the security policies" page that must be confirmed before they can browse any web sites. Put strong language in there letting them know their jobs are at risk if they break any of the security policies.
I use Windows... like a two dollar wh.. why don't I just go ahead and not finish that sentence.
We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.
InfoSec in nearly all corporate environments breaks down into a couple of basic facts.
1. Do just enough, at the lowest possible price to maintain compliance and then everyone does their best to ignore it because it's all messy overhead costs.
2. Have someone in IT to blame. This is especially true if your title has something to do with infosec.
1 and 2 are a special kind of evil circular logic where the exec blame-shifts to the IT guy for their "buggy" porn-riddled trojaned corporate laptop. In the exec's circle it is always IT's fault.
Switch to Mac? Nope, too expensive. Besides, no one else in corporate culture uses Macs. Linux? What?? Weird people use it, not self-important execs like me. What do you mean there's no IE7? I can't possibly waste time on linkedin and facebook without IE7!!!
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
It's like I'm wearing nothing at all.
nothing at all.
nothing at all.
Put it on twitter...... They'll read it.
Gothmolly wrote:
Not for much longer...
I hate that bank!! I lost $A_LOTTA_FUCKIN_MONEY in one of their ATM machines...
Now if I could only find a way to get management to read it.
Get it published in e-Week or some other "respected" trade publication.
You're right -- these passwords are easy to crack, once you post them to slashdot.
Pictures and bullet points. That's your way in. We all know management can't read.
Convert it to a Powerpoint presentation. Be sure to use words like 'Synergism' and 'Paradigm'.
See these scars? Nimda. See this funny dent in my leg? NT4 SP5... this piece was so true it hurts.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
At my last job, SEVEN MONTHS AGO, I was asked what was needed to make SQL Query hacks impossible.
So I wrote out a long list, and it just sat there on their server for future use in upcoming projects.
Meanwhile, 100,000 sites went down to SQL injection attacks later that month.
I feel like I was writing a guide for recent layoffs for the people who worked there who thought their job was threatened by a new programmer.
And I'm sure my report was ignored by people who actually worked there.
a layer 7 filter
At my job, I'd like to have a layer 8 filter...
Ladies and gentlemen of the board, as you know this mighty corporation is under constant attacks by Dr Evil, SMERSH, the KGB and the Illuminati. I am now at liberty to reveal to you that we have been contacted by the Secret Service, sworn to secrecy, and issued with specially secured, James Bond laptops. Now there's only a few of these super-elite systems to go around, and only the most important people can be allowed the privilege of one of the Super Secure Laptops. So, I'll leave the room now, and you can draw lots to see which of you will have to put up with one of the standard, normal, Windows-based laptops... and who merits inclusion on the Hyper Secure System Program, and gets a 007 laptop.
The joke's on you, I've already moved on to 5tgb%TGB!
Send out your IT security analysis (or whatever) with a large, clearly labeled cover page to all the members of management, with a bunch of extra copies to pass out to their assistants.
Wait 24-48 hours.
Then send out an emergency communication via phone, e-mail and red-letter memo requiring that ALL COPIES of the IT security analysis be RETURNED TO YOU or SHREDDED immediately.
You'll get your eyeballs.
Obviously not to be overused - I've done this three times in a 20+ year career.
That reminds me of a funny email about password rules that was going around, it went like this:
CORPORATE DIRECTIVE NUMBER 88-570471
In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.
RULES FOR THE SELECTION OF PASSWORDS:
1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.
2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.
3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.
4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.
5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.
6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.
7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.
Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.
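The directive above reads like a checklist, and encoding it literally shows why nothing sensible survives it. The following is an added example, not something from the Slashdot thread, the SANS ISC diary, or the original chain mail. The word list for rule 5, the list of names for rule 7, and the simplified QWERTY adjacency model for rule 6 are constructed assumptions; a real dictionary behind rule 5 would reject far more than this toy list does.

```python
"""Encode the parody 'Corporate Directive 88-570471' password rules as checks.

Added example. The word list (rule 5), the name list (rule 7) and the
keyboard layout model (rule 6) are constructed stand-ins, not the real data
such a directive would need.
"""

MONTHS = ["JANUARY", "FEBRUARY", "MARCH", "APRIL", "MAY", "JUNE", "JULY",
          "AUGUST", "SEPTEMBER", "OCTOBER", "NOVEMBER", "DECEMBER"]
MONTH_TOKENS = MONTHS + [m[:3] for m in MONTHS]

# Rule 5 forbids "any words from any language". A tiny constructed list stands
# in for a dictionary; even this short list makes the rule almost impossible.
WORDS = {"A", "I", "AT", "ME", "TO", "IT", "IS", "AN", "OR", "NO", "GO", "SO",
         "BE", "BY", "DO", "HE", "IF", "IN", "ON", "OF", "UP", "US", "WE", "AS",
         "AM", "MY"}

# Rule 7: constructed list of people, places and things, for illustration only.
NAMES = {"JOHN", "BOY", "MARY", "PARIS", "LONDON", "CAR", "DOG"}

# Rule 6: QWERTY letter rows. Two keys count as adjacent when their row and
# column indices each differ by at most one (horizontal, vertical or diagonal).
# This is a simplified model of the staggered physical layout (assumption).
KEY_ROWS = ["QWERTYUIOP", "ASDFGHJKL", "ZXCVBNM"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEY_ROWS) for c, ch in enumerate(row)}


def keys_adjacent(a, b):
    """True if a and b are distinct letter keys next to each other in any direction."""
    if a not in KEY_POS or b not in KEY_POS or a == b:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def violations(password, previous=None):
    """Return the sorted list of directive rule numbers that `password` breaks."""
    pw = password.upper()
    broken = set()
    pairs = list(zip(pw, pw[1:]))

    # Rule 1: at least six characters, no doubled character, no two letters
    # that are consecutive in the alphabet in either direction.
    if len(pw) < 6:
        broken.add(1)
    for x, y in pairs:
        if x == y:
            broken.add(1)
        if x.isalpha() and y.isalpha() and abs(ord(x) - ord(y)) == 1:
            broken.add(1)

    # Rule 2: two or more letters in the same position as the previous password.
    if previous is not None:
        same = sum(1 for x, y in zip(pw, previous.upper()) if x == y)
        if same >= 2:
            broken.add(2)

    # Rule 3: month names or their abbreviations anywhere in the password.
    if any(tok in pw for tok in MONTH_TOKENS):
        broken.add(3)

    # Rule 4: any digit except zero "is the numeric representation of a month".
    if any(ch in "123456789" for ch in pw):
        broken.add(4)

    # Rule 5: no words, checked as substrings against the constructed list.
    if any(word in pw for word in WORDS):
        broken.add(5)

    # Rule 6: no two adjacent characters that are adjacent keys.
    if any(keys_adjacent(x, y) for x, y in pairs):
        broken.add(6)

    # Rule 7: no names of people, places or things (constructed list).
    if any(name in pw for name in NAMES):
        broken.add(7)

    return sorted(broken)


if __name__ == "__main__":
    # The directive's own examples, plus one string that slips through this
    # toy model because its word list is so small.
    samples = ["HGQQXP", "GFEDCB", "MARCHBC", "VWMARBC", "WKBH3LG",
               "QWERTY", "GHNLWT", "HUKWVM", "JOHNBOY", "XQZKXV"]
    for s in samples:
        print(f"{s:8} breaks rules {violations(s)}")
    print("NRPWHS after GKPWTZ breaks", violations("NRPWHS", previous="GKPWTZ"))
```

Every example in the directive trips at least the rule it is quoted for, and most trip two or three at once (MARCHBC also contains the reverse run CB and the diagonal pair HB). The one string the toy model accepts, XQZKXV, only survives because the constructed word list has a couple of dozen entries; against a real dictionary the directive's claim that a single password remains is the kind of thing you would not want to have to disprove.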
If you can't mod them, join them.