How To Suck At Information Security

← Back to Stories (view on slashdot.org)

How To Suck At Information Security

Posted by kdawson on Saturday January 17, 2009 @07:22AM from the words-to-the-wise dept.

wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.

13 of 198 comments (clear)

Min score:

Reason:

Sort:

First things first by NotPeteMcCabe · 2009-01-17 07:24 · Score: 5, Funny

"Now if I could only find a way to get management to read it."

I'm sure if you ask them to, they will.
1. Re:First things first by syousef · 2009-01-17 07:52 · Score: 5, Funny
  
  I'm sure if you ask them to, they will.
  I'm getting a mental image of a boardroom full of executives forced to read the policy out loud at gunpoint by a sysadmin that's gone postal and insists no one will get hurt if they just read the whole thing.
  
  --
  These posts express my own personal views, not those of my employer
2. Re:First things first by Opportunist · 2009-01-17 08:17 · Score: 5, Funny
  
  Here's a sample dialog of how this will probably go down. A few words may be off, but in general, this is how it usually runs:
  IT-Security guy: Here, please read these guidelines.
  Manager: Why? What's that?
  ITS: Security guidelines and rules to increase our security performance.
  M: Hand it to my secretary.
  ITS: It's critical that everyone reads them, knows about them and adheres...
  M: I said, hand it to my secretary!
  ITS: But you, too, have to...
  M: I have to go to a meeting now.
  Goes off to play golf with a business buddy and leaves his laptop in his convertible where it's stolen...
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
3. Re:First things first by _Sprocket_ · 2009-01-17 13:57 · Score: 4, Funny
  
  So why is a person who lacks authority, expecting to assert authority? This is always the part that confuses me.
  It's quite simple, really. If you let those security guys have authority, they start to abuse it. Next thing you know, they're making you change your password, taking away your Bonzai Buddy, and interfering with your opportunities to see hot naked celebrity pics.
well.. by Anonymous Coward · 2009-01-17 07:26 · Score: 3, Funny

First you make your lips like a doughnut then you use your cheek muscles to pull inward. It helps to have a lot of spit. and dont be afraid to take as much as you can. push your limits
Let people make their password "password" by kbrasee · 2009-01-17 07:31 · Score: 3, Funny

I know a guy who worked at a place where the system saved passwords as plaintext. So I guess that's the first mistake. He did a query, and 75% of the passwords were in fact "password".
Don't do background checks on new IT hires by IvyKing · 2009-01-17 07:48 · Score: 4, Funny

We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.
Re:The people learn fast. by commodoresloat · 2009-01-17 08:48 · Score: 3, Funny

You're right -- these passwords are easy to crack, once you post them to slashdot.
Powerpoint by kybred · 2009-01-17 08:51 · Score: 4, Funny

Pictures and bullet points. That's your way in. We all know management can't read.
Convert it to a Powerpoint presentation. Be sure to use words like 'Synergism' and 'Paradigm'.
Re:Typo? by jonaskoelker · 2009-01-17 10:43 · Score: 3, Funny

a layer 7 filter
At my job, I'd like to have a layer 8 filter...
Reverse psychology by Cally · 2009-01-17 10:56 · Score: 4, Funny

Ladies and gentlemen of the board, as you know this mighty corporation is under constant attacks by Dr Evil, SMERSH, the KGB and the Illuminati. I am now at liberty to reveal to you that we have been contacted by the Secret Service, sworn to secrecy, and issued with specially secured, James Bond laptops. Now there's only a few of these super-elite systems to go around, and only the most important people can be allowed the privilege of one of the Super Secure Laptops. So, I'll leave the room now, and you can draw lots to see which of you will have to put up with one of the standard, normal, Windows-based laptops... and who merits inclusion on the Hyper Secure System Program, and gets a 007 laptop.

--
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Re:The people learn fast. by Neoprofin · 2009-01-17 12:29 · Score: 4, Funny

The jokes on you, I've already moved on to 5tgb%TGB!
How to "get management to read it" by Doghouse+Riley · 2009-01-17 15:33 · Score: 5, Funny

Send out your IT security analysis (or whatever) with a large, clearly labeled cover page to all the members of management, with a bunch of extra copies to pass out to their assistants.

Wait 24-48 hours.

Then send out an emergency communication via phone, e-mail and red-letter memo requiring that ALL COPIES of the IT security analysis be RETURNED TO YOU or SHREDDED immediately.

You'll get your eyeballs.

Obviously not to be overused - I've done this three times in a 20+ year career.