Slashdot Mirror


How To Suck At Information Security

wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with a total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.

9 of 198 comments

  1. First things first by NotPeteMcCabe · · Score: 5, Funny

    "Now if I could only find a way to get management to read it."

    I'm sure if you ask them to, they will.

    1. Re:First things first by syousef · · Score: 5, Funny

      "I'm sure if you ask them to, they will."

      I'm getting a mental image of a boardroom full of executives forced to read the policy out loud at gunpoint by a sysadmin that's gone postal and insists no one will get hurt if they just read the whole thing.

      --
      These posts express my own personal views, not those of my employer
    2. Re:First things first by Opportunist · · Score: 5, Funny

      Here's a sample dialog of how this will probably go down. A few words may be off, but in general, this is how it usually runs:

      IT-Security guy: Here, please read these guidelines.
      Manager: Why? What's that?
      ITS: Security guidelines and rules to increase our security performance.
      M: Hand it to my secretary.
      ITS: It's critical that everyone reads them, knows about them and adheres...
      M: I said, hand it to my secretary!
      ITS: But you, too, have to...
      M: I have to go to a meeting now.

      Goes off to play golf with a business buddy and leaves his laptop in his convertible where it's stolen...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:First things first by _Sprocket_ · · Score: 4, Funny

      "So why is a person who lacks authority, expecting to assert authority? This is always the part that confuses me."

      It's quite simple, really. If you let those security guys have authority, they start to abuse it. Next thing you know, they're making you change your password, taking away your Bonzai Buddy, and interfering with your opportunities to see hot naked celebrity pics.

  2. Don't do background checks on new IT hires by IvyKing · · Score: 4, Funny

    We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.

  3. Powerpoint by kybred · · Score: 4, Funny

    Pictures and bullet points. That's your way in. We all know management can't read.

    Convert it to a Powerpoint presentation. Be sure to use words like 'Synergism' and 'Paradigm'.

  4. Reverse psychology by Cally · · Score: 4, Funny

    Ladies and gentlemen of the board, as you know this mighty corporation is under constant attack by Dr Evil, SMERSH, the KGB and the Illuminati. I am now at liberty to reveal to you that we have been contacted by the Secret Service, sworn to secrecy, and issued with specially secured James Bond laptops. Now there are only a few of these super-elite systems to go around, and only the most important people can be allowed the privilege of one of the Super Secure Laptops. So, I'll leave the room now, and you can draw lots to see which of you will have to put up with one of the standard, normal, Windows-based laptops... and who merits inclusion on the Hyper Secure System Program, and gets a 007 laptop.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  5. Re:The people learn fast. by Neoprofin · · Score: 4, Funny

    The joke's on you, I've already moved on to 5tgb%TGB!

  6. How to "get management to read it" by Doghouse Riley · · Score: 5, Funny

    Send out your IT security analysis (or whatever) with a large, clearly labeled cover page to all the members of management, with a bunch of extra copies to pass out to their assistants.

    Wait 24-48 hours.

    Then send out an emergency communication via phone, e-mail and red-letter memo requiring that ALL COPIES of the IT security analysis be RETURNED TO YOU or SHREDDED immediately.

    You'll get your eyeballs.

    Obviously not to be overused - I've done this three times in a 20+ year career.