Slashdot Mirror


How To Suck At Information Security

wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with a total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.

4 of 198 comments

  1. First things first by NotPeteMcCabe · Score: 5, Funny

    "Now if I could only find a way to get management to read it."

    I'm sure if you ask them to, they will.

    1. Re:First things first by syousef · Score: 5, Funny

      I'm sure if you ask them to, they will.

      I'm getting a mental image of a boardroom full of executives forced to read the policy out loud at gunpoint by a sysadmin that's gone postal and insists no one will get hurt if they just read the whole thing.

      --
      These posts express my own personal views, not those of my employer
    2. Re:First things first by Opportunist · Score: 5, Funny

      Here's a sample dialog of how this will probably go down. A few words may be off, but in general, this is how it usually runs:

      IT-Security guy: Here, please read these guidelines.
      Manager: Why? What's that?
      ITS: Security guidelines and rules to increase our security performance.
      M: Hand it to my secretary.
      ITS: It's critical that everyone reads them, knows about them and adheres...
      M: I said, hand it to my secretary!
      ITS: But you, too, have to...
      M: I have to go to a meeting now.

      Goes off to play golf with a business buddy and leaves his laptop in his convertible where it's stolen...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. How to "get management to read it" by Doghouse Riley · Score: 5, Funny

    Send out your IT security analysis (or whatever) with a large, clearly labeled cover page to all the members of management, with a bunch of extra copies to pass out to their assistants.

    Wait 24-48 hours.

    Then send out an emergency communication via phone, e-mail and red-letter memo requiring that ALL COPIES of the IT security analysis be RETURNED TO YOU or SHREDDED immediately.

    You'll get your eyeballs.

    Obviously not to be overused - I've done this three times in a 20+ year career.