How To Suck At Information Security
wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with a total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.
Security:
* Focus on widgets, while omitting to consider the importance of maintaining accountability.
Can someone clarify?
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
Wow: airing an idea about click-through EULAs on ./
Are you by any chance doing field trials for fireproof pants?
Indeed! A team of IT admins should just lay down a system that doesn't allow it to be used otherwise. Just encrypt all information on any device and computer and give the boss the password on a piece of paper. Make sure all newly bought IT devices pass through the IT department before they get into anyone's hands in order to 'prepare all technology for safe and secure use'. Take care of the rest of all the problems the same way. Now get some superior/boss to allow you to set up an IT helpdesk 'in order to increase efficiency and security and speed up the problem solving process'. After that's done you'll inform the IT helpdesk personnel of everything they need to know on how to 'help users in fixing computer issues' *cough*how to change their password so they can log in again after four months*cough*.
If you feel so smart and intelligent then find a smart and intelligent way of dealing with 'dumb' issues.
Here be signatures