Slashdot Mirror


How To Suck At Information Security

wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with a total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.

3 of 198 comments

  1. It's just about everyone's policy. by khasim · Score: 5, Insightful

    Because most of the things in that list fall under "CYA" for the CxOs.

    They don't know what information security is. They aren't interested in learning about it. They want to have it provided the same way that electricity and water are provided.

    Given that, they'd much rather have a list of checkboxes that their "consultant" can show them (and the auditors) that "proves" that they're doing what is required.

    If something happens, they have the list of checkboxes and they'll fire the consultant and get a different one.

    They have successfully covered their asses and their jobs are the only things that are secure.

  2. Getting management on board is critical by an.echte.trilingue · Score: 5, Insightful

    The management is everything.

    I currently do the IT for a small business to pay the bills while I am in grad school. The hardest thing for me has been to get the owner on board with a sane security policy. When I walked in the door, the business used the same username and password for all 22 of the desktops, the one email account (that everybody shared!), the web server, the online bank account, everything. I was able to get all the employees on board with my security plans mostly because I explained what I wanted to do and why, and what it would do for the company... and they were happy to be getting separate email accounts.

    Then there is the boss. I explained my reasons for wanting a better security policy when I came on board. We sat down together and discussed different options, and he always gave me his approval. I thought everything was gravy, but I seriously overestimated his give-a-shit factor.

    For obvious reasons, he wants to have administrator access to all of our systems (we are small enough that that is reasonable). At one point our info@ account started spewing spam and got our IP blacklisted for a couple of days. The reason? The boss had changed the SMTP password to 4. He regularly demands that his employees give him their email passwords and proceeds to send email in their names. In general he is just a walking nightmare.

    Of course, before long the other employees began picking up on his nonchalance, and they stopped bothering with security, too. Basically, due to his behavior, the architecture that should have given them a reasonable amount of professional privacy and accountability/deniability totally failed. I think this is really key: users are in general not stupid. Generally they are smart enough to understand the "why" behind security and follow through on it. You have to have systems in place to catch the bad apples, but that is about it. However, one stupid manager can ruin everything.

    I wouldn't care either, except that I have to clean up the messes this situation makes. This job is ultimately important for my resume (first post-military employment), and I don't want to make the news for record data loss.

    God, I can't wait till I graduate.

    --
    weirdest thing I ever saw: scientology advertising on slashdot.

  3. Re:First things first by fishbowl · Score: 5, Insightful

    So why is a person who lacks authority expecting to assert authority? This is always the part that confuses me. Authority does not come from below, and it's that simple. Get authority (promotion, getting an authoritative position in the first place, etc.) or start a business. But don't expect, *ever*, to have anyone follow your orders if you aren't in a position to decrease or eliminate their paycheck. And don't act like this is hard to understand, because it isn't.

    --
    -fb Everything not expressly forbidden is now mandatory.