How To Suck At Information Security
wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with a total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.
I work for $LARGE_US_BANK and our Infosuck guys do exactly all these things. Manage by magazine article, hire 'architects' who think portscanning is the same as pen-testing, and come up with policy upon policy that tries to limit what people can do - it does so mostly by limiting the work people can do.
This thing nails it.
I want to delete my account but Slashdot doesn't allow it.
I once wrote a program that did a weekly dictionary attack (using a standard *nix cracking utility) on the site's passwd file, and then sent out a notice (containing the password, so that it *had* to be changed) to the offending users and the head of IT (I was in another department, but had root access since I ran the majority of the gear).
Needless to say, it didn't make me very popular. But it sure as fuck made my point, both to management and to the users.
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
They'd just modify their password to meet the minimum requirement to avoid your detection. Usually by taking the passwords they already use and prepending or appending whatever will get them past the scan. And then ALWAYS using that same technique.
_9%january
_9%february
_9%march
Yes, it appears to be more secure ... until you realize that you don't have to crack the CURRENT password. You can crack any of the sequence and then have a pretty good idea what the current one is.
People hate passwords and they particularly hate passwords that they have to change every 30 days or so. So they'll find a way to (unintentionally) break your security just to make their life easier.
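The rotation pattern described in the post above (same base with a month name or a digit bumped each cycle) is easy to catch at password-change time, when the system has both the old and the new cleartext. The following is an added example, not code from the SANS diary or from any commenter: a history check that normalizes away month names and the digit/symbol runs users bolt on, then rejects a new password that is only a trivial variant of a previous one. The normalization rules, thresholds and sample passwords are all assumptions constructed for the demonstration.

```python
"""Reject new passwords that are predictable variants of earlier ones.

Assumed deployment: called from the password-change path, where the user has
just authenticated with the old password, so its cleartext is available for
comparison. Only the heuristics below are demonstrated; the 0.75 similarity
threshold and the normalization rules are assumptions, not a standard.
"""
import re
from difflib import SequenceMatcher
from typing import List, Optional

# Full month names come before abbreviations so "january" is not left as "uary".
# Heuristic: "may" also matches inside words such as "maybe"; accepted trade-off.
MONTH_RE = re.compile(
    r"(january|february|march|april|may|june|july|august|september|october|"
    r"november|december|jan|feb|mar|apr|jun|jul|aug|sept|sep|oct|nov|dec)",
    re.IGNORECASE,
)

REASON_REUSE = "reuses a previous password"
REASON_DECORATION = "differs from a previous password only by digits, symbols or a month name"
REASON_CONTAINS = "contains (or is contained in) a previous password"
REASON_SIMILAR = "too similar to a previous password"


def normalize(pw: str) -> str:
    """Lowercase, drop month names, strip leading/trailing digit and symbol runs."""
    s = MONTH_RE.sub("", pw.lower())
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of matching characters between two strings."""
    return SequenceMatcher(None, a, b).ratio()


def why_rejected(new_pw: str, history: List[str]) -> Optional[str]:
    """Return a rejection reason if new_pw is a variant of any password in history, else None."""
    new_norm = normalize(new_pw)
    for old in history:
        if new_pw.lower() == old.lower():
            return REASON_REUSE
        old_norm = normalize(old)
        # "_9%january" and "_9%february" both normalize to "" and so are caught here,
        # as are "Summer2008!" -> "summer" and "Summer2009!" -> "summer".
        if new_norm == old_norm:
            return REASON_DECORATION
        if len(new_norm) >= 4 and (new_norm in old_norm or old_norm in new_norm):
            return REASON_CONTAINS
        if similarity(new_pw.lower(), old.lower()) >= 0.75:
            return REASON_SIMILAR
    return None


if __name__ == "__main__":
    # Constructed sample: the month-rotation sequence from the discussion.
    history = ["_9%january", "_9%february"]
    for candidate in ["_9%march", "Summer2009!", "Tr0ub4dor&3"]:
        print(candidate, "->", why_rejected(candidate, history) or "accepted")
```

The check only helps if it runs where the old cleartext exists (the change flow); a hashed history can catch exact reuse but not these near-misses. Pair it with a ban on the rotation-driving policy itself: if passwords only expire on evidence of compromise, users have far less incentive to invent a sequence in the first place.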
If I'm reading it correctly, they mean:
"Seeking a non-existent silver bullet (shiny object syndrome) while not considering that part of the solution is to follow known good practices".
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
Funny that you mention it, I did the same when I was working for a company that, let's say, should be very security conscious. Not an hour after I sent out those letters (I was the IT department head, so there wasn't anyone but the respective users to mail to) I was called upstairs and my boss (who apparently got one of the mails as well, I don't know, it was automated and I wrote it so that only the system and the person with the insecure password knew that their password was easily hackable) told me in very unmistakable terms that I would be fired if I tried to hack our own system again.
Trying to explain that it is in my job description to ensure corporate security and that insecure passwords are a severe security risk did not help. He wanted security to be comfortable and nothing to worry about, and certainly not something that would require him to have anything to do with it.
I handed in my 2 weeks notice the very same day. It was a very well paying job, but I somehow felt that I would be fired eventually anyway when (not if) the company had to deal with a security breach. It did happen to my replacement not a year later, and I guess it doesn't look good on your resume if you're dealing in IT security and have to admit you were fired for a severe security breach.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.