Slashdot Mirror
How To Suck At Information Security
wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.
"Now if I could only find a way to get management to read it."
I'm sure if you ask them to, they will.
Security:
* Focus on widgets, while omitting to consider the importance of maintaining accountability.
Can someone clarify?
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
First you make your lips like a doughnut then you use your cheek muscles to pull inward. It helps to have a lot of spit. and dont be afraid to take as much as you can. push your limits
I work for $LARGE_US_BANK and our Infosuck guys do exactly all these things. Manage by magazine article, hire 'architects' who think portscanning is the same as pen-testing, and come up with policy upon policy that tries to limit what people can do - it does by mostly limiting the work people can do.
This thing nails it.
I want to delete my account but Slashdot doesn't allow it.
I know a guy who worked at a place where the system saved passwords as plaintext. So I guess that's the first mistake. He did a query, and 75% of the passwords were in fact "password".
- Expecting others to have read the site linked.
- Expecting the site to dis Microsoft or to have to address this in a comment.
> Now if I could only find a way to get management to read it.
Re-route all web traffic to go to a "I've read and agree to the security policies" page that must be confirmed before they can browse any web sites. Put strong language in there letting them know their jobs are at risk if they break any of the security policies.
I use Windows... like a two dollar wh.. why don't I just go ahead and not finish that sentence.
I found an issue originally as it applies to free webhosts, but would probably apply to all the companies the other article says are gonna croak by 2010.
Step 1. "Register with your full real information! We need this info because we're gonna micropay you for _____ ." (Sorta true - they would need a mechanism to transfer actual payments. Assume they are legit and not a Nigerian scam.)
Step 2. "Bah, we know we never had a business plan, so we're gonna shut down."
Step 3. "Oh look, we just chucked our assets for $1000 on ebay without actually taking care to secure them. Now someone has your info."
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Because most of the things in that list fall under "CYA" for the CxO's.
They don't know what information security is. They aren't interested in learning about it. They want to have it provided the same way that electricity and water is provided.
Given that, they'd much rather have a list of checkboxes that their "consultant" can show them (and the auditors) that "proves" that they're doing what is required.
If something happens, they have the list of checkboxes and they'll fire the consultant and get a different one.
They have successfully covered their asses and their jobs are the only things that are secure.
We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.
They'd just modify their password to meet the minimum requirement to avoid your detection. Usually by taking the passwords they already use and prepending or appending whatever will get them past the scan. And then ALWAYS using that same technique.
_9%january
_9%february
_9%march
Yes, it appears to be more secure ... until you realize that you don't have to crack the CURRENT password. You can crack any of the sequence and then have a pretty good idea what the current one is.
People hate passwords and they particularly hate passwords that they have to change every 30 days or so. So they'll find a way to to (unintentionally) break your security just to make their life easier.
InfoSec in nearly all corporate environments breaks down into a couple of basic facts.
1. Do just enough, at the lowest possible price to maintain compliance and then everyone does their best to ignore it because it's all messy overhead costs.
2. Have someone in IT to blame. This is especially true if your title has something to do with infosec.
1 and 2 are a special kind of evil circular logic where the exec blame-shifts to the IT guy for their "buggy" porn-riddled trojaned corporate laptop. In the exec's circle it is always IT's fault.
Switch to Mac? Nope, too expensive. Besides, no one else in corporate culture uses Macs. Linux? What?? Weird people use it, not self-important execs like me. What do you mean there's no IE7? I can't possibly waste time on linkedin and facebook without IE7!!!
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Power without responsibility, though, is a nightmare.
My personal pet peeve is managers who demand full access rights for their accounts while at the same time ignoring any security standards. It pretty much fits into the "security guidelines that don't apply to executives" problem.
It usually takes a very long time to explain why limited rights are actually good for you. What usually works out is to tell people that you cannot be blamed for anything you don't have privileges for. If something goes wrong, you can push responsibility away and claim you couldn't be responsible for it because you simply didn't have the permissions necessary to do it.
Believe it or not, this argument is way stronger than any increased security you could use as an argument.
At the same time I pity everyone who has to work in such an environment, where people are actually more concerned with covering their backs and blame shifting games rather than overall performance increase and setting security standards.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's like I'm wearing nothing at all.
nothing at all.
nothing at all.
The management is everything.
I currently do the IT for a small business to pay the bills while I am in grad school. The hardest thing for me has been to get the owner on board with a sane security policy. When I walked in the door, the business used the same username and password for all 22 of the desktops, the one email account (that everybody shared!), the web server, the online bank account, everything. I was able to get all the employees on board with my security plans mostly because I explained what I wanted to do and why, and what it would do for the company... and they were happy to be getting separate email accounts.
Then there is the boss. I explained my reasons for wanting a better security policy when I came on board. We sat down together and discussed different options, and he always gave me his approval. I thought everything was gravy, but I seriously overestimated his give-a-shit factor.
For obvious reasons, he wants to have administrator access to all of our systems (we are small enough that that is reasonable). At one point our info@ account started spewing spam and got our IP blacklisted for a couple of days. The reason? the boss had changed the stmp password to 4. He regularly demands that his employees give him their email passwords and proceeds to send email in their names. In general he is just a walking nightmare.
Of course, before long the other employees began picking up on his nonchalance, and they stopped bothering with security, too. Basically, due to his behavior, the architecture that should have given them a reasonable amount of professional privacy and accountability/deniability totally failed. I think this is really key: users are in general not stupid. Generally they are smart enough to understand the "why" behind security and follow through on it. You have to have systems in place to catch the bad apples, but that is about it. However, one stupid manager can ruin everything.
I wouldn't care either, except that I have to clean up the messes this situation makes. This job is ultimately important for my resume (first post military employment), and I don't want to make the news for record data loss.
God, I can't wait till I graduate.
weirdest thing I ever saw: scientology advertising on slashdot.
Pictures and bullet points. That's your way in. We all know management can't read.
Convert it to a Powerpoint presentation. Be sure to use words like 'Synergism' and 'Paradigm'.
See these scars? Nimda. See this funny dent in my leg? NT4 SP5... this piece was so true it hurts.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
"Assume all potential attacks will come across the network or internet and disregard direct physical access to the hardware"
The biggest problem with security is often that the IT people don't understand what the computers are actually used for. And worse: Don't even want to know. They have converted their IT job into a cargo cult.
They then define security policy as the unilateral invention of the IT department, stressing how to be secure as opposed to how to work securely. Ignoring that the best way to be secure is to pull the plug, of course, as that would put them out of a job as well.
The result is usually an IT policy that conflicts with getting work done, and therefore is undermined by employees at every opportunity. Overall security result: Zero. But lots of mutual loathing and recrimination.
In some fields this is frighteningly common. I've been in debate sessions with a few score of colleagues, most of them working with competing firms, and found them in universal agreement that their IT department was hopeless and they would be better off doing everything themselves. Several of them had already set up their own systems, quick and dirty and probably with pretty poor security. But it worked for them, which is all what mattered to them --- at the time.
The lesson is: Always define your IT policies, security and others, together with the users. Especially the heavier consumers of IT resources and the users with the most skills, for they have the know-how to bust the security systems, and their example will be followed by their peers. Make sure policies are acceptable to everyone and the logic behind them is well understood.
Secondly, make sure to always be there to offer help when someone has a problem that needs to be solved. You want to be part of that solution. And never, never say that it just can't be done.
You forgot the part where the Manager doesn't tell anyone about the theft for a few days while trying to cover it up.
A few days without IT being able to change passwords, watch for break-ins, etc.
At my last job, SEVEN MONTHS AGO, I was asked what was needed to make SQL Query hacks impossible.
So I wrote out a long list, and it just sat there on their server for future use in upcoming projects.
Meanwhile, 100,000 sites went done to SQL Injection attacks later that month.
I feel like I was writing a guide for recent layoffs for the people who worked there who thought their job was threatened by a new programmer.
And I'm sure my report was ignored by people who actually worked there.
Ladies and gentlemen of the board, as you know this mighty corporation is under constant attacks by Dr Evil, SMERSH, the KGB and the Illuminati. I am now at liberty to reveal to you that we have been contacted by the Secret Service, sworn to secrecy, and issued with specially secured, James Bond laptops. Now there's only a few of these super-elite systems to go around, and only the most important people can be allowed the privilege of one of the Super Secure Laptops. So, I'll leave the room now, and you can draw lots to see which of you will have to put up with one of the standard, normal, Windows-based laptops... and who merits inclusion on the Hyper Secure System Program, and gets a 007 laptop.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
If it makes you feel any better, my degree is in International Relations. IT is one of those hobby turned vocation things.
Also, licensing is no longer an issue, although it once was. We are a 100% linux shop except for the accountant and the graphic artist, who have some software requirements that linux does not meet (btw, if anybody knows of a drop in linux replacement for winbooks that would be really helpful; I'm willing to pay).
Anyway, for the boss it really is not about snooping, its about laziness. The stmp password reset was a result of him wanting to be able to log in without having to remember a password. He sends email from other people's accounts because it is easier than having them auto-forward when they leave for a day. It is not just email, he does it with our other systems as well, notably our client management db and the vacancy tracker for our student accommodation.
Oh, and trust me, the fear thing doesn't work for everybody. I already worked that angle, but laziness takes precedence every time.
weirdest thing I ever saw: scientology advertising on slashdot.
Send out your IT security analysis (or whatever) with a large, clearly labeled cover page to all the members of management, with a bunch of extra copies to pass out to their assistants.
Wait 24-48 hours.
Then send out an emergency communication via phone, e-mail and red-letter memo requiring that ALL COPIES of the IT security analysis be RETURNED TO YOU or SHREDDED immediately.
You'll get your eyeballs.
Obviously not to be overused - I've done this three times in a 20+ year career.