Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Suck At Information Security

Posted by kdawson on from the words-to-the-wise dept.

wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.

42 of 198 comments (clear)

  1. First things first by NotPeteMcCabe · · Score: 5, Funny

    "Now if I could only find a way to get management to read it."

    I'm sure if you ask them to, they will.

    1. Re:First things first by syousef · · Score: 5, Funny

      I'm sure if you ask them to, they will.

      I'm getting a mental image of a boardroom full of executives forced to read the policy out loud at gunpoint by a sysadmin that's gone postal and insists no one will get hurt if they just read the whole thing.

      --
      These posts express my own personal views, not those of my employer
    2. Re:First things first by Opportunist · · Score: 5, Funny

      Here's a sample dialog of how this will probably go down. A few words may be off, but in general, this is how it usually runs:

      IT-Security guy: Here, please read these guidelines.
      Manager: Why? What's that?
      ITS: Security guidelines and rules to increase our security performance.
      M: Hand it to my secretary.
      ITS: It's critical that everyone reads them, knows about them and adheres...
      M: I said, hand it to my secretary!
      ITS: But you, too, have to...
      M: I have to go to a meeting now.

      Goes off to play golf with a business buddy and leaves his laptop in his convertible where it's stolen...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:First things first by fishbowl · · Score: 5, Insightful

      So why is a person who lacks authority, expecting to assert authority? This is always the part that confuses me. Authority does not come from below, and it's that simple. Get authority (promotion, getting an authoritative position in the first place, etc.) or start a business. But don't expect, *ever*, to have anyone follow your orders if you aren't in a position to decrease or eliminate their paycheck. And don't act like this is hard to understand, because it isn't.

      --
      -fb Everything not expressly forbidden is now mandatory.
    4. Re:First things first by Stormwatch · · Score: 4, Insightful

      Indeed! A boss, act rationally according to the information presented, rather than act according to ranks in the ape troop hierarchy? INCONCEIVABLE!

      --
      Circumcision is child abuse.
    5. Re:First things first by V!NCENT · · Score: 3, Informative

      Indeed! A team of IT admins should just lay down a system that doesn't allow it to be used otherwise. Just encrypt all information on any device and computer and give the boss the password on a piece of paper. Make sure all newly bought IT devices passes through the IT department before it gets into anyones hands in order to 'prepare all technology for safe and secure use'. Take care of the rest of all the problems the same way. Now get some superior/boss to allow you to set up an IT helpdesk 'in order to increase effiency and security and speed up the problem solving process'. After that's done you'll inform the IT helpdesk personell of everything they need to know on how to 'help users in fixing computer issues' *cough*how to change their password so they can login again after four months*cough*.

      If you feel so smart and intelligent then find a smart and intelligent way of dealing with 'dumb' issues.

      --
      Here be signatures
    6. Re:First things first by Epistax · · Score: 3, Interesting

      That doesn't make sense. Unless the tech guy is above the pay guy, the pay guy should not listen to the tech's security advice, and unless the pay guy is above the tech guy, the tech guy should not listen to the pay guy's advice on how to fill out time sheets? Expertise = authority. Power to fire might appear to be authority, but it isn't. All having power means is that you expect respect. I've never had a problem telling a boss when they are wrong, but you can be sure I'm nice about it.

    7. Re:First things first by Opportunist · · Score: 3, Insightful

      That's in a nutshell what is the problem here. You get hired as CISO only to find out that your spiffy CISO title means jack. I mean, besides getting the blame shifted on you, and you alone, when (not if, when) hell breaks lose.

      If you want security, give your CISO the ability to enforce it. Else you're just looking for a scapegoat, and you could get that kind of person cheaper than for my salary. Besides, I won't sit and wait until it happens. Implement my rules and I take the blame if they fail. Then I fucked up and should be responsible for it. Or ignore my rules and I won't take responsibilty for anything. It's simple as that. But if you're only looking for the latter, take a trip to the unemployment office and get the first idiot that crosses your way. He's cheaper than me, and if you don't follow the security guidelines I lay out, he's pretty much as good as me. Just way cheaper.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:First things first by _Sprocket_ · · Score: 4, Funny

      So why is a person who lacks authority, expecting to assert authority? This is always the part that confuses me.

      It's quite simple, really. If you let those security guys have authority, they start to abuse it. Next thing you know, they're making you change your password, taking away your Bonzai Buddy, and interfering with your opportunities to see hot naked celebrity pics.

    9. Re:First things first by centuren · · Score: 3, Insightful

      Re-title your executive security memo to something along the lines of "Avoiding personal liability concerning security breaches through executive negligence." If an executive isn't interested in security measures, he or she (like a corporation as a whole) will be more likely to pay attention to what measures are needed to cover his or her own ass in the case of a breach.

  2. well.. by Anonymous Coward · · Score: 3, Funny

    First you make your lips like a doughnut then you use your cheek muscles to pull inward. It helps to have a lot of spit. and dont be afraid to take as much as you can. push your limits

  3. Hey, that's OUR corporate policy !!1! by Gothmolly · · Score: 5, Interesting

    I work for $LARGE_US_BANK and our Infosuck guys do exactly all these things. Manage by magazine article, hire 'architects' who think portscanning is the same as pen-testing, and come up with policy upon policy that tries to limit what people can do - it does by mostly limiting the work people can do.

    This thing nails it.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Hey, that's OUR corporate policy !!1! by sholsinger · · Score: 5, Interesting

      I work for $LARGE_US_DEFENSE_INSTALLATION where the policies are in place, nobody follows them, and the 2 guys that are in charge of risk and infosec are so overloaded with "password reset" requests that they can't even look at the performance of those policies. Furthermore, if they wanted to change something, they'd have to wait for a bi-weekly configuration control board meeting, where the four other division chiefs would quickly shut down any project they propose because it would be too much work. and their people already have too much on their plates, etc... you name it. Its happening there.

  4. Let people make their password "password" by kbrasee · · Score: 3, Funny

    I know a guy who worked at a place where the system saved passwords as plaintext. So I guess that's the first mistake. He did a query, and 75% of the passwords were in fact "password".

    1. Re:Let people make their password "password" by painehope · · Score: 4, Interesting

      I once wrote a program that did a weekly dictionary attack (using a standard *nix cracking utility) on the site's passwd file, and then sent out a notice (containing the password, so that it *had* to be changed) to the offending users and the head of IT (I was in another department, but had root access since I ran the majority of the gear).

      Needless to say, it didn't make me very popular. But it sure as fuck made my point, both to management and to the users.

      --
      PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
    2. Re:Let people make their password "password" by SirLurksAlot · · Score: 3, Interesting

      I'm surprised they didn't fire you after the first time. Most management types would see that as a threat and a violation of their security policy rather than a dedicated employee trying to make a point about security.

      --
      God, schmod. I want my monkey man!
    3. Re:Let people make their password "password" by MoonBuggy · · Score: 4, Insightful

      The problem with many password rules is that you're often trading a moderately difficult technical attack for a fairly simple social attack.

      It doesn't matter that your users have to chose a password that'd take 10^15 years to crack if 90% of them then have to keep it written on a post-it stuck to their monitor just to remember how to log in every morning.

    4. Re:Let people make their password "password" by Opportunist · · Score: 4, Interesting

      Funny that you mention it, I did the same when I was working for a company that, let's say, should be very security conscious. No hour after I sent out those letters (I was the IT department head, so there wasn't anyone but the respective users to mail to) I was called upstairs and my boss (who appearantly got one of the mails as well, I don't know, it was automated and I wrote it so that only the system and the person with the insecure password knew that their password was easily hackable) told me in very unmistakable terms that I will be fired if I try to hack our own system again.

      Trying to explain that it is in my job description to ensure corporate security and that insecure passwords are a severe security risk did not help. He wanted security to be comfortable and nothing to worry about, and certainly not something that would require him to have anything to do with it.

      I handed in my 2 weeks notice the very same day. It was a very well paying job, but I somehow felt that I will be fired eventually anyway when (not if) the company has to deal with a security breach. It did happen to my replacement no year later, and i guess it doesn't look good on your resume if you're dealing in IT security and have to admit you were fired for a severe security breach.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. New topic on the theme by TaoPhoenix · · Score: 3, Insightful

    I found an issue originally as it applies to free webhosts, but would probably apply to all the companies the other article says are gonna croak by 2010.

    Step 1. "Register with your full real information! We need this info because we're gonna micropay you for _____ ." (Sorta true - they would need a mechanism to transfer actual payments. Assume they are legit and not a Nigerian scam.)

    Step 2. "Bah, we know we never had a business plan, so we're gonna shut down."

    Step 3. "Oh look, we just chucked our assets for $1000 on ebay without actually taking care to secure them. Now someone has your info."

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  6. It's just about everyone's policy. by khasim · · Score: 5, Insightful

    Because most of the things in that list fall under "CYA" for the CxO's.

    They don't know what information security is. They aren't interested in learning about it. They want to have it provided the same way that electricity and water is provided.

    Given that, they'd much rather have a list of checkboxes that their "consultant" can show them (and the auditors) that "proves" that they're doing what is required.

    If something happens, they have the list of checkboxes and they'll fire the consultant and get a different one.

    They have successfully covered their asses and their jobs are the only things that are secure.

    1. Re:It's just about everyone's policy. by cbiltcliffe · · Score: 3, Insightful

      Because that leads to the mentality of:

      "All our boxes are checked, therefore we are completely secure."

      And then they sit on their ass until they get hacked, because they never think about all the checkboxes that aren't on the list, or have been added since it was compiled.

      If you want to compile a checklist every day, sure, but that's a horribly inefficient way to do it.

      Someone trying to break into your network doesn't give a crap about what you've done to secure it. They only care about the single thing that you've missed.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  7. Re:Typo? by mpapet · · Score: 5, Informative

    * Focus on widgets, while omitting to consider the importance of maintaining accountability.

    This basically means having lots of things for admins to click on and make reports with. None of which actually improve security. IE7's "security" features and Microsoft's UAC are two good examples.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  8. Don't do background checks on new IT hires by IvyKing · · Score: 4, Funny

    We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.

  9. The people learn fast. by khasim · · Score: 4, Interesting

    They'd just modify their password to meet the minimum requirement to avoid your detection. Usually by taking the passwords they already use and prepending or appending whatever will get them past the scan. And then ALWAYS using that same technique.

    _9%january
    _9%february
    _9%march

    Yes, it appears to be more secure ... until you realize that you don't have to crack the CURRENT password. You can crack any of the sequence and then have a pretty good idea what the current one is.

    People hate passwords and they particularly hate passwords that they have to change every 30 days or so. So they'll find a way to to (unintentionally) break your security just to make their life easier.

    1. Re:The people learn fast. by fuzzyfuzzyfungus · · Score: 4, Insightful

      On the plus side, if the users are doing whatever will get them past the scan, their accounts are now immune to dictionary attacks using a standard *nix cracking utility.

      Hardly perfect, but it has its virtues.

    2. Re:The people learn fast. by Neoprofin · · Score: 4, Insightful

      Pardon, I broke the security intentionally when they instituted all sorts of requirements for the passwords. My original password was fine, but then they added that it must change every 30 days, well I hope they like easy to crack passwords.

      1qaz!QAZ
      2wsx@WSX
      3edc#EDC
      4rfv$RFV

      They look great, but I guarantee that after one time watching me log everything is forever compromised. Good thing you didn't let me keep my easy (for me) to remember strong password.

    3. Re:The people learn fast. by commodoresloat · · Score: 3, Funny

      You're right -- these passwords are easy to crack, once you post them to slashdot.

    4. Re:The people learn fast. by Neoprofin · · Score: 4, Funny

      The jokes on you, I've already moved on to 5tgb%TGB!

  10. Re:Typo? by Gazzonyx · · Score: 4, Interesting

    If I'm reading it correctly, they mean;
    "Seeking a non-existent silver bullet (shiny object syndrome) while not considering that part of the solution is to follow known good practices".

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  11. Responsibility without power is an ulcer by Opportunist · · Score: 4, Insightful

    Power without responsibility, though, is a nightmare.

    My personal pet peeve is managers who demand full access rights for their accounts while at the same time ignoring any security standards. It pretty much fits into the "security guidelines that don't apply to executives" problem.

    It usually takes a very long time to explain why limited rights are actually good for you. What usually works out is to tell people that you cannot be blamed for anything you don't have privileges for. If something goes wrong, you can push responsibility away and claim you couldn't be responsible for it because you simply didn't have the permissions necessary to do it.

    Believe it or not, this argument is way stronger than any increased security you could use as an argument.

    At the same time I pity everyone who has to work in such an environment, where people are actually more concerned with covering their backs and blame shifting games rather than overall performance increase and setting security standards.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Getting management on board is critical by an.echte.trilingue · · Score: 5, Insightful

    The management is everything.

    I currently do the IT for a small business to pay the bills while I am in grad school. The hardest thing for me has been to get the owner on board with a sane security policy. When I walked in the door, the business used the same username and password for all 22 of the desktops, the one email account (that everybody shared!), the web server, the online bank account, everything. I was able to get all the employees on board with my security plans mostly because I explained what I wanted to do and why, and what it would do for the company... and they were happy to be getting separate email accounts.

    Then there is the boss. I explained my reasons for wanting a better security policy when I came on board. We sat down together and discussed different options, and he always gave me his approval. I thought everything was gravy, but I seriously overestimated his give-a-shit factor.

    For obvious reasons, he wants to have administrator access to all of our systems (we are small enough that that is reasonable). At one point our info@ account started spewing spam and got our IP blacklisted for a couple of days. The reason? the boss had changed the stmp password to 4. He regularly demands that his employees give him their email passwords and proceeds to send email in their names. In general he is just a walking nightmare.

    Of course, before long the other employees began picking up on his nonchalance, and they stopped bothering with security, too. Basically, due to his behavior, the architecture that should have given them a reasonable amount of professional privacy and accountability/deniability totally failed. I think this is really key: users are in general not stupid. Generally they are smart enough to understand the "why" behind security and follow through on it. You have to have systems in place to catch the bad apples, but that is about it. However, one stupid manager can ruin everything.

    I wouldn't care either, except that I have to clean up the messes this situation makes. This job is ultimately important for my resume (first post military employment), and I don't want to make the news for record data loss.

    God, I can't wait till I graduate.

    --
    weirdest thing I ever saw: scientology advertising on slashdot.
    1. Re:Getting management on board is critical by Creepy+Crawler · · Score: 3, Interesting

      Too true. I've seen similar to what you say. However, in my education, it is not been book driven and learned in a scholastic setting. In fact, I have no degree to speak of.

      First thing is, as you said, a sane security policy. 1 email acct, same login/passwd, security-unconscious snooping owner all causes these horrendous problems. However, I'd also highlight one very nasty catchup: licensure. I'm guessing that he (the owner) bought the machines piecemeal as he needed them. And he probably bought them from different outfits, no less.

      One rogue user could turn them in to the Boy Sco^H^H^H^H^H^H^H BSA. Go look at that guitar string maker up north of us, here in Indiana. He went the Linux route with smart terminals from the old machines incapable of running Windows NewVersion. Still, he avoided, after being sued, from ever again allowing that kind of liability in their building again.

      As per the snooping email: explain to him that hidden snooping will let him observe without alerting the user of being watched. On your side, create an account, and duplicate every users email settings into that account. Make it only receivable, and delete after 10 days (unless you have a beefy mailserver, which I doubt). I'd say it'd be stupid not to have a nice RAID1+0 server with 1-3 TB storage with Linux, admined via Webmin, but those things cost. I'd wait on that kind of proposal unless you can show immediate gain for him and his employees.

      And on the desktop snooping end, install VNC (if you use windows) as a service and "ignore remote mouse/keyboard" so he can watch as he pleases with only very minimal lag seen on the user end. The linux side, if you can convince him to switch, is just as easy. It uses x11vnc and is a one-line command. If you're running KDE, you can make a script that shows a pretty dialog box, asks for computer (ip/name) and logs in via ssh. The linux one is by fair more secure, but requires switching.

      And on the snooping, I'd also recommend DansGuardian so he can ban "bad sites", allow them for himself, and have a log of bad sites for each user. This could easily be used as a tool to remove bad employees, in that they violate a "No porn/gambling/auction" sites, it can selectively be enforced. Yes, I do consider a tool like that to be unethical, but he makes the hiring/firing decisions: not you. The more power you can land in his control, the better for you as you support it.

      And the Stupid Admin issue: once you put that much control in his fingertips, he will not let it go. Explain to him that if it would be disasterous if his users got a hold on this power.. In essence, scare the bejezzus out of him. Trust me, it works.

      --
  13. Re:Typo? by Opportunist · · Score: 4, Insightful

    Basically it means "not realizing that security is the minimum of the security of the system and the security of the staff".

    Managers want to buy security. I've seen it time and again. They want a box from you, a piece of software, something they can plug in and be secure. It is usually incredibly hard to explain to them that security isn't just making the system secure but also to increase security awareness of their staff (and their own too!) because they have to have allowed access to the system, and if they are not security conscious, this legal access to the system can be used to gain illegal access.

    Security is the minimum of system and personnell ability. The minimum. Not the average. A system that allowed perfect security is worthless if used by people who open up holes in that security. Likewise, the best security people cannot lock down a system that by its very design is prone to security holes.

    And when you finally got that into their skulls, try to explain that security is not a product but a process because the requirements to stay secure once you reach a secure level change pretty quickly.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Powerpoint by kybred · · Score: 4, Funny

    Pictures and bullet points. That's your way in. We all know management can't read.

    Convert it to a Powerpoint presentation. Be sure to use words like 'Synergism' and 'Paradigm'.

  15. Re:Typo? by anon+mouse-cow-aard · · Score: 4, Insightful

    how many meetings have I been in where someone would say... "why bother configuring a router as a firewall, just get a Cisco PIX and it's all set for you..." -- folks who think the device will give you security regardless of how it is used. We need an IDS, an IPS, a web-filter, a layer 7 filter, in-line, out-of-band, etc... meanwhile the entire corporate network is flat, wireless is bridged into the copper nets on many sites, and folks are using 'drowssap' to secure half the accounts, and systems are two or three years behind current patch levels. It doesn't matter what stuff you buy if you don't know what you are doing, and don't follow through on the basics first.

  16. Forgot one: Physical Security by mergy · · Score: 3, Insightful

    "Assume all potential attacks will come across the network or internet and disregard direct physical access to the hardware"

  17. Don't run a Cargo Cult by Mutatis+Mutandis · · Score: 4, Insightful

    The biggest problem with security is often that the IT people don't understand what the computers are actually used for. And worse: Don't even want to know. They have converted their IT job into a cargo cult.

    They then define security policy as the unilateral invention of the IT department, stressing how to be secure as opposed to how to work securely. Ignoring that the best way to be secure is to pull the plug, of course, as that would put them out of a job as well.

    The result is usually an IT policy that conflicts with getting work done, and therefore is undermined by employees at every opportunity. Overall security result: Zero. But lots of mutual loathing and recrimination.

    In some fields this is frighteningly common. I've been in debate sessions with a few score of colleagues, most of them working with competing firms, and found them in universal agreement that their IT department was hopeless and they would be better off doing everything themselves. Several of them had already set up their own systems, quick and dirty and probably with pretty poor security. But it worked for them, which is all what mattered to them --- at the time.

    The lesson is: Always define your IT policies, security and others, together with the users. Especially the heavier consumers of IT resources and the users with the most skills, for they have the know-how to bust the security systems, and their example will be followed by their peers. Make sure policies are acceptable to everyone and the logic behind them is well understood.

    Secondly, make sure to always be there to offer help when someone has a problem that needs to be solved. You want to be part of that solution. And never, never say that it just can't be done.

  18. You forgot by cyberfunkr · · Score: 3, Insightful

    You forgot the part where the Manager doesn't tell anyone about the theft for a few days while trying to cover it up.

    A few days without IT being able to change passwords, watch for break-ins, etc.

  19. Re:Typo? by jonaskoelker · · Score: 3, Funny

    a layer 7 filter

    At my job, I'd like to have a layer 8 filter...

  20. Reverse psychology by Cally · · Score: 4, Funny

    Ladies and gentlemen of the board, as you know this mighty corporation is under constant attacks by Dr Evil, SMERSH, the KGB and the Illuminati. I am now at liberty to reveal to you that we have been contacted by the Secret Service, sworn to secrecy, and issued with specially secured, James Bond laptops. Now there's only a few of these super-elite systems to go around, and only the most important people can be allowed the privilege of one of the Super Secure Laptops. So, I'll leave the room now, and you can draw lots to see which of you will have to put up with one of the standard, normal, Windows-based laptops... and who merits inclusion on the Hyper Secure System Program, and gets a 007 laptop.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  21. How to "get management to read it" by Doghouse+Riley · · Score: 5, Funny

    Send out your IT security analysis (or whatever) with a large, clearly labeled cover page to all the members of management, with a bunch of extra copies to pass out to their assistants.

    Wait 24-48 hours.

    Then send out an emergency communication via phone, e-mail and red-letter memo requiring that ALL COPIES of the IT security analysis be RETURNED TO YOU or SHREDDED immediately.

    You'll get your eyeballs.

    Obviously not to be overused - I've done this three times in a 20+ year career.

  22. Re:Never underestimate laziness. by SpzToid · · Score: 3, Insightful

    If you have a cheap router on the dd-wrt supported list, you could VLAN the ethernet segment used by your boss, to minimize risk to that segment. It might also provide useful for an 'I told you so' moment later, if he was segmented away somehow.

    Also, what about setting this guy up with a thumb drive scanner, as a more secure method of password entry than now? Certain HP notebooks have this built on the right side.

    If you can't run Winbooks under WINE in something like Ubuntu, then you can try running Windows and WinBooks in a virtual machine, (Possibly across the network, from an 'application' server) and both VMware and Virtual Box have a feature that makes The Windows OS disappear, while the Winbooks is available as a regular Gnome menu item. (Never tried it myself). VMware calls this feature Unity.

    Thank you for your military service.

    --
    You can't be ahead of the curve, if you're stuck in a loop.