Slashdot Mirror
How To Suck At Information Security
wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.
"Now if I could only find a way to get management to read it."
I'm sure if you ask them to, they will.
I work for $LARGE_US_BANK and our Infosuck guys do exactly all these things. Manage by magazine article, hire 'architects' who think portscanning is the same as pen-testing, and come up with policy upon policy that tries to limit what people can do - it does by mostly limiting the work people can do.
This thing nails it.
I want to delete my account but Slashdot doesn't allow it.
I once wrote a program that did a weekly dictionary attack (using a standard *nix cracking utility) on the site's passwd file, and then sent out a notice (containing the password, so that it *had* to be changed) to the offending users and the head of IT (I was in another department, but had root access since I ran the majority of the gear).
Needless to say, it didn't make me very popular. But it sure as fuck made my point, both to management and to the users.
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
Because most of the things in that list fall under "CYA" for the CxO's.
They don't know what information security is. They aren't interested in learning about it. They want to have it provided the same way that electricity and water is provided.
Given that, they'd much rather have a list of checkboxes that their "consultant" can show them (and the auditors) that "proves" that they're doing what is required.
If something happens, they have the list of checkboxes and they'll fire the consultant and get a different one.
They have successfully covered their asses and their jobs are the only things that are secure.
* Focus on widgets, while omitting to consider the importance of maintaining accountability.
This basically means having lots of things for admins to click on and make reports with. None of which actually improve security. IE7's "security" features and Microsoft's UAC are two good examples.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.
They'd just modify their password to meet the minimum requirement to avoid your detection. Usually by taking the passwords they already use and prepending or appending whatever will get them past the scan. And then ALWAYS using that same technique.
_9%january
_9%february
_9%march
Yes, it appears to be more secure ... until you realize that you don't have to crack the CURRENT password. You can crack any of the sequence and then have a pretty good idea what the current one is.
People hate passwords and they particularly hate passwords that they have to change every 30 days or so. So they'll find a way to to (unintentionally) break your security just to make their life easier.
If I'm reading it correctly, they mean;
"Seeking a non-existent silver bullet (shiny object syndrome) while not considering that part of the solution is to follow known good practices".
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
Power without responsibility, though, is a nightmare.
My personal pet peeve is managers who demand full access rights for their accounts while at the same time ignoring any security standards. It pretty much fits into the "security guidelines that don't apply to executives" problem.
It usually takes a very long time to explain why limited rights are actually good for you. What usually works out is to tell people that you cannot be blamed for anything you don't have privileges for. If something goes wrong, you can push responsibility away and claim you couldn't be responsible for it because you simply didn't have the permissions necessary to do it.
Believe it or not, this argument is way stronger than any increased security you could use as an argument.
At the same time I pity everyone who has to work in such an environment, where people are actually more concerned with covering their backs and blame shifting games rather than overall performance increase and setting security standards.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The management is everything.
I currently do the IT for a small business to pay the bills while I am in grad school. The hardest thing for me has been to get the owner on board with a sane security policy. When I walked in the door, the business used the same username and password for all 22 of the desktops, the one email account (that everybody shared!), the web server, the online bank account, everything. I was able to get all the employees on board with my security plans mostly because I explained what I wanted to do and why, and what it would do for the company... and they were happy to be getting separate email accounts.
Then there is the boss. I explained my reasons for wanting a better security policy when I came on board. We sat down together and discussed different options, and he always gave me his approval. I thought everything was gravy, but I seriously overestimated his give-a-shit factor.
For obvious reasons, he wants to have administrator access to all of our systems (we are small enough that that is reasonable). At one point our info@ account started spewing spam and got our IP blacklisted for a couple of days. The reason? the boss had changed the stmp password to 4. He regularly demands that his employees give him their email passwords and proceeds to send email in their names. In general he is just a walking nightmare.
Of course, before long the other employees began picking up on his nonchalance, and they stopped bothering with security, too. Basically, due to his behavior, the architecture that should have given them a reasonable amount of professional privacy and accountability/deniability totally failed. I think this is really key: users are in general not stupid. Generally they are smart enough to understand the "why" behind security and follow through on it. You have to have systems in place to catch the bad apples, but that is about it. However, one stupid manager can ruin everything.
I wouldn't care either, except that I have to clean up the messes this situation makes. This job is ultimately important for my resume (first post military employment), and I don't want to make the news for record data loss.
God, I can't wait till I graduate.
weirdest thing I ever saw: scientology advertising on slashdot.
Basically it means "not realizing that security is the minimum of the security of the system and the security of the staff".
Managers want to buy security. I've seen it time and again. They want a box from you, a piece of software, something they can plug in and be secure. It is usually incredibly hard to explain to them that security isn't just making the system secure but also to increase security awareness of their staff (and their own too!) because they have to have allowed access to the system, and if they are not security conscious, this legal access to the system can be used to gain illegal access.
Security is the minimum of system and personnell ability. The minimum. Not the average. A system that allowed perfect security is worthless if used by people who open up holes in that security. Likewise, the best security people cannot lock down a system that by its very design is prone to security holes.
And when you finally got that into their skulls, try to explain that security is not a product but a process because the requirements to stay secure once you reach a secure level change pretty quickly.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The problem with many password rules is that you're often trading a moderately difficult technical attack for a fairly simple social attack.
It doesn't matter that your users have to chose a password that'd take 10^15 years to crack if 90% of them then have to keep it written on a post-it stuck to their monitor just to remember how to log in every morning.
Funny that you mention it, I did the same when I was working for a company that, let's say, should be very security conscious. No hour after I sent out those letters (I was the IT department head, so there wasn't anyone but the respective users to mail to) I was called upstairs and my boss (who appearantly got one of the mails as well, I don't know, it was automated and I wrote it so that only the system and the person with the insecure password knew that their password was easily hackable) told me in very unmistakable terms that I will be fired if I try to hack our own system again.
Trying to explain that it is in my job description to ensure corporate security and that insecure passwords are a severe security risk did not help. He wanted security to be comfortable and nothing to worry about, and certainly not something that would require him to have anything to do with it.
I handed in my 2 weeks notice the very same day. It was a very well paying job, but I somehow felt that I will be fired eventually anyway when (not if) the company has to deal with a security breach. It did happen to my replacement no year later, and i guess it doesn't look good on your resume if you're dealing in IT security and have to admit you were fired for a severe security breach.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Pictures and bullet points. That's your way in. We all know management can't read.
Convert it to a Powerpoint presentation. Be sure to use words like 'Synergism' and 'Paradigm'.
how many meetings have I been in where someone would say... "why bother configuring a router as a firewall, just get a Cisco PIX and it's all set for you..." -- folks who think the device will give you security regardless of how it is used. We need an IDS, an IPS, a web-filter, a layer 7 filter, in-line, out-of-band, etc... meanwhile the entire corporate network is flat, wireless is bridged into the copper nets on many sites, and folks are using 'drowssap' to secure half the accounts, and systems are two or three years behind current patch levels. It doesn't matter what stuff you buy if you don't know what you are doing, and don't follow through on the basics first.
The biggest problem with security is often that the IT people don't understand what the computers are actually used for. And worse: Don't even want to know. They have converted their IT job into a cargo cult.
They then define security policy as the unilateral invention of the IT department, stressing how to be secure as opposed to how to work securely. Ignoring that the best way to be secure is to pull the plug, of course, as that would put them out of a job as well.
The result is usually an IT policy that conflicts with getting work done, and therefore is undermined by employees at every opportunity. Overall security result: Zero. But lots of mutual loathing and recrimination.
In some fields this is frighteningly common. I've been in debate sessions with a few score of colleagues, most of them working with competing firms, and found them in universal agreement that their IT department was hopeless and they would be better off doing everything themselves. Several of them had already set up their own systems, quick and dirty and probably with pretty poor security. But it worked for them, which is all what mattered to them --- at the time.
The lesson is: Always define your IT policies, security and others, together with the users. Especially the heavier consumers of IT resources and the users with the most skills, for they have the know-how to bust the security systems, and their example will be followed by their peers. Make sure policies are acceptable to everyone and the logic behind them is well understood.
Secondly, make sure to always be there to offer help when someone has a problem that needs to be solved. You want to be part of that solution. And never, never say that it just can't be done.
Ladies and gentlemen of the board, as you know this mighty corporation is under constant attacks by Dr Evil, SMERSH, the KGB and the Illuminati. I am now at liberty to reveal to you that we have been contacted by the Secret Service, sworn to secrecy, and issued with specially secured, James Bond laptops. Now there's only a few of these super-elite systems to go around, and only the most important people can be allowed the privilege of one of the Super Secure Laptops. So, I'll leave the room now, and you can draw lots to see which of you will have to put up with one of the standard, normal, Windows-based laptops... and who merits inclusion on the Hyper Secure System Program, and gets a 007 laptop.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Send out your IT security analysis (or whatever) with a large, clearly labeled cover page to all the members of management, with a bunch of extra copies to pass out to their assistants.
Wait 24-48 hours.
Then send out an emergency communication via phone, e-mail and red-letter memo requiring that ALL COPIES of the IT security analysis be RETURNED TO YOU or SHREDDED immediately.
You'll get your eyeballs.
Obviously not to be overused - I've done this three times in a 20+ year career.