How To Suck At Information Security
wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with a total of about four dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.
"Now if I could only find a way to get management to read it."
I'm sure if you ask them to, they will.
I work for $LARGE_US_BANK and our Infosuck guys do exactly all these things. Manage by magazine article, hire 'architects' who think portscanning is the same as pen-testing, and come up with policy upon policy that tries to limit what people can do - it does so mostly by limiting the work people can do.
This thing nails it.
I want to delete my account but Slashdot doesn't allow it.
Because most of the things in that list fall under "CYA" for the CxO's.
They don't know what information security is. They aren't interested in learning about it. They want to have it provided the same way that electricity and water is provided.
Given that, they'd much rather have a list of checkboxes that their "consultant" can show them (and the auditors) that "proves" that they're doing what is required.
If something happens, they have the list of checkboxes and they'll fire the consultant and get a different one.
They have successfully covered their asses and their jobs are the only things that are secure.
* Focus on widgets, while omitting to consider the importance of maintaining accountability.
This basically means having lots of things for admins to click on and make reports with. None of which actually improve security. IE7's "security" features and Microsoft's UAC are two good examples.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
The management is everything.
I currently do the IT for a small business to pay the bills while I am in grad school. The hardest thing for me has been to get the owner on board with a sane security policy. When I walked in the door, the business used the same username and password for all 22 of the desktops, the one email account (that everybody shared!), the web server, the online bank account, everything. I was able to get all the employees on board with my security plans mostly because I explained what I wanted to do and why, and what it would do for the company... and they were happy to be getting separate email accounts.
Then there is the boss. I explained my reasons for wanting a better security policy when I came on board. We sat down together and discussed different options, and he always gave me his approval. I thought everything was gravy, but I seriously overestimated his give-a-shit factor.
For obvious reasons, he wants to have administrator access to all of our systems (we are small enough that that is reasonable). At one point our info@ account started spewing spam and got our IP blacklisted for a couple of days. The reason? The boss had changed the SMTP password to 4. He regularly demands that his employees give him their email passwords and proceeds to send email in their names. In general he is just a walking nightmare.
Of course, before long the other employees began picking up on his nonchalance, and they stopped bothering with security, too. Basically, due to his behavior, the architecture that should have given them a reasonable amount of professional privacy and accountability/deniability totally failed. I think this is really key: users are in general not stupid. Generally they are smart enough to understand the "why" behind security and follow through on it. You have to have systems in place to catch the bad apples, but that is about it. However, one stupid manager can ruin everything.
I wouldn't care either, except that I have to clean up the messes this situation makes. This job is ultimately important for my resume (first post-military employment), and I don't want to make the news for record data loss.
God, I can't wait till I graduate.
Weirdest thing I ever saw: Scientology advertising on Slashdot.
Send out your IT security analysis (or whatever) with a large, clearly labeled cover page to all the members of management, with a bunch of extra copies to pass out to their assistants.
Wait 24-48 hours.
Then send out an emergency communication via phone, e-mail and red-letter memo requiring that ALL COPIES of the IT security analysis be RETURNED TO YOU or SHREDDED immediately.
You'll get your eyeballs.
Obviously not to be overused - I've done this three times in a 20+ year career.