Shrinking Budgets Tie Hands of Security Pros
An anonymous reader writes "RSA Conference released the results of a recent survey of security professionals regarding the critical security threats and infrastructure issues they currently face, including those exacerbated by the current economic climate. The study indicates that even though practitioners are most concerned about email phishing and securing mobile devices, technologies addressing these needs are at risk of being cut from IT budgets. The survey also asked what technology investments will likely be bypassed or curtailed due to spending freezes and budget cuts."
We have a very paranoid security department where I work. On top of boot-level encryption, mandatory anti-virus software, various "agents" that try to predict whether or not you would in fact allow some strange program to do what it wants to do, system monitors that make sure everything is up to date and as it should be before you connect to the network, proxies that ban websites with harmful keywords, and annoying pop-ups caused by blocking ActiveX components, we still get several people throughout the week who report virus infections on their work PCs.
We have people who install Firefox to get around the IE settings so they can visit sites that they know are not permitted. We have people who browse torrent sites and adult sites and are "shocked" when we show them the links in the history. We've had people who blatantly admit "Yeah, I let my kids play on my company issued PC and they find ways around that stuff."
Maybe that's why the security budgets get cut. You can only secure so much until you secure it by locking out the user entirely.
Those who believe the Internet is private,
find their privates are on the Internet.
I have seen a lot of places that insist on buying a "solution" to the problem, when in fact the solution barely touches the problem. It works around a lot of things, but never really hits right on it. So you've spent a lot of money on something that doesn't really do the job of a person in that role.
The funny part about security is that for all its sex appeal, real security is actually pretty boring. Oh, the hotness of configuration management using tools that are already available on the Windows or Linux box. How your endorphins get moving at the sight of a patched on patch day. Or the sheer porn of being able to look at your log files and know that all is good.
We all love honeypots and whatnot, but those things need to come well after patching, configuration management, removing/pruning user administrative permissions, controlling which software you allow, and strong authentication enforcement. This doesn't have to cost a lot of money.
-- Who is the bigger fool? The fool or the fool who follows him? --