
How To Suck At Information Security

wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with a total of about four dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.
  • by NotPeteMcCabe ( 833508 ) on Saturday January 17, 2009 @03:24PM (#26499153)
    "Now if I could only find a way to get management to read it."

    I'm sure if you ask them to, they will.
  • well.. (Score:3, Funny)

    by Anonymous Coward on Saturday January 17, 2009 @03:26PM (#26499169)
    First you make your lips like a doughnut, then you use your cheek muscles to pull inward. It helps to have a lot of spit. And don't be afraid to take as much as you can. Push your limits.
  • by Anonymous Coward on Saturday January 17, 2009 @03:29PM (#26499193)

    Just wait for the How To Suck At Information Security For Dummies edition.

  • by kbrasee ( 1379057 ) on Saturday January 17, 2009 @03:31PM (#26499225)
    I know a guy who worked at a place where the system saved passwords as plaintext. So I guess that's the first mistake. He did a query, and 75% of the passwords were in fact "password".
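    The anecdote above names two failures at once: passwords stored in the clear, and a mass default of "password" that was discovered only because the storage was plaintext. The following is an added example, not code from the commenter or from the site in question. It shows the query the commenter could run against a plaintext table, why the same query returns nothing useful once passwords are salted and hashed, and where the weak-password check therefore has to move: to the moment the password is set. The user table and the denylist are constructed for the example; a real deployment would use a breached-password corpus.

```python
"""Plaintext storage vs. salted hashing (added example, constructed data)."""
import hashlib
import hmac
import os

# Constructed sample: 8 users, 6 of them on the default password (75%).
SAMPLE_USERS = {
    "alice": "password", "bob": "password", "carol": "password",
    "dave": "password", "erin": "password", "frank": "password",
    "grace": "Tr0ub4dor&3", "heidi": "correct horse battery staple",
}

# Hypothetical denylist; stands in for a breached-password corpus.
DENYLIST = {"password", "123456", "qwerty", "letmein"}

PBKDF2_ITERATIONS = 200_000


def audit_plaintext(table):
    """The query the commenter ran: works only because storage is plaintext."""
    hits = sum(1 for pw in table.values() if pw == "password")
    return hits / len(table)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2$iters$salthex$hashhex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def set_password(table, user, password):
    """Reject weak passwords before hashing; afterwards nobody can check."""
    if password.lower() in DENYLIST:
        raise ValueError("password is on the denylist")
    table[user] = hash_password(password)


def audit_hashed(table):
    """The 'count the defaults' idea applied to a hashed table: per-user salts
    make identical passwords produce different records, so duplicate-counting
    finds nothing even though six users share a password."""
    rows = list(table.values())
    return len(rows) - len(set(rows))


if __name__ == "__main__":
    print("plaintext audit:", audit_plaintext(SAMPLE_USERS))   # 0.75
    hashed = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("duplicate hashes:", audit_hashed(hashed))           # 0
    try:
        set_password({}, "ivan", "password")
    except ValueError as exc:
        print("rejected at set time:", exc)
```

    The lesson the example draws is that hashing closes the door the commenter walked through, so the audit for defaults cannot be an afterthought: it has to run on the cleartext at set time, or not at all.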
  • by trust_jmh ( 651322 ) on Saturday January 17, 2009 @03:35PM (#26499253) Journal
    - Expecting others to have read the site linked.
    - Expecting the site to dis Microsoft or to have to address this in a comment.
  • by Alari ( 181784 ) on Saturday January 17, 2009 @03:39PM (#26499273) Journal

    > Now if I could only find a way to get management to read it.

    Re-route all web traffic to go to a "I've read and agree to the security policies" page that must be confirmed before they can browse any web sites. Put strong language in there letting them know their jobs are at risk if they break any of the security policies.

  • by IvyKing ( 732111 ) on Saturday January 17, 2009 @03:48PM (#26499343)
    We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.
  • Re:well.. (Score:1, Funny)

    by Anonymous Coward on Saturday January 17, 2009 @03:49PM (#26499353)

    I'm an IT director, and I approve this message.

    Except for that last sentence.

  • by sakdoctor ( 1087155 ) on Saturday January 17, 2009 @03:50PM (#26499373) Homepage

    Hey! That's MY password you insensitive clod.
    Well, now that you all know, I won't be held responsible for any trolling done on my account.

  • by syousef ( 465911 ) on Saturday January 17, 2009 @03:52PM (#26499397) Journal

    I'm sure if you ask them to, they will.

    I'm getting a mental image of a boardroom full of executives forced to read the policy out loud at gunpoint by a sysadmin that's gone postal and insists no one will get hurt if they just read the whole thing.

  • by mpapet ( 761907 ) on Saturday January 17, 2009 @04:01PM (#26499493) Homepage

    InfoSec in nearly all corporate environments breaks down into a couple of basic facts.

    1. Do just enough, at the lowest possible price to maintain compliance and then everyone does their best to ignore it because it's all messy overhead costs.

    2. Have someone in IT to blame. This is especially true if your title has something to do with infosec.

    1 and 2 are a special kind of evil circular logic where the exec blame-shifts to the IT guy for their "buggy" porn-riddled trojaned corporate laptop. In the exec's circle it is always IT's fault.

    Switch to Mac? Nope, too expensive. Besides, no one else in corporate culture uses Macs. Linux? What?? Weird people use it, not self-important execs like me. What do you mean there's no IE7? I can't possibly waste time on linkedin and facebook without IE7!!!

  • Yes (Score:2, Funny)

    by Anonymous Coward on Saturday January 17, 2009 @04:09PM (#26499553)

    It's like I'm wearing nothing at all.
    nothing at all.
    nothing at all.

  • by Opportunist ( 166417 ) on Saturday January 17, 2009 @04:17PM (#26499605)

    Here's a sample dialog of how this will probably go down. A few words may be off, but in general, this is how it usually runs:

    IT-Security guy: Here, please read these guidelines.
    Manager: Why? What's that?
    ITS: Security guidelines and rules to increase our security performance.
    M: Hand it to my secretary.
    ITS: It's critical that everyone reads them, knows about them and adheres...
    M: I said, hand it to my secretary!
    ITS: But you, too, have to...
    M: I have to go to a meeting now.

    Goes off to play golf with a business buddy and leaves his laptop in his convertible where it's stolen...

  • by Anonymous Coward on Saturday January 17, 2009 @04:17PM (#26499617)

    Put it on twitter...... They'll read it.

  • by owlnation ( 858981 ) on Saturday January 17, 2009 @04:21PM (#26499649)

    "Now if I could only find a way to get management to read it."

    Pictures and bullet points. That's your way in. We all know management can't read.

  • by Anonymous Coward on Saturday January 17, 2009 @04:37PM (#26499761)

    Gothmolly wrote:

    I work for $LARGE_US_BANK

    Not for much longer...

  • by commodoresloat ( 172735 ) on Saturday January 17, 2009 @04:45PM (#26499831)

    I hate that bank!! I lost $A_LOTTA_FUCKIN_MONEY in one of their ATM machines...

  • by htwf_and_ip ( 1248696 ) on Saturday January 17, 2009 @04:47PM (#26499841)
    Now if I could only find a way to get management to read it.
    Get it published in e-Week or some other "respected" trade publication.
  • by commodoresloat ( 172735 ) on Saturday January 17, 2009 @04:48PM (#26499851)

    You're right -- these passwords are easy to crack, once you post them to slashdot.

  • Powerpoint (Score:5, Funny)

    by kybred ( 795293 ) on Saturday January 17, 2009 @04:51PM (#26499873)

    Pictures and bullet points. That's your way in. We all know management can't read.

    Convert it to a Powerpoint presentation. Be sure to use words like 'Synergism' and 'Paradigm'.

  • by Cally ( 10873 ) on Saturday January 17, 2009 @04:59PM (#26499937) Homepage
    See these scars? Nimda. See this funny dent in my leg? NT4 SP5... this piece was so true it hurts.
  • Re:well.. (Score:3, Funny)

    by couchslug ( 175151 ) on Saturday January 17, 2009 @05:36PM (#26500267)

    "First you make your lips like a doughnut, then you use your cheek muscles to pull inward. It helps to have a lot of spit. And don't be afraid to take as much as you can. Push your limits."

    I'll get with HR about creating a position, but you're SO hired!
    If you bring a resume, make sure it's absorbent.

  • by Anonymous Coward on Saturday January 17, 2009 @05:59PM (#26500483)

    At my last job, SEVEN MONTHS AGO, I was asked what was needed to make SQL Query hacks impossible.

    So I wrote out a long list, and it just sat there on their server for future use in upcoming projects.

    Meanwhile, 100,000 sites went down to SQL Injection attacks later that month.

    I feel like I was writing a guide for recent layoffs for the people who worked there who thought their job was threatened by a new programmer.

    And I'm sure my report was ignored by people who actually worked there.

  • Re:Typo? (Score:4, Funny)

    by jonaskoelker ( 922170 ) <`jonaskoelker' `at' `yahoo.com'> on Saturday January 17, 2009 @06:43PM (#26500873)

    a layer 7 filter

    At my job, I'd like to have a layer 8 filter...

  • by Cally ( 10873 ) on Saturday January 17, 2009 @06:56PM (#26501003) Homepage
    Ladies and gentlemen of the board, as you know this mighty corporation is under constant attacks by Dr Evil, SMERSH, the KGB and the Illuminati. I am now at liberty to reveal to you that we have been contacted by the Secret Service, sworn to secrecy, and issued with specially secured, James Bond laptops. Now there's only a few of these super-elite systems to go around, and only the most important people can be allowed the privilege of one of the Super Secure Laptops. So, I'll leave the room now, and you can draw lots to see which of you will have to put up with one of the standard, normal, Windows-based laptops... and who merits inclusion on the Hyper Secure System Program, and gets a 007 laptop.
  • by treat ( 84622 ) on Saturday January 17, 2009 @07:32PM (#26501273)

    We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.

    That's not nearly as funny as places that do background checks *months* after an employee has started. That leads to really interesting situations, where newly valuable employees have to face the possibility of being fired. The decision is completely random and is partially based on an HR person's reading of a background check report that they do not really understand. The employee's boss can also help them out if they want (but not every time, it's basically random depending on how it looked in the database and whether that particular hr person and that particular boss have a good relationship or not).

    The win was a programmer forced to work from home, deemed too dangerous to allow into the office.

  • by Neoprofin ( 871029 ) <neoprofin AT hotmail DOT com> on Saturday January 17, 2009 @08:29PM (#26501721)
    The joke's on you, I've already moved on to 5tgb%TGB!
  • by _Sprocket_ ( 42527 ) on Saturday January 17, 2009 @09:57PM (#26502349)

    So why is a person who lacks authority, expecting to assert authority? This is always the part that confuses me.

    It's quite simple, really. If you let those security guys have authority, they start to abuse it. Next thing you know, they're making you change your password, taking away your Bonzai Buddy, and interfering with your opportunities to see hot naked celebrity pics.

  • by Doghouse Riley ( 1072336 ) on Saturday January 17, 2009 @11:33PM (#26502917)
    Send out your IT security analysis (or whatever) with a large, clearly labeled cover page to all the members of management, with a bunch of extra copies to pass out to their assistants.

    Wait 24-48 hours.

    Then send out an emergency communication via phone, e-mail and red-letter memo requiring that ALL COPIES of the IT security analysis be RETURNED TO YOU or SHREDDED immediately.

    You'll get your eyeballs.

    Obviously not to be overused - I've done this three times in a 20+ year career.
  • by eihab ( 823648 ) on Sunday January 18, 2009 @01:37AM (#26503617)

    That reminds me of a funny email about password rules that was going around, it went like this:

    CORPORATE DIRECTIVE NUMBER 88-570471

    In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.

    RULES FOR THE SELECTION OF PASSWORDS:

    1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.

    2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.

    3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.

    4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.

    5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.

    6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.

    7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.

    Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.
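    The seven rules of the memo above, as a checker. This is an added example, not code from the commenter or from the circulated email. Rules 5 and 7 ("any word in any language", "any person, place or thing") cannot be implemented literally, so the code uses small constructed word and name lists seeded with the memo's own examples; the keyboard-adjacency rule assumes a US QWERTY layout treated as an aligned three-row grid. Because of those substitutions the checker accepts more passwords than the memo's punchline allows. The point behind the joke stands on its own: every composition rule removes candidates from the keyspace, and rules this dense leave users with little choice but to share whatever passes.

```python
"""Validator for the seven password rules in the memo (added example)."""

MONTHS = ["JANUARY", "FEBRUARY", "MARCH", "APRIL", "MAY", "JUNE", "JULY",
          "AUGUST", "SEPTEMBER", "OCTOBER", "NOVEMBER", "DECEMBER"]
MONTH_ABBREVS = [m[:3] for m in MONTHS]

# Rule 5 is unimplementable as written; constructed list from the memo's examples.
WORDS = {"A", "I", "AT", "ME", "TO"}
# Rule 7 likewise; constructed list, "JOHN" taken from the memo's example.
PROPER_NOUNS = {"JOHN", "PARIS"}

# Assumption: US QWERTY letter rows, modelled as an aligned grid so that
# "diagonal" means adjacent row and adjacent column (H and U, for instance).
KEYBOARD_ROWS = ["QWERTYUIOP", "ASDFGHJKL", "ZXCVBNM"]
KEY_POS = {ch: (r, c)
           for r, row in enumerate(KEYBOARD_ROWS)
           for c, ch in enumerate(row)}


def keys_adjacent(a, b):
    """Rule 6 adjacency: horizontal, vertical or diagonal neighbours."""
    if a not in KEY_POS or b not in KEY_POS or a == b:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def violations(password, previous=()):
    """Return the list of rule numbers (1..7) the password breaks."""
    pw = password.upper()
    pairs = list(zip(pw, pw[1:]))
    broken = []

    # Rule 1: length, no doubled character, no alphabetic run up or down.
    alpha_run = any(a.isalpha() and b.isalpha() and abs(ord(a) - ord(b)) == 1
                    for a, b in pairs)
    if len(pw) < 6 or any(a == b for a, b in pairs) or alpha_run:
        broken.append(1)

    # Rule 2: two or more positions shared with any previous password.
    for old in previous:
        same = sum(1 for x, y in zip(pw, old.upper()) if x == y)
        if same >= 2:
            broken.append(2)
            break

    # Rule 3: month names or three-letter abbreviations.
    if any(m in pw for m in MONTHS + MONTH_ABBREVS):
        broken.append(3)

    # Rule 4: any digit except zero (the numeric form of some month).
    if any(ch in "123456789" for ch in pw):
        broken.append(4)

    # Rule 5: constructed word list (see assumption above).
    if any(w in pw for w in WORDS):
        broken.append(5)

    # Rule 6: keyboard-adjacent pairs.
    if any(keys_adjacent(a, b) for a, b in pairs):
        broken.append(6)

    # Rule 7: constructed proper-noun list (see assumption above).
    if any(n in pw for n in PROPER_NOUNS):
        broken.append(7)

    return broken


if __name__ == "__main__":
    for candidate in ["HGQQXP", "GFEDCB", "MARCHBC", "VWMARBC", "WKBH3LG",
                      "QWERTY", "GHNLWT", "HUKWVM", "JOHNBOY", "PZQXBM"]:
        print(f"{candidate:8s} breaks rules {violations(candidate)}")
    print("NRPWHS after GKPWTZ breaks", violations("NRPWHS", ["GKPWTZ"]))
```

    Run stand-alone it reports, for each of the memo's own examples, which rules reject it; most fail more than the one rule the memo cites, which is the usual fate of layered composition rules.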
