
How To Suck At Information Security

wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with a total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.
  • by TaoPhoenix ( 980487 ) <TaoPhoenix@yahoo.com> on Saturday January 17, 2009 @03:39PM (#26499277) Journal

    I found an issue originally as it applies to free webhosts, but would probably apply to all the companies the other article says are gonna croak by 2010.

    Step 1. "Register with your full real information! We need this info because we're gonna micropay you for _____ ." (Sorta true - they would need a mechanism to transfer actual payments. Assume they are legit and not a Nigerian scam.)

    Step 2. "Bah, we know we never had a business plan, so we're gonna shut down."

    Step 3. "Oh look, we just chucked our assets for $1000 on ebay without actually taking care to secure them. Now someone has your info."

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday January 17, 2009 @03:41PM (#26499295)

    Because most of the things in that list fall under "CYA" for the CxO's.

    They don't know what information security is. They aren't interested in learning about it. They want to have it provided the same way that electricity and water is provided.

    Given that, they'd much rather have a list of checkboxes that their "consultant" can show them (and the auditors) that "proves" that they're doing what is required.

    If something happens, they have the list of checkboxes and they'll fire the consultant and get a different one.

    They have successfully covered their asses and their jobs are the only things that are secure.

  • by fuzzyfuzzyfungus ( 1223518 ) on Saturday January 17, 2009 @04:07PM (#26499535) Journal
    On the plus side, if the users are doing whatever will get them past the scan, their accounts are now immune to dictionary attacks using a standard *nix cracking utility.

    Hardly perfect, but it has its virtues.
  • A few more. (Score:1, Insightful)

    by Anonymous Coward on Saturday January 17, 2009 @04:08PM (#26499539)

    -Expecting to attract new users with an ugly "Web 2.0" redesign.
    -Expecting the new Digg-like metamoderation system to work.
    -Expecting us to read excruciatingly lame Idle stories.

  • by Opportunist ( 166417 ) on Saturday January 17, 2009 @04:08PM (#26499545)

    Power without responsibility, though, is a nightmare.

    My personal pet peeve is managers who demand full access rights for their accounts while at the same time ignoring any security standards. It pretty much fits into the "security guidelines that don't apply to executives" problem.

    It usually takes a very long time to explain why limited rights are actually good for you. What usually works out is to tell people that you cannot be blamed for anything you don't have privileges for. If something goes wrong, you can push responsibility away and claim you couldn't be responsible for it because you simply didn't have the permissions necessary to do it.

    Believe it or not, this argument is way stronger than any increased security you could use as an argument.

    At the same time I pity everyone who has to work in such an environment, where people are actually more concerned with covering their backs and blame shifting games rather than overall performance increase and setting security standards.

  • by Neoprofin ( 871029 ) <neoprofin AT hotmail DOT com> on Saturday January 17, 2009 @04:09PM (#26499555)
    Pardon, I broke the security intentionally when they instituted all sorts of requirements for the passwords. My original password was fine, but then they added that it must change every 30 days, so I hope they like easy-to-crack passwords.

    1qaz!QAZ
    2wsx@WSX
    3edc#EDC
    4rfv$RFV

    They look great, but I guarantee that after one time watching me log in, everything is forever compromised. Good thing you didn't let me keep my easy (for me) to remember strong password.
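A defender-side check for exactly the pattern in the comment above, added here as an example (it is not code from the post or from the SANS diary): a naive complexity rule accepts 1qaz!QAZ because it has length, upper, lower, a digit and a symbol, while a check that also looks at physical key adjacency and at a key sequence typed twice (once shifted) rejects it. The US QWERTY row layout, the adjacency rule and the walk threshold of three keys are my assumptions.

```python
import string

# Constructed US QWERTY layout (an assumption for this example). Row index is the
# vertical position, column index the horizontal one, so "1qaz" is a straight column.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Shifted digit symbols map back to the key that produces them, so '!QAZ' is '1qaz'.
SHIFTED_DIGITS = {"!": "1", "@": "2", "#": "3", "$": "4", "%": "5",
                  "^": "6", "&": "7", "*": "8", "(": "9", ")": "0"}
POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}


def unshift(ch):
    """Reduce a typed character to the physical key that produced it."""
    ch = ch.lower()
    return SHIFTED_DIGITS.get(ch, ch)


def adjacent(a, b):
    """True when two characters sit on neighbouring keys (horizontal, vertical or diagonal)."""
    pa, pb = POS.get(unshift(a)), POS.get(unshift(b))
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def meets_naive_policy(pw, min_len=8):
    """The complexity rule that 1qaz!QAZ satisfies: minimum length plus four character classes."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def longest_keyboard_walk(pw):
    """Length of the longest run of physically adjacent keys, ignoring shift."""
    best = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if adjacent(a, b) else 1
        best = max(best, run)
    return best


def has_repeated_keys(pw):
    """True when the password is one key sequence typed twice (e.g. '1qaz' then shifted '1qaz')."""
    keys = "".join(unshift(c) for c in pw)
    n = len(keys)
    return n >= 4 and n % 2 == 0 and keys[: n // 2] == keys[n // 2:]


def weakness_reasons(pw, max_walk=3):
    """Return the reasons a password should be rejected; an empty list means accept."""
    reasons = []
    if not meets_naive_policy(pw):
        reasons.append("fails complexity/length policy")
    if longest_keyboard_walk(pw) > max_walk:
        reasons.append("keyboard walk")
    if has_repeated_keys(pw):
        reasons.append("repeated key sequence")
    return reasons


if __name__ == "__main__":
    # The four passwords from the comment above plus one constructed control value.
    for pw in ["1qaz!QAZ", "2wsx@WSX", "3edc#EDC", "4rfv$RFV", "Mango!Velvet27"]:
        print(f"{pw:16} naive policy: {meets_naive_policy(pw)!s:5} "
              f"reasons: {weakness_reasons(pw) or 'accepted'}")
```

The point is the gap between the two checks: every one of the four posted passwords passes `meets_naive_policy` and every one is rejected by `weakness_reasons`, once for the four-key column walk and once because the second half is the first half with shift held. Production strength estimators such as zxcvbn do the same kind of pattern matching far more thoroughly (dictionary words, dates, leet substitutions); the lesson of the comment is that a policy which only counts character classes measures the wrong thing.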
  • by an.echte.trilingue ( 1063180 ) on Saturday January 17, 2009 @04:20PM (#26499645) Homepage
    The management is everything.

    I currently do the IT for a small business to pay the bills while I am in grad school. The hardest thing for me has been to get the owner on board with a sane security policy. When I walked in the door, the business used the same username and password for all 22 of the desktops, the one email account (that everybody shared!), the web server, the online bank account, everything. I was able to get all the employees on board with my security plans mostly because I explained what I wanted to do and why, and what it would do for the company... and they were happy to be getting separate email accounts.

    Then there is the boss. I explained my reasons for wanting a better security policy when I came on board. We sat down together and discussed different options, and he always gave me his approval. I thought everything was gravy, but I seriously overestimated his give-a-shit factor.

    For obvious reasons, he wants to have administrator access to all of our systems (we are small enough that that is reasonable). At one point our info@ account started spewing spam and got our IP blacklisted for a couple of days. The reason? The boss had changed the SMTP password to 4. He regularly demands that his employees give him their email passwords and proceeds to send email in their names. In general he is just a walking nightmare.

    Of course, before long the other employees began picking up on his nonchalance, and they stopped bothering with security, too. Basically, due to his behavior, the architecture that should have given them a reasonable amount of professional privacy and accountability/deniability totally failed. I think this is really key: users are in general not stupid. Generally they are smart enough to understand the "why" behind security and follow through on it. You have to have systems in place to catch the bad apples, but that is about it. However, one stupid manager can ruin everything.

    I wouldn't care either, except that I have to clean up the messes this situation makes. This job is ultimately important for my resume (first post-military employment), and I don't want to make the news for record data loss.

    God, I can't wait till I graduate.
  • Re:Typo? (Score:5, Insightful)

    by Opportunist ( 166417 ) on Saturday January 17, 2009 @04:23PM (#26499663)

    Basically it means "not realizing that security is the minimum of the security of the system and the security of the staff".

    Managers want to buy security. I've seen it time and again. They want a box from you, a piece of software, something they can plug in and be secure. It is usually incredibly hard to explain to them that security isn't just making the system secure but also to increase security awareness of their staff (and their own too!) because they have to have allowed access to the system, and if they are not security conscious, this legal access to the system can be used to gain illegal access.

    Security is the minimum of system and personnel ability. The minimum. Not the average. A system that allowed perfect security is worthless if used by people who open up holes in that security. Likewise, the best security people cannot lock down a system that by its very design is prone to security holes.

    And when you finally got that into their skulls, try to explain that security is not a product but a process because the requirements to stay secure once you reach a secure level change pretty quickly.

  • by fishbowl ( 7759 ) on Saturday January 17, 2009 @05:02PM (#26499971)

    So why is a person who lacks authority, expecting to assert authority? This is always the part that confuses me. Authority does not come from below, and it's that simple. Get authority (promotion, getting an authoritative position in the first place, etc.) or start a business. But don't expect, *ever*, to have anyone follow your orders if you aren't in a position to decrease or eliminate their paycheck. And don't act like this is hard to understand, because it isn't.

  • Re:Typo? (Score:5, Insightful)

    by anon mouse-cow-aard ( 443646 ) on Saturday January 17, 2009 @05:08PM (#26500017) Journal
    How many meetings have I been in where someone would say... "why bother configuring a router as a firewall, just get a Cisco PIX and it's all set for you..." -- folks who think the device will give you security regardless of how it is used. We need an IDS, an IPS, a web-filter, a layer 7 filter, in-line, out-of-band, etc... meanwhile the entire corporate network is flat, wireless is bridged into the copper nets on many sites, and folks are using 'drowssap' to secure half the accounts, and systems are two or three years behind current patch levels. It doesn't matter what stuff you buy if you don't know what you are doing, and don't follow through on the basics first.
  • by mergy ( 42601 ) on Saturday January 17, 2009 @05:32PM (#26500227) Homepage
    "Assume all potential attacks will come across the network or internet and disregard direct physical access to the hardware"
  • by cbiltcliffe ( 186293 ) on Saturday January 17, 2009 @05:36PM (#26500263) Homepage Journal

    Because that leads to the mentality of:

    "All our boxes are checked, therefore we are completely secure."

    And then they sit on their ass until they get hacked, because they never think about all the checkboxes that aren't on the list, or have been added since it was compiled.

    If you want to compile a checklist every day, sure, but that's a horribly inefficient way to do it.

    Someone trying to break into your network doesn't give a crap about what you've done to secure it. They only care about the single thing that you've missed.

  • by Stormwatch ( 703920 ) <`moc.liamtoh' `ta' `oarigogirdor'> on Saturday January 17, 2009 @05:48PM (#26500379) Homepage
    Indeed! A boss, act rationally according to the information presented, rather than act according to ranks in the ape troop hierarchy? INCONCEIVABLE!
  • by Mutatis Mutandis ( 921530 ) on Saturday January 17, 2009 @05:51PM (#26500411)

    The biggest problem with security is often that the IT people don't understand what the computers are actually used for. And worse: Don't even want to know. They have converted their IT job into a cargo cult.

    They then define security policy as the unilateral invention of the IT department, stressing how to be secure as opposed to how to work securely. Ignoring that the best way to be secure is to pull the plug, of course, as that would put them out of a job as well.

    The result is usually an IT policy that conflicts with getting work done, and therefore is undermined by employees at every opportunity. Overall security result: Zero. But lots of mutual loathing and recrimination.

    In some fields this is frighteningly common. I've been in debate sessions with a few score of colleagues, most of them working with competing firms, and found them in universal agreement that their IT department was hopeless and they would be better off doing everything themselves. Several of them had already set up their own systems, quick and dirty and probably with pretty poor security. But it worked for them, which is all that mattered to them --- at the time.

    The lesson is: Always define your IT policies, security and others, together with the users. Especially the heavier consumers of IT resources and the users with the most skills, for they have the know-how to bust the security systems, and their example will be followed by their peers. Make sure policies are acceptable to everyone and the logic behind them is well understood.

    Secondly, make sure to always be there to offer help when someone has a problem that needs to be solved. You want to be part of that solution. And never, never say that it just can't be done.

  • You forgot (Score:3, Insightful)

    by cyberfunkr ( 591238 ) on Saturday January 17, 2009 @05:58PM (#26500473)

    You forgot the part where the Manager doesn't tell anyone about the theft for a few days while trying to cover it up.

    A few days without IT being able to change passwords, watch for break-ins, etc.

  • It doesn't matter [...] if 90% of them then have to keep it written on a post-it

    Actually, writing down your passwords and sticking the note in your wallet is not a bad idea. The only reason the post-it solution is bad is because it's on your monitor where it's open to abuse.

  • by dannycim ( 442761 ) on Saturday January 17, 2009 @07:07PM (#26501109)

    ...Just encrypt all information on any device and computer and give the boss the password on a piece of paper...

    And he'll promptly stuff that piece of paper in his laptop bag only to be stolen at the next airport.

    People are insecure.

  • by Anonymous Coward on Saturday January 17, 2009 @08:40PM (#26501803)

    You are in a position where failure is guaranteed.

    This failure will be blamed on you by exactly the man who's ignoring it.

    He already thinks he's better at the jobs of everyone he's hired than they are; and has the right to subvert their autonomy and act as them at will.

    Anything that happens positively in this environment will be credited to himself, and anything bad that happens will be blamed on whomever was assigned it.

    Get Out Now. I wish I were joking. Leave while you are on good terms and can just say 'I found another opportunity'. Find any excuse that fits; just don't use lack of confidence as part of the excuse. Don't hint at future badness that may come. Just find a polite way to say that leaving the company now appears to be the best reason because:
    You need to devote more time to study
    You got another offer
    You've been invited to help a doctoral fellow with important research
    There's been a family emergency and you need to devote more time to them.

    If you end up in contact with them in the future, then whichever option you chose above "just didn't pan out, and you decided to focus on GPA during the last semester / quarter / etc. rather than come back to their company, but you remember them fondly."

    Preferably tell them a truthful reason you have to leave, like focusing on studies, because truth is always best. But this case is so bad, that I'd endorse a small lie to help save face.

    Leave this week if you can.

  • by Opportunist ( 166417 ) on Saturday January 17, 2009 @08:57PM (#26501927)

    That's in a nutshell what is the problem here. You get hired as CISO only to find out that your spiffy CISO title means jack. I mean, besides getting the blame shifted on you, and you alone, when (not if, when) hell breaks loose.

    If you want security, give your CISO the ability to enforce it. Else you're just looking for a scapegoat, and you could get that kind of person cheaper than for my salary. Besides, I won't sit and wait until it happens. Implement my rules and I take the blame if they fail. Then I fucked up and should be responsible for it. Or ignore my rules and I won't take responsibility for anything. It's simple as that. But if you're only looking for the latter, take a trip to the unemployment office and get the first idiot that crosses your way. He's cheaper than me, and if you don't follow the security guidelines I lay out, he's pretty much as good as me. Just way cheaper.

  • by SpzToid ( 869795 ) * on Sunday January 18, 2009 @02:42AM (#26503903)

    If you have a cheap router on the dd-wrt supported list, you could VLAN the ethernet segment used by your boss, to minimize risk to that segment. It might also prove useful for an 'I told you so' moment later, if he was segmented away somehow.

    Also, what about setting this guy up with a thumb drive scanner, as a more secure method of password entry than now? Certain HP notebooks have this built on the right side.

    If you can't run Winbooks under WINE in something like Ubuntu, then you can try running Windows and WinBooks in a virtual machine, (Possibly across the network, from an 'application' server) and both VMware and Virtual Box have a feature that makes The Windows OS disappear, while the Winbooks is available as a regular Gnome menu item. (Never tried it myself). VMware calls this feature Unity.

    Thank you for your military service.

  • by Anonymous Coward on Sunday January 18, 2009 @11:01AM (#26505973)

    ...except that pickpocketing is a tradition as old as pockets themselves. If putting passwords in physical wallets (or PURSES) becomes standard practice in a business, the social engineers are going to have a field day.

    "Hey, $username, we were going down to the $venue.atmosphere(loud|dark) to $recreate. Wanna come along? Be sure to bring your $personal_assets_receptacle !"

    A little legerdemain and the domain's compromised. Let's not even get into the high-efficiency method:

    "Hey, $username, want to come over to my place and $recreate.extra_opts(1) ?"

  • by centuren ( 106470 ) on Sunday January 18, 2009 @05:26PM (#26509397) Homepage Journal

    Re-title your executive security memo to something along the lines of "Avoiding personal liability concerning security breaches through executive negligence." If an executive isn't interested in security measures, he or she (like a corporation as a whole) will be more likely to pay attention to what measures are needed to cover his or her own ass in the case of a breach.
