Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security IT

2004 Global Information Security Survey Results 77

jotok writes "CIO.com has released the results of its 2004 Global Information Security Survey, based on the responses of over 8,000 people in 62 countries, highlighting the Six Secrets of Highly Secure Organizations. The report indicates that security awareness and implementation are gradually improving, but also that information security is still not recieving the attention it requires--especially from management and IT personnel."
This discussion has been archived. No new comments can be posted.

2004 Global Information Security Survey Results

Comments Filter:
  • by Anonymous Coward on Friday September 24, 2004 @10:05AM (#10340094)
    Sounds a lot like the two secrets of maintaining security.

    1) Never tell anybody everything you know.
  • That's pretty sad! (Score:5, Insightful)

    by goldspider ( 445116 ) on Friday September 24, 2004 @10:06AM (#10340103) Homepage
    "...but also that information security is still not recieving the attention it requires--especially from management and IT personnel."

    Who then is supposed to give a shit about information security if not management and IT? It's stuff like this that makes me very unsympathetic towards companies with virus problems.

    • by lukewarmfusion ( 726141 ) on Friday September 24, 2004 @10:14AM (#10340185) Homepage Journal
      Parent has a good point. Every company I've worked in has people who think, "It's not my problem." Management should be concerned about security protecting their business. IT personnel should be concerned about security because it keeps them in a job and makes life easier.

      We have so many cliches and maxims about this very concept, but they fall on deaf ears:

      Nobody seems to care about doing things the right way until they screw up because they were done poorly. Ounce of prevention and all that..
    • by Anonymous Coward

      Security is *everybody's* responsibility.

      Whether it be the admin configuring their IDS & firewall correctly, to the managers writing the policys & guidelines, to the users not writing down passwords and all the way through to the maintenance staff being on the lookout for stray access points, weak locks, or areas of poor CCTV coverage. Even the backup operators have a responsibility to ensure the safety of backups. Security is *not* just passwords and firewalls.

      Security: Confidentiality, Integri

  • by codefather ( 686109 ) on Friday September 24, 2004 @10:08AM (#10340126) Homepage
    Seventh Secret: Most flaws occur thru "Gates" - Keep away from.
    • Actually, 8:

      Getting advice on slashdot is a sure way to an easily hackable website. While it masquerades as a "geek tech news" forum, it's populated by 12 year olds morons who think they know everything, and who's answer to everything is "Install linux because it's magically secure!".

      It goes without saying, of course. What kind of a moron would take computing advice from a bunch of asshats who can't configure Windows properly?
      • What kind of a moron would take computing advice from a bunch of asshats who can't configure Windows properly?

        Oh, I don't know, requiring an impossible task as a qualification is not very reasonable, don't you think?

      • You are reading slashdot. Aren't you?
      • Getting advice on slashdot is a sure way to an easily hackable website.



        And you're implicitly advising to install windows/IIS? nice troll :)
        • No, not at all.

          I'm explicitly advising not to run around thinking you know the first thing about running a secure server because you read slashdot every day.

          So many morons running linux powered websites incorrectly out there. While linux may not be a target for worms that just arbitrarily hit anyone, if someone actually targets the server, they can usually get root on it. These are the type of attacks you need to fear in business. Sasser wastes time and bandwidth, a dedicated hacker who's out to get yo
          • And here I thought HL2's source code was stolen through an Outlook exploit (patched months ago) ?
      • The grantparent says:
        "Seventh Secret: Most flaws occur thru "Gates" - Keep away from."
        Nowhere do you see anything like "Install linux because it's magically secure!".
        This is your typical troll. When CERT warns people to avoid IE and the security record of MS products is considered, warning people away from MS software is appropriate. You like to attack the people (posters) who point out things like this rather than making an honest comment. I hope MS pays you well.
        Just for fun, you might like to
  • I think by now, that if people don't "get" security, they'll never "get" security. We all know about patching, firewalling, decent passwords, etc, etc, but some people just choose to ignore it.
  • Hmm. Not much faith all around.

    Percentages of employees that follow the security rules... "More than half" was about 75%. I'm surprised it's that high. People here go through the 9 interations of their passwords in the same day so they can keep the same one for the year. Some people just use password1 - password9... Ugh.
    • by jokach ( 462761 ) on Friday September 24, 2004 @10:32AM (#10340326) Homepage
      In our shop, our upper management are the worst offenders. We have a COO that demands his laptop be built to auto login to everything. He doesn't want to remember passwords. The few passwords he has to remember are like 1234 or ABCD.

      Since senior management doesn't care, what makes them think that employees lower than them should?

      This same COO had his email account hacked because of a poor password and blamed IT for not having enough controls in place.

      I'm sure you can imagine my response.
  • Arrgghh (Score:4, Interesting)

    by Mateito ( 746185 ) on Friday September 24, 2004 @10:13AM (#10340178) Homepage

    We need a new "random generator" type page to produce book titles of the form:

    "The n secrets of highly keyword1 keyword2"

    Where

    n is an integer

    keyword1 is empowering adjective:effective, secure, world dominating, goatsecxing

    keyword2 is the empowered noun: organisations, individuals, dictatorships, tubgirls.

    Maybe then we'll escape this sort of crud. I am studying an MBA, there is a lot of useful stuff in it, but I am already sick of all the goddamn management speak used to obfuscate otherwize valid observations. Its taken years to get "plain english" into academic writing and tech manuals. Lets now start hammering it into managers.

    • The uhmteen or so habits of highly random asshats?

      Does anyone know where asshats cams from? It's an incredibly funny descriptor but i don't know of its origin. Is it just a buttheadism?

    • This will do it, minus the weird random spaces that /. inserts for me.

      <script>
      n = parseInt(Math.random()*10);
      k1 = parseInt(Math.random()*4);
      k2 = parseInt(Math.random()*4);
      key1 = new Array();
      key1[0]="effective";
      key1[1]="secure";
      key1[2]="world dominating";
      key1[3]="goatsecxing";
      key2=new Array();
      key2[0]="organisations";
      key2[1]="indiv iduals";
      key2[2]="dictatorships";
      key2[3]="tubgi rls";
      document.write('The '+n+' secrets of highly '+key1[k1]+' '+key2[k2]+'.');
      </script>

  • by 192939495969798999 ( 58312 ) <info AT devinmoore DOT com> on Friday September 24, 2004 @10:14AM (#10340182) Homepage Journal
    It would be great if it was accidentally a list of the actual top 6 secrets of those companies, and not a list of how they kept things secret.

    Secret 1: the password is 1.. 2.. 3.. 4.. 5!
    Company XYZ somewhere, reading list: "CRAP! That's the same combination we use for root!"
    • by Spoing ( 152917 ) on Friday September 24, 2004 @10:50AM (#10340503) Homepage
      1. Secret 1: the password is 1.. 2.. 3.. 4.. 5!
        Company XYZ somewhere, reading list: "CRAP! That's the same combination we use for root!"

      That would be an improvement over reality: One facility run by a subcontractor has a database that processes 50K checks/day and generates checks in excess of $1 million/day.

      Last time I checked, the database had no password on the administrator account.

      Nobody was interested in changing this "because we are behind a firewall" and "there's no reason why anyone would look for us or could find us".

      Thus, my sig;

      • by Satan Dumpling ( 656239 ) on Friday September 24, 2004 @11:12AM (#10340712) Homepage
        And a firewall cannot help you when an employee plugs in a laptop with a virus they caught at home.... happened at my company more than once....
          1. And a firewall cannot help you when an employee plugs in a laptop with a virus they caught at home.... happened at my company more than once....

          Same here, though the same admin who thought no password was a good idea also blaimed every laptop for every virus. Even had a long conversation with him on how likely my laptop (running Linux) could or could not pose a trojan/virus/... threat to his Windows client network. I still think he doesn't believe me that Linux can't spread Windows trojans (granted it

    • Secret 1: the password is 1.. 2.. 3.. 4.. 5!

      But we all know that the password IS: XYZZY! http://www.xyzzy.com/ [xyzzy.com]

  • has made me re-consider http re-directs and online surveys.
  • "loose-chips-sink-mips"

    That's a great one. Just wanted to give a pat on the back to the person who came up with it.

  • Clarification (Score:5, Insightful)

    by jotok ( 728554 ) on Friday September 24, 2004 @10:19AM (#10340236)
    The article, in the most polite way possible, slams IT types for disregarding security and not knowing how to properly interface with law enforcement personnel.

    From my perspective, there is a real dichotomy between IT and Security. While I have encountered quite a few IT types who take the time to learn about security issues, it seems as if they involve completely different mindsets. IT personnel are technical support--they worry about connectivity and uptime and handling the clownishness of the users. Security types are usually a lot more paranoid and consider the needs of the users a secondary concern to the integrity of the assets.

    The current model seems to be to hire a few security experts (and I use the term loosely--for every Eric Cole there probably 1000 clowns who read his book and considers himself just as good) to give recommendations and train the IT staff. I think the improvement in incident response and cleanup times is the result, but do you see that in terms of prevention we're not any better off?

    Some kind of integrated approach is necessary, but I think it's a ways off.
    • Re:Clarification (Score:2, Interesting)

      by Tyndmyr ( 811713 ) *
      Id agree with this assessment, but IMO the main problem is managers failure to understand the nature of security. Most dont even realize the need to update software, let alone "complex" things like firewalls. Ive been told to install an antivirus to keep hackers out. (Yes, I know, antiviruses are good, but this was the sole protection method)

      Until our managers become more technically adept, how can they understand if the security ppl are doing an adequate job?

    • What I've seen is that management gets what it wants. As a relatively new sysadmin I've been apalled at some of the outdated security models where I work. For example, passwords on major unix boxes not even shadowed. But as long as management wants to push server consolidation, outsourcing and project after project, even those members of the overworked IT staff who might be concerned have no time to try to push or implement security projects.

      I noted that the article mentions negative drivers like the fe
      • No, it makes perfect sense. Management rarely sees the connection between security and job completiong (and thus, satisfying the demands of the shareholders, which is technically the reason why the corporation exists). You have to put it in terms they understand. This is why I'm in favor of separate security departments, for one, and also, why an integrated approach is the only one that will work (e.g. start everything with security in mind).
  • Security rule #1 (Score:5, Insightful)

    by ceeam ( 39911 ) on Friday September 24, 2004 @10:24AM (#10340267)
    If you don't know how to crack you don't know how to protect. Since teaching, learning, and sharing knowledge of how to crack is all but universally illegal now only criminals can be security experts. Lawmakers may pat themselves on the back - good job!
    • If you get involved in the right educational program you get all that and more, and Uncle Sam pays the bill.

      In May I graduated from "Cyber-Corp", a Computer Science - Information Assurance master's degree (or undergrad if that's your thing) program that is funded by NSF. I took many full, real college credit classes (3 or 4 semester hours) on Penetration Testing, Systems Certification and Accreditation, Digital Forensics Secure Network Design and Implementation, Secure E-Commerce, the list goes on. And
      • Let me add a quick addendum to LanMan's post.

        In support of the government's policies on Critical Infrastructure Protection, there is this outreach program between NSA and various educational institutions which is producing just really excellent security professionals. In light of corporate resistance to DHS's attempts to bring the private sector onboard, I think this and similar programs are the best shot we have at securing the civilian sector.

        More information can be found here [nsa.gov].
      • Far as I know the university of North carolina system also is a member of this program (at the very least the charlotte campus)

        Looks to be a sweet deal. TOo bad i'm engineering and not compsci =\
    • The article was very good to suggest separating information security from IT, and integrating with physical security.

      After all, IT is just a tool, a means to an end. If you have a super-secure server, but one could throw a brick through a window and walk away with the goodies, that server isn't really secure. If you have a fire in a datacenter [slashdot.org], and your entire archive and customer files are lost, then your backup procedures were flawed, even if state-of-the-art tools were used.

  • exagerated (Score:4, Insightful)

    by IAR80 ( 598046 ) on Friday September 24, 2004 @10:25AM (#10340273) Homepage
    This whole security business is getting a little bit out of hand. You should definitly exercise reasonable care (like having a firewall well configured, use passwords not identical to the account and so on) but I know organizations that really went paranoid and are implementing the most ridiculos polycies (and making the environment very hard to work in because of that) and spent M$ on security consultants when the info they had is worth next to nothing or it is even public. This started to look a little bit like the Y2K craze. Kepp them scared and that way you keep the money flowing in.
    • ...and spent M$ on security consultants...

      You must be new around here. "M$" is a macro that expands to "Microsoft" when we read it...

      • ...and spent M$ on security consultants...

        And the difference is ... ?

        Fundamentally it's the same thing. Spending lots of money on sham.
  • The Six Secrets (Score:5, Insightful)

    by nharmon ( 97591 ) on Friday September 24, 2004 @10:25AM (#10340277)
    The first of the six secrets in this article was to "Spend More" on security. Thats funny, because someone else told us that THe most Secure Companies Spend the Least [slashdot.org]. Which would suggest that the idea of throwing money at a problem isn't always the best solution.

    The second secret, seperating your data security from your IT people, is a good idea only when your data security people are as competent at the regular IT people. Which is very rarely the case, because we tend to want our best talent our fixing the VP's PCs. What usually ends up happening is the company has to bring in an outside contractor to do what the data security people are not capable of, and the data security people become "go betweens" with them.

    The other 4 "secrets" aren't really secrets but simply good practices in the fields of penetration testing, and documentation.

    • Which would suggest that the idea of throwing money at a problem isn't always the best solution.

      Throwing money at the problem tends to enlarge the scope of the problem, i.e. more and bigger problems. The ones who spend least probably secure the few things that need securing and do those few rather well and do not impose unwarranted restrictions on everybody else. Easy way to check. If they lock their doors whenever they leave, they need security. Open doors when they aren't there means they do not need a
  • If I'm reading these numbers right, there is (at least) one thing that is interesting.

    The "Best Practices" (hereafter BPG) group claimed 14% of their IT budget was spent on Infosecurity, while the "Average Group" (hereafter AG) spent 9%, while the difference in number of people on full time security in the BPG was approximately 430 and the AG was only around 160.

    Or in numbers, a BPG company spends $140,000 of its $1,000,000 IT budget (these are fake numbers) and hires 430 people while a AG company spends
    • The math looks good at first, but there is one simple thing I think makes the difference.

      I'm willing to bet that any member of the BGP is also a company that takes IT much more seriously, and therefore would have a much larger IT budget (in relation to the total company budget). Also, I would venture a guess that the BGP are also much larger companies, otherwise the difference in department sizes would be smaller than the current 2.5:1

      --Demonspawn
  • The attitude among security professionals toward critical infrastructure, regulation and working with the authorities after incidents can best be described as laissez-faire, maybe even lackadaisical.

    As a self-appointed representative of security professionals, I have to balk at this description. Many security professionals are under incredible pressure. If, after a harrowing incident, they take some time to frolic down by the old Mill pond, perhaps take a roll or two down Mr. Jenkin's hill, or even skip t

  • At our company we finally implemented a process where MS updates could be applied more quickly. Because MS is famous for messing up everyone's machine with their lovely windows updates, we had an almost 2 month testing cycle before updates were applied. Now we apply security patches immediately (i.e., within 1-2 days - workstations first, then servers). We'll deal with any MS screw-ups the next day.

    "2. Separate information security from IT" - idiots! It's IT that understands this stuff. The answer is

    • by jotok ( 728554 )

      "2. Separate information security from IT" - idiots! It's IT that understands this stuff.

      Out of the past thousand or so incidents I have handled or observed, maybe 900 of them involved some bungle by IT regarding: failure to patch systems (often while reporting that they had), failure to remove unnecessary services, failure to properly implement network and host security features (e.g. firewalls and IDSs installed imroperly, logging not turned on, etc.) failure to conduct account audits, failure to implem

  • No surprises (Score:5, Interesting)

    by TimTheFoolMan ( 656432 ) on Friday September 24, 2004 @10:40AM (#10340401) Homepage Journal
    My group deploys custom solutions to customers all over the US, and we're regularly amazed at the customers variances in security. At one extreme are gov't facilities you would expect to be tight, and they're loose. On the other are mundane organizations where things are very tight. Amazingly, some of the private sector companies are the tightest.

    The article made a recommendation for a Security Czar (my term) to be in charge of physical security as well as info security. In my experience, physical and data security mirror each other within a given facility. Those who are sensitive to the exposure of their data are typically those with the tightest security measures for employees.

    However, in an odd twist, very few companies consider the physical security of the data servers. In other words, they worry about firewalls, proxy servers, and up-to-date AV protection, but leave the servers in a location that's physically accessible to people WITHIN their organization that shouldn't have access to it.

    Very, very rarely does someone manage this right. One of the few exceptions was a VA hospital. Not the tightest security, but it was consistently applied in the physical access to the servers, the access to the building in general, and the measures taken for electronic protection and isolation of critical systems.

    Tim
  • I encrypt all of my garbage files, set permissions, restrict shares, etc, and put highly sensitive stuff in a folder that is public with the name:
    • "Hackers Please Look in here, and download everything - I contain no tracking software and I am NOT a Honeypot"

    So far, so good. In fact I'm looking at my financial statements right now and they say .$%^ WTF what the hell is a |33t 81ll|ion41r3, where the hell is my balance sheet.

Whoever dies with the most toys wins.

Working...