How To Suck At Information Security 198
wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.
First things first (Score:5, Funny)
I'm sure if you ask them to, they will.
Re:First things first (Score:5, Funny)
I'm sure if you ask them to, they will.
I'm getting a mental image of a boardroom full of executives forced to read the policy out loud at gunpoint by a sysadmin that's gone postal and insists no one will get hurt if they just read the whole thing.
Reverse psychology (Score:5, Funny)
Getting management on board is critical (Score:5, Insightful)
I currently do the IT for a small business to pay the bills while I am in grad school. The hardest thing for me has been to get the owner on board with a sane security policy. When I walked in the door, the business used the same username and password for all 22 of the desktops, the one email account (that everybody shared!), the web server, the online bank account, everything. I was able to get all the employees on board with my security plans mostly because I explained what I wanted to do and why, and what it would do for the company... and they were happy to be getting separate email accounts.
Then there is the boss. I explained my reasons for wanting a better security policy when I came on board. We sat down together and discussed different options, and he always gave me his approval. I thought everything was gravy, but I seriously overestimated his give-a-shit factor.
For obvious reasons, he wants to have administrator access to all of our systems (we are small enough that that is reasonable). At one point our info@ account started spewing spam and got our IP blacklisted for a couple of days. The reason? the boss had changed the stmp password to 4. He regularly demands that his employees give him their email passwords and proceeds to send email in their names. In general he is just a walking nightmare.
Of course, before long the other employees began picking up on his nonchalance, and they stopped bothering with security, too. Basically, due to his behavior, the architecture that should have given them a reasonable amount of professional privacy and accountability/deniability totally failed. I think this is really key: users are in general not stupid. Generally they are smart enough to understand the "why" behind security and follow through on it. You have to have systems in place to catch the bad apples, but that is about it. However, one stupid manager can ruin everything.
I wouldn't care either, except that I have to clean up the messes this situation makes. This job is ultimately important for my resume (first post military employment), and I don't want to make the news for record data loss.
God, I can't wait till I graduate.
Re:Getting management on board is critical (Score:4, Interesting)
Too true. I've seen similar to what you say. However, in my education, it is not been book driven and learned in a scholastic setting. In fact, I have no degree to speak of.
First thing is, as you said, a sane security policy. 1 email acct, same login/passwd, security-unconscious snooping owner all causes these horrendous problems. However, I'd also highlight one very nasty catchup: licensure. I'm guessing that he (the owner) bought the machines piecemeal as he needed them. And he probably bought them from different outfits, no less.
One rogue user could turn them in to the Boy Sco^H^H^H^H^H^H^H BSA. Go look at that guitar string maker up north of us, here in Indiana. He went the Linux route with smart terminals from the old machines incapable of running Windows NewVersion. Still, he avoided, after being sued, from ever again allowing that kind of liability in their building again.
As per the snooping email: explain to him that hidden snooping will let him observe without alerting the user of being watched. On your side, create an account, and duplicate every users email settings into that account. Make it only receivable, and delete after 10 days (unless you have a beefy mailserver, which I doubt). I'd say it'd be stupid not to have a nice RAID1+0 server with 1-3 TB storage with Linux, admined via Webmin, but those things cost. I'd wait on that kind of proposal unless you can show immediate gain for him and his employees.
And on the desktop snooping end, install VNC (if you use windows) as a service and "ignore remote mouse/keyboard" so he can watch as he pleases with only very minimal lag seen on the user end. The linux side, if you can convince him to switch, is just as easy. It uses x11vnc and is a one-line command. If you're running KDE, you can make a script that shows a pretty dialog box, asks for computer (ip/name) and logs in via ssh. The linux one is by fair more secure, but requires switching.
And on the snooping, I'd also recommend DansGuardian so he can ban "bad sites", allow them for himself, and have a log of bad sites for each user. This could easily be used as a tool to remove bad employees, in that they violate a "No porn/gambling/auction" sites, it can selectively be enforced. Yes, I do consider a tool like that to be unethical, but he makes the hiring/firing decisions: not you. The more power you can land in his control, the better for you as you support it.
And the Stupid Admin issue: once you put that much control in his fingertips, he will not let it go. Explain to him that if it would be disasterous if his users got a hold on this power.. In essence, scare the bejezzus out of him. Trust me, it works.
Never underestimate laziness. (Score:3, Interesting)
Also, licensing is no longer an issue, although it once was. We are a 100% linux shop except for the accountant and the graphic artist, who have some software requirements that linux does not meet (btw, if anybody knows of a drop in linux replacement for winbooks that would be really helpful; I'm willing to pay).
Anyway, for the boss it really is not about snooping, its about lazi
Re: (Score:3, Insightful)
If you have a cheap router on the dd-wrt supported list, you could VLAN the ethernet segment used by your boss, to minimize risk to that segment. It might also provide useful for an 'I told you so' moment later, if he was segmented away somehow.
Also, what about setting this guy up with a thumb drive scanner, as a more secure method of password entry than now? Certain HP notebooks have this built on the right side.
If you can't run Winbooks under WINE in something like Ubuntu, then you can try running Windows
Re: (Score:2)
For obvious reasons, he wants to have administrator access to all of our systems (we are small enough that that is reasonable). At one point our info@ account started spewing spam and got our IP blacklisted for a couple of days. The reason? the boss had changed the stmp password to 4. He regularly demands that his employees give him their email passwords and proceeds to send email in their names. In general he is just a walking nightmare.
He doesn't need their email passwords to send email as them... all he needs is an open SMTP relay and a basic knowledge of his email settings. Of course I think he probably doesn't have that either.
Small business is all the same. I've colleagues who have been in similar scenarios at small companies.
I came from a company that was exactly the same. There was no IT security. The boss invited all his mates round on the weekends to thrash the high speed Internet connection and play games. They brought virus
Re: (Score:2, Insightful)
You are in a position where failure is guaranteed.
This failure will be blamed on you by exactly the man who's ignoring it.
He already thinks he's better at the jobs of everyone he's hired than they are; and has the right to subvert their autonomy and act as them at will.
Anything that happens positively in this environment will be credited to himself, and anything bad that happens will be blamed on whomever was assigned it.
Get Out Now. I wish I were joking. Leave while you are on good terms and can just sa
Re: (Score:3, Funny)
Pictures and bullet points. That's your way in. We all know management can't read.
Powerpoint (Score:5, Funny)
Pictures and bullet points. That's your way in. We all know management can't read.
Convert it to a Powerpoint presentation. Be sure to use words like 'Synergism' and 'Paradigm'.
Re: (Score:2)
and if that doesn't work
naked pictures and pointed bullets
Re:First things first (Score:5, Funny)
Here's a sample dialog of how this will probably go down. A few words may be off, but in general, this is how it usually runs:
IT-Security guy: Here, please read these guidelines.
Manager: Why? What's that?
ITS: Security guidelines and rules to increase our security performance.
M: Hand it to my secretary.
ITS: It's critical that everyone reads them, knows about them and adheres...
M: I said, hand it to my secretary!
ITS: But you, too, have to...
M: I have to go to a meeting now.
Goes off to play golf with a business buddy and leaves his laptop in his convertible where it's stolen...
Re:First things first (Score:5, Insightful)
So why is a person who lacks authority, expecting to assert authority? This is always the part that confuses me. Authority does not come from below, and it's that simple. Get authority (promotion, getting an authoritative position in the first place, etc.) or start a business. But don't expect, *ever*, to have anyone follow your orders if you aren't in a position to decrease or eliminate their paycheck. And don't act like this is hard to understand, because it isn't.
Re:First things first (Score:5, Insightful)
Re: (Score:3, Informative)
Indeed! A team of IT admins should just lay down a system that doesn't allow it to be used otherwise. Just encrypt all information on any device and computer and give the boss the password on a piece of paper. Make sure all newly bought IT devices passes through the IT department before it gets into anyones hands in order to 'prepare all technology for safe and secure use'. Take care of the rest of all the problems the same way. Now get some superior/boss to allow you to set up an IT helpdesk 'in order to i
Re: (Score:3, Insightful)
...Just encrypt all information on any device and computer and give the boss the password on a piece of paper...
And he'll promptly stuff that piece of paper in his laptop bag only to be stolen at the next airport.
People are insecure.
Re: (Score:2)
Before or after he reads the comments that weren't correctly de-escaped?
For a security authority, you'd think SANS would know they escape their quotes and handle this when it outputs the comment to readers.
Re:First things first (Score:4, Insightful)
Re-title your executive security memo to something along the lines of "Avoiding personal liability concerning security breaches through executive negligence." If an executive isn't interested in security measures, he or she (like a corporation as a whole) will be more likely to pay attention to what measures are needed to cover his or her own ass in the case of a breach.
Re:First things first (Score:4, Interesting)
Re: (Score:2)
Whether or not telling a boss is a problem mainly depends on your ability to communicate (not only how but also when, it's NOT a good idea to tell your boss he's a tool when he's in a conference with customers) and also the boss' ability to deal with criticism.
You'd be surprised how many superiors take criticism of people they consider "beneath" them very poorly. Interestingly enough it never happened to me in the IT field (usually IT people know that they don't know everything and that there is always some
Re: (Score:2)
The problem here is that, just because you don't have the authority to tell your boss to do something, that doesn't mean that you won't be held responsible. It's not fair, and it's not sensible, but it's true.
Unfortunately, a lot of people don't understand the problems that come from separating authority and responsibility.
Re:First things first (Score:4, Insightful)
That's in a nutshell what is the problem here. You get hired as CISO only to find out that your spiffy CISO title means jack. I mean, besides getting the blame shifted on you, and you alone, when (not if, when) hell breaks lose.
If you want security, give your CISO the ability to enforce it. Else you're just looking for a scapegoat, and you could get that kind of person cheaper than for my salary. Besides, I won't sit and wait until it happens. Implement my rules and I take the blame if they fail. Then I fucked up and should be responsible for it. Or ignore my rules and I won't take responsibilty for anything. It's simple as that. But if you're only looking for the latter, take a trip to the unemployment office and get the first idiot that crosses your way. He's cheaper than me, and if you don't follow the security guidelines I lay out, he's pretty much as good as me. Just way cheaper.
Re: (Score:3, Interesting)
If you don't have authority over people, you can just lock the children down. That's annoying when people have work to do, but IT won't let anything happen.
My favorite point in the article was "Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles."
The IT in my shop refuses to let devs install programs (any programs) because the whole network is a production system. It can take weeks to get an SDK installed, because some IT admin has to get around to installing it. Cou
Re:First things first (Score:5, Funny)
So why is a person who lacks authority, expecting to assert authority? This is always the part that confuses me.
It's quite simple, really. If you let those security guys have authority, they start to abuse it. Next thing you know, they're making you change your password, taking away your Bonzai Buddy, and interfering with your opportunities to see hot naked celebrity pics.
Re: (Score:2)
What authority does the CIO have over someone not in IT?
You forgot (Score:3, Insightful)
You forgot the part where the Manager doesn't tell anyone about the theft for a few days while trying to cover it up.
A few days without IT being able to change passwords, watch for break-ins, etc.
Typo? (Score:3, Informative)
Security:
* Focus on widgets, while omitting to consider the importance of maintaining accountability.
Can someone clarify?
Re:Typo? (Score:5, Informative)
* Focus on widgets, while omitting to consider the importance of maintaining accountability.
This basically means having lots of things for admins to click on and make reports with. None of which actually improve security. IE7's "security" features and Microsoft's UAC are two good examples.
Re:Typo? (Score:5, Interesting)
"Seeking a non-existent silver bullet (shiny object syndrome) while not considering that part of the solution is to follow known good practices".
Re:Typo? (Score:5, Insightful)
Basically it means "not realizing that security is the minimum of the security of the system and the security of the staff".
Managers want to buy security. I've seen it time and again. They want a box from you, a piece of software, something they can plug in and be secure. It is usually incredibly hard to explain to them that security isn't just making the system secure but also to increase security awareness of their staff (and their own too!) because they have to have allowed access to the system, and if they are not security conscious, this legal access to the system can be used to gain illegal access.
Security is the minimum of system and personnell ability. The minimum. Not the average. A system that allowed perfect security is worthless if used by people who open up holes in that security. Likewise, the best security people cannot lock down a system that by its very design is prone to security holes.
And when you finally got that into their skulls, try to explain that security is not a product but a process because the requirements to stay secure once you reach a secure level change pretty quickly.
Re:Typo? (Score:5, Insightful)
Re:Typo? (Score:4, Funny)
a layer 7 filter
At my job, I'd like to have a layer 8 filter...
Re: (Score:2)
That was weird seeing my password come up like that. I mean............ what kind of idiot would set his password to drowssap!
Re: (Score:2)
In other words, "All the antivirus, firewalls, and intrusion detection systems in the world won't help, if you don't hold your users (and your admins) accountable for their actions."
Re: (Score:2)
Woh, oh, oh!
well.. (Score:3, Funny)
Re: (Score:3, Funny)
"First you make your lips like a doughnut then you use your cheek muscles to pull inward. It helps to have a lot of spit. and dont be afraid to take as much as you can. push your limits."
I'll get with HR about creating a position, but you're SO hired!
If you bring a resume, make sure it's absorbent.
Hey, that's OUR corporate policy !!1! (Score:5, Interesting)
I work for $LARGE_US_BANK and our Infosuck guys do exactly all these things. Manage by magazine article, hire 'architects' who think portscanning is the same as pen-testing, and come up with policy upon policy that tries to limit what people can do - it does by mostly limiting the work people can do.
This thing nails it.
It's just about everyone's policy. (Score:5, Insightful)
Because most of the things in that list fall under "CYA" for the CxO's.
They don't know what information security is. They aren't interested in learning about it. They want to have it provided the same way that electricity and water is provided.
Given that, they'd much rather have a list of checkboxes that their "consultant" can show them (and the auditors) that "proves" that they're doing what is required.
If something happens, they have the list of checkboxes and they'll fire the consultant and get a different one.
They have successfully covered their asses and their jobs are the only things that are secure.
Re: (Score:2)
One good fix for much of this is the appointment of a CISO. By having someone who "gets it" at the top level, with a budget and a staff and the authority to wield them. It's also critical to have someone who can tell the other CxOs "the policy applies to everyone starting with us, because it won't work if we don't set the example. A failure of security at our level could cost us $x million per day."
I work for a $LARGE_US_CORPORATION and our CEO has to swipe his badge to get into the buildings, same as
Re: (Score:2)
Because technology changes all the time.
Sure, for the easy stuff, checkboxes work really well. The problems come when there's new technology, or hackers find a nice new way to tip the balance in their favor. Staying on top of security is a full time job in itself when you work for a large company.
On top of that, putting all the right rules in place doesn't mean a thing if you can't get your employees (including the bosses/owners) to follow it.
Finding potential attack vectors is a lot like egg-sexing. It
Re: (Score:2)
[CxOs] aren't interested in learning about it. They want to have it provided the same way that electricity and water is provided.
Instead, it is a set of actions and processes we follow that can be described easily, simply. If someone knows the technologies and vocabulary, you can direct them over the phone.
With this in mind, why COULDN'T you have a set of checkboxes?
Because delivering security isn't like delivering electricity; true security requires that the CEO/CFO/CIO actually _do_ things, and remember not to do other things, things that even the CIO doesn't want to be bothered with.
Re:It's just about everyone's policy. (Score:4, Insightful)
Because that leads to the mentality of:
"All our boxes are checked, therefore we are completely secure."
And then they sit on their ass until they get hacked, because they never think about all the checkboxes that aren't on the list, or have been added since it was compiled.
If you want to compile a checklist every day, sure, but that's a horribly inefficient way to do it.
Someone trying to break into your network doesn't give a crap about what you've done to secure it. They only care about the single thing that you've missed.
Re: (Score:2)
I don't get it. Security isn't like "egg-sexing" (determining the gender of unhatched eggs by feel) where no one knows how you do it, you get a recruit to watch you, then do it randomly while you correct them, and finally be able to sex chickens as well as you do. All the while no one knows (including you) how you do what you do.
Instead, it is a set of actions and processes we follow that can be described easily, simply. If someone knows the technologies and vocabulary, you can direct them over the phone.
With this in mind, why COULDN'T you have a set of checkboxes?
You deliberately exclude checkboxes such as "There should not be a + in /etc/hosts.equiv". If it's a checklist, it has to be pretty specific, and there's room to flood it with insignificant trivia so that no one has time to read it all.
I am aware of one publicly traded financial company that has an audit group verify information security. This is done by writing a series of general guidelines, specific policies, and then basically by a checklist. The checklist might include significant detail instead of jus
Re: (Score:3, Funny)
I hate that bank!! I lost $A_LOTTA_FUCKIN_MONEY in one of their ATM machines...
Re:Hey, that's OUR corporate policy !!1! (Score:5, Interesting)
I work for $LARGE_US_DEFENSE_INSTALLATION where the policies are in place, nobody follows them, and the 2 guys that are in charge of risk and infosec are so overloaded with "password reset" requests that they can't even look at the performance of those policies. Furthermore, if they wanted to change something, they'd have to wait for a bi-weekly configuration control board meeting, where the four other division chiefs would quickly shut down any project they propose because it would be too much work. and their people already have too much on their plates, etc... you name it. Its happening there.
How to suck? (Score:2)
Let people make their password "password" (Score:3, Funny)
Re:Let people make their password "password" (Score:5, Interesting)
I once wrote a program that did a weekly dictionary attack (using a standard *nix cracking utility) on the site's passwd file, and then sent out a notice (containing the password, so that it *had* to be changed) to the offending users and the head of IT (I was in another department, but had root access since I ran the majority of the gear).
Needless to say, it didn't make me very popular. But it sure as fuck made my point, both to management and to the users.
The people learn fast. (Score:5, Interesting)
They'd just modify their password to meet the minimum requirement to avoid your detection. Usually by taking the passwords they already use and prepending or appending whatever will get them past the scan. And then ALWAYS using that same technique.
_9%january
_9%february
_9%march
Yes, it appears to be more secure ... until you realize that you don't have to crack the CURRENT password. You can crack any of the sequence and then have a pretty good idea what the current one is.
People hate passwords and they particularly hate passwords that they have to change every 30 days or so. So they'll find a way to to (unintentionally) break your security just to make their life easier.
Re:The people learn fast. (Score:5, Insightful)
Hardly perfect, but it has its virtues.
Re:The people learn fast. (Score:5, Insightful)
1qaz!QAZ
2wsx@WSX
3edc#EDC
4rfv$RFV
They look great, but I guarantee that after one time watching me log everything is forever compromised. Good thing you didn't let me keep my easy (for me) to remember strong password.
Re:The people learn fast. (Score:4, Funny)
You're right -- these passwords are easy to crack, once you post them to slashdot.
Re:The people learn fast. (Score:5, Funny)
Re: (Score:2)
One quarterly password scheme I've heard of is to pick a city that has 4 major sports teams, and rotate through the year with the current team's name followed by the number of the year's season being played.
Re: (Score:2)
Wouldn't it make more sense for security to use two different rows of keys?
Like:
1qaz@WSX
Would probably be harder for someone shoulder surfing to figure out exactly what it is you did, too.
Re: (Score:2)
If they catch on to that one I'll just put it on a post-it on my machine.
Re: (Score:2)
Ah, you're trying to be an ass, because they're idiots. Got it.
But seriously...that's as insecure as you could get?
Maybe 1a1a1a1a would be a little more insecure.
Or 1a!A1a!A, if you need symbols in your passwords.
What are you minimum/maximum length restrictions?
You could always try "SÄ"cμÑ"Ñ-ïá 1$ ÃzÄ...ÐÅ£ÅY" if you really want to be obnoxious. Meets all requirements I've ever seen.
Upper case? Check.
Lower case? Check.
Numbers? Check.
Spe
Re: (Score:2)
Damn.
Stupid unicode that isn't.
That was supposed to say "Security is Pants", in all sorts of Greek, Arabic, and Cyrillic characters.
Re:Pseudo passwords (Score:2)
Great tip! I'll remember those!
Maybe I can return the favor.
I have promoted some takedown of the "fear mentality" that's crept up lately. When we had this discussion once at work, I said "We're just not that interesting for the world class guys. You guys *watched* me log in and you don't recall my password. It's fine."
While yours is visually too easy, a mnemonic pattern is a great source of passwords that are elemtarily robust to cold attacks. If someone in the glass office decides it's worth going hyper ab
Re: (Score:2)
At work I have something like 15-18 passwords to deal with, all changeable every 60 days. I use four each day just to log in (although two of them are the same) to my machine. That doesn't include logging into up to three different servers all with different passwords. Add various company portals, document repositories, and web interfaces to things like my personnel data, and it's just too many passwords to remember.
Just about all of these are 60 day intervals, and of course they aren't changing at the s
Re: (Score:3, Interesting)
Yes, it appears to be more secure ... until you realize that you don't have to crack the CURRENT password. You can crack any of the sequence and then have a pretty good idea what the current one is.
So, how does an outside attacker crack a password that is no longer valid?
Also, if you have a previous password, it cannot be brute-forced. You need a human on the other end to guess what the current password is.
Re: (Score:2)
Well, the point was to make sure that people didn't have easily cracked passwords. Not perfect ones. It was a stop-gap measure. And bear in mind this was almost ten years ago.
Anyone remember that quote that goes something along the lines of "every time we build an idiot-proof system, nature designs a better idiot"?
You can't make people smarter. You can only hit them with a stick when they do something stupid. Thankfully, you can program a stick above their heads.
Re: (Score:2)
A couple of years ago, I needed to access a Department of the Army system for my work. The password requirements included, I shit you not, alternating numbers and letters. A password including any two numbers or two letters in a row would not validate. They expected (I guess) people to use passwords like 5h8d3l7v.
Guess what my password was? 1q2w3e4r5t
I'm sure at least 50% of the users chose that same password.
Re: (Score:3, Funny)
That reminds me of a funny email about password rules that was going around, it went like this:
CORPORATE DIRECTIVE NUMBER 88-570471
In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.
RULES FOR THE SELECTION OF PASSWORDS:
1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.
2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.
3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.
4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.
5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.
6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.
7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.
Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.
Re:30 days (Score:2)
Yea, this one is true.
It's a little sneaky though. People go gung ho the first four months, because "we're being more secure".
Then some six months in it all starts to blur, and people wipe out.
"What was my password this month... was it xQlaTira? or that other one, YumNioxica? Aw hell, let's just reset it to my cat's name."
Re:Let people make their password "password" (Score:4, Interesting)
I'm surprised they didn't fire you after the first time. Most management types would see that as a threat and a violation of their security policy rather than a dedicated employee trying to make a point about security.
Re: (Score:2)
Comment removed (Score:5, Insightful)
Re: (Score:2)
Amen, brother, amen.
That's why I pick a phrase that I remember (like "goingtohellanyways"), do alphanumeric substitution on it, and then shift a character or two around. That way you just need to remember the phrase, the substitution is automatic, and then an association of the numbers with the phrase (like "hey, it has four words in it, let's just shift every fourth character around").
The fact that I can remember this for multiple accounts at once just indicates how obsessive I am. Or neurotic.
Re: (Score:3, Insightful)
It doesn't matter [...] if 90% of them then have to keep it written on a post-it
Actually, writing down your passwords and sticking the note in your wallet is not a bad idea. The only reason the post-it solution is bad is because it's on your monitor where it's open to abuse.
Re:Let people make their password "password" (Score:5, Interesting)
Funny that you mention it, I did the same when I was working for a company that, let's say, should be very security conscious. No hour after I sent out those letters (I was the IT department head, so there wasn't anyone but the respective users to mail to) I was called upstairs and my boss (who appearantly got one of the mails as well, I don't know, it was automated and I wrote it so that only the system and the person with the insecure password knew that their password was easily hackable) told me in very unmistakable terms that I will be fired if I try to hack our own system again.
Trying to explain that it is in my job description to ensure corporate security and that insecure passwords are a severe security risk did not help. He wanted security to be comfortable and nothing to worry about, and certainly not something that would require him to have anything to do with it.
I handed in my 2 weeks notice the very same day. It was a very well paying job, but I somehow felt that I will be fired eventually anyway when (not if) the company has to deal with a security breach. It did happen to my replacement no year later, and i guess it doesn't look good on your resume if you're dealing in IT security and have to admit you were fired for a severe security breach.
Re: (Score:2)
Hell, I did it just for fun.
But, then again, I didn't report to the people that would have potentially been pissed off (PHB's in IT), so the worst they could do was complain to my manager (who would have laughed them out of his office, he had the same ideas about security that I did).
Re: (Score:2)
But, come to think of it, I did almost get canned from one job after being told do clean up a /home volume and implementing a script that sent warnings if a user had files of set X or used N amount of disk space (N = total/users).
And for a similar reason...the bosses were the ones using up all the shared disk space with presentations and other bullshit that they could have easily put somewhere else. Yeah, the same bosses who told me to make sure the disk space was available for job data that needed to be
Re: (Score:2)
FYI, "no" is not a synonym for "one" (or any other number).
Re: (Score:2)
Thank you for the information. I guess my native language managed to influence my English again, I'll try to improve.
You sent passwords out in the clear (Score:2)
Good thing you showed them good security practices by sending out passwords in the clear. I don't follow how the notice made sure that they "*had*" to change the password; it would seem that ignoring the notice would work just as well.
Re: (Score:3, Interesting)
Re: (Score:3, Funny)
Hey! That's MY password you insensitive clod.
Well, now that you all know, I won't be held responsible for any trolling done on my account.
Where is slashdots list of mistakes? (Score:2, Funny)
- Expecting the site to dis Microsoft or to have to address this in a comment.
Re: (Score:2)
- Expecting the site to dis Microsoft or to have to address this in a comment.
We have a new Godwin. "In any slashdot discussion, the likelihood of dissing Microsoft approaches one."
How to get management to read it. (Score:2, Funny)
> Now if I could only find a way to get management to read it.
Re-route all web traffic to go to a "I've read and agree to the security policies" page that must be confirmed before they can browse any web sites. Put strong language in there letting them know their jobs are at risk if they break any of the security policies.
Re: (Score:2, Informative)
Wow: airing an idea about click-through EULAs on ./
Are you by any chance doing field trials for fireproof pants?
Yes (Score:2, Funny)
It's like I'm wearing nothing at all.
nothing at all.
nothing at all.
New topic on the theme (Score:4, Insightful)
I found an issue originally as it applies to free webhosts, but would probably apply to all the companies the other article says are gonna croak by 2010.
Step 1. "Register with your full real information! We need this info because we're gonna micropay you for _____ ." (Sorta true - they would need a mechanism to transfer actual payments. Assume they are legit and not a Nigerian scam.)
Step 2. "Bah, we know we never had a business plan, so we're gonna shut down."
Step 3. "Oh look, we just chucked our assets for $1000 on ebay without actually taking care to secure them. Now someone has your info."
Don't do background checks on new IT hires (Score:5, Funny)
Re: (Score:3, Funny)
We've had one former IT guy show up on the local most wanted list and noticed that a lot of unused equipment disappeared about the same time he was fired.
That's not nearly as funny as places that do background checks *months* after an employee has started. That leads to really interesting situations, where newly valuable employees have to face the possibility of being fired. The decision is completely random and is partially based on an HR person's reading of a background check report that they do not really understand. The employee's boss can also help them out if they want (but not every time, it's basically random depending on how it looked in the databas
The Big Take-Away (Score:2, Funny)
InfoSec in nearly all corporate environments breaks down into a couple of basic facts.
1. Do just enough, at the lowest possible price to maintain compliance and then everyone does their best to ignore it because it's all messy overhead costs.
2. Have someone in IT to blame. This is especially true if your title has something to do with infosec.
1 and 2 are a special kind of evil circular logic where the exec blame-shifts to the IT guy for their "buggy" porn-riddled trojaned corporate laptop. In the exec's c
Responsibility without power is an ulcer (Score:5, Insightful)
Power without responsibility, though, is a nightmare.
My personal pet peeve is managers who demand full access rights for their accounts while at the same time ignoring any security standards. It pretty much fits into the "security guidelines that don't apply to executives" problem.
It usually takes a very long time to explain why limited rights are actually good for you. What usually works out is to tell people that you cannot be blamed for anything you don't have privileges for. If something goes wrong, you can push responsibility away and claim you couldn't be responsible for it because you simply didn't have the permissions necessary to do it.
Believe it or not, this argument is way stronger than any increased security you could use as an argument.
At the same time I pity everyone who has to work in such an environment, where people are actually more concerned with covering their backs and blame shifting games rather than overall performance increase and setting security standards.
Re: (Score:2)
At the same time I pity everyone who has to work in such an environment, where people are actually more concerned with covering their backs and blame shifting games rather than overall performance increase and setting security standards.
Amen. CYA is the new national anthem.
10 year infosec vet (Score:3, Funny)
Forgot one: Physical Security (Score:3, Insightful)
Don't run a Cargo Cult (Score:5, Insightful)
The biggest problem with security is often that the IT people don't understand what the computers are actually used for. And worse: Don't even want to know. They have converted their IT job into a cargo cult.
They then define security policy as the unilateral invention of the IT department, stressing how to be secure as opposed to how to work securely. Ignoring that the best way to be secure is to pull the plug, of course, as that would put them out of a job as well.
The result is usually an IT policy that conflicts with getting work done, and therefore is undermined by employees at every opportunity. Overall security result: Zero. But lots of mutual loathing and recrimination.
In some fields this is frighteningly common. I've been in debate sessions with a few score of colleagues, most of them working with competing firms, and found them in universal agreement that their IT department was hopeless and they would be better off doing everything themselves. Several of them had already set up their own systems, quick and dirty and probably with pretty poor security. But it worked for them, which is all what mattered to them --- at the time.
The lesson is: Always define your IT policies, security and others, together with the users. Especially the heavier consumers of IT resources and the users with the most skills, for they have the know-how to bust the security systems, and their example will be followed by their peers. Make sure policies are acceptable to everyone and the logic behind them is well understood.
Secondly, make sure to always be there to offer help when someone has a problem that needs to be solved. You want to be part of that solution. And never, never say that it just can't be done.
Don't ask for security you won't use (Score:2, Funny)
At my last job, SEVEN MONTHS AGO, I was asked what was needed to make SQL Query hacks impossible.
So I wrote out a long list, and it just sat there on their server for future use in upcoming projects.
Meanwhile, 100,000 sites went done to SQL Injection attacks later that month.
I feel like I was writing a guide for recent layoffs for the people who worked there who thought their job was threatened by a new programmer.
And I'm sure my report was ignored by people who actually worked there.
Heh (Score:2)
I took a 4-5 year "break" from security (switched to other areas, kept 'in touch' with my first love ;), because it really turned into all these things mentioned in the article.
I'm now looking to come back, I can't even imagine how it's going to look like in corporate environment, but something tells me I'll be disappointed :(
How to "get management to read it" (Score:5, Funny)
Wait 24-48 hours.
Then send out an emergency communication via phone, e-mail and red-letter memo requiring that ALL COPIES of the IT security analysis be RETURNED TO YOU or SHREDDED immediately.
You'll get your eyeballs.
Obviously not to be overused - I've done this three times in a 20+ year career.
Re: (Score:2)
Rather, wait for the "Security for Power Users" edition. You don't think an exec would willingly put a "for dummies" book on his desk or, worse, onto his shelf where someone might see it?
Re: (Score:2)
Actually, they do.
It's a new kind of "hip prop", saying "haha, look at me I'm old because I've been too bsuy cutting deals to go to school for this stuff..."
Re: (Score:2)
This is Slashdot. Expect a dupe in a strong or two.