
The Failure of Information Security

Posted by ScuttleMonkey
from the everyone-is-happy-until-something-breaks dept.
Noam Eppel writes to share a recent editorial regarding the current state of information security. From the article: "It is time to admit what many security professionals already know: We as security professionals are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."

  • by giorgiofr (887762) on Wednesday May 10, 2006 @05:48AM (#15299635)
    "We as security professionals are drastically failing ourselves, our community and the people we are meant to protect."

    This is quite harsh. While it is true that more could be done, it is also true that it is thanks to security professionals that things are not as bad as they could be. Yeah, Norton and McAfee are doing their best to scare consumers into buying software that provides ridiculous security. But this is not what we mean by "professionals".
    Also, I am not a "security professional" but I have done my fair share of configuring and securing other people's computers; sometimes they might have been compromised anyway, but if I had done nothing, many more systems would have been in danger.
    The article lists a long series of threats that endanger our systems every day, but I fail to see how they are related to security professionals not doing their job. I'd rather blame the criminals.
  • Interesting but... (Score:5, Interesting)

    by datafr0g (831498) * <datafrog.gmail@com> on Wednesday May 10, 2006 @05:56AM (#15299650) Homepage
    I've read the article and while it's a very informative collection of statistics, I don't believe that Security Professionals are responsible for many of the "Security Failures" listed, nor can they fix the problems. Security Consultants already know most of this stuff and can say what they like to a business, but they do not make the final decision. The holes are in the OSes and the platforms businesses choose, and generally the priority isn't security; it's usability, ROI, cost, etc.

    Another point: What are we comparing this to anyway? What I mean is, "bad security" compared to what? How many millions of attempts at compromising security are foiled vs. those that get through? The times when businesses actually follow what a security consultant recommends, I guarantee they become a hell of a lot more secure than those that don't.
  • by jtvisona (971081) on Wednesday May 10, 2006 @05:58AM (#15299655)
    It seems to me that if the computer networks and computer industry enjoyed real regulation, any yahoo who passes a CompTIA test wouldn't be able to claim to be a computer consultant, or a security expert, and be allowed to set up crap that allegedly puts our nation at risk via cyberterrorism, as the trumpeters keep blaring. Imagine if anyone could just say he was a lineman and start modifying the power grid, or a police officer and start arresting people. If data is as important as power and control (they are all important types of buses, no?), then data people have to be better trained and regulated like power and control people. Ah, but it's a nascent profession...
  • by Anonymous Coward on Wednesday May 10, 2006 @06:05AM (#15299666)

    The Coming Singularity [blogcharm.com] compels us to get our security act together before all is lost and our technological world collapses.

    Security in artificial intelligence [iuniverse.com] is approaching a winner-takes-all moment of truth on which hangs the fate of the world.

    The Joint Stewardship of Earth [wikocracy.com] under human and robot control requires mutually assured defusing (MAD) of security issues for the legacy human society and the supervenient robot society.

  • Corporate mentality (Score:5, Interesting)

    by Aceticon (140883) on Wednesday May 10, 2006 @06:20AM (#15299689)
    The management level corporate posture towards IT security goes like this:
    - We want to have our machines and network secure as long as it doesn't cause too much hassle to people and we don't pay a lot for it.

    In other words, forget about big hardware changes, forget about changing the OS/E-mail client/Word editor/Web browser on the desktops of the staff, forget about getting all laptop users in their own sub-network and forget about retraining our staff to use computers in a way that helps improve our IT security. Oh, and by the way, if the CEO or some other VIP has some funky new program on his laptop that can't connect to the Net, just open those ports in the firewall.

    And now IT Security professionals are to blame?

    What's next? Maybe the cleaning lady at Enron was the one responsible for defrauding the investors?

  • A ridiculous article (Score:4, Interesting)

    by rann (533322) <rubin@xs4all.nl> on Wednesday May 10, 2006 @06:35AM (#15299726) Homepage
    I usually don't post but this article is really too much.

    In other news, firefighters KEEP fighting fires worldwide! Despite their work, fires seem to keep burning stuff all over the world! Shock!

    News at 11! Ambulance personnel and hospital staff are fighting an uphill battle! Patients keep coming in! Where does it end?

    Seriously, as long as you have people using any mechanism (computer/car/whatever) there will be people who break it, people who benefit from breaking it and people who try their utmost to KEEP it from breaking.

    I'm *really* looking forward to the followup article which will tell us all how to "fix" this. Mayhaps a rant on buffer overflows? the virtues of "safe" languages? sane input validation? sigh.
  • Re:The Human Factor (Score:3, Interesting)

    by Caledai (522776) on Wednesday May 10, 2006 @06:44AM (#15299750)
    In relation to giving access to a share for large files [> 200 GB]:

    Me: Ok, give me the names you want to have write access to this share.
    Boss: "I can't be bothered to give you all the names, just give them all access" [Hundreds of Users]
    Me: You realise that defeats the purpose of having home folders & quotas, that they can delete anything on the drive, and that we have no backup policy or the facilities to back up that drive [> 200 GB].
    Boss: So... Just Do It
    Sound familiar anyone?
    This is just basic NTFS and share access rights - nothing complex.
    And I am just a technician - not a security consultant. If they ignore us when we say this - what makes you think they are going to listen to a consultant telling them something they have already dismissed?
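The "just give them all access" decision in the comment above is a share-permission problem a technician can at least detect after the fact. The following PowerShell is an added example written for this page, not code from the commenter or from the article: it lists every share-level and NTFS allow entry on a share that grants write or delete rights to a broad principal (Everyone, Authenticated Users, Domain Users, BUILTIN\Users). It assumes the SmbShare cmdlets (Windows Server 2012 / Windows 8 and later) and that the share is on the local machine; the share name BigFiles and the group CORP\BigFiles-Writers are placeholders.

```powershell
# Added example: audit a file share for write/delete access handed to
# broad principals. Not part of the original discussion.

# Principals considered "everybody" for the purpose of this check
# (hypothetical list; extend to match the environment).
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Domain Users'
)

function Test-BroadPrincipal {
    param([string]$Account)
    # Match on the trailing name so both 'Everyone' and 'CORP\Domain Users' hit.
    foreach ($p in $BroadPrincipals) {
        if ($Account -like "*$p") { return $true }
    }
    return $false
}

function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$ShareName)

    $share    = Get-SmbShare -Name $ShareName
    $findings = @()

    # Share-level ACL: 'Change' and 'Full' both allow create/modify/delete.
    foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ([string]$ace.AccessRight) -in @('Change', 'Full') -and
            (Test-BroadPrincipal $ace.AccountName)) {
            $findings += [pscustomobject]@{
                Layer     = 'Share'
                Principal = $ace.AccountName
                Rights    = [string]$ace.AccessRight
            }
        }
    }

    # NTFS ACL on the share root: any of these bits lets the user alter or
    # remove other people's files, which is the commenter's objection.
    $writeMask = [System.Security.AccessControl.FileSystemRights](
        'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
    foreach ($ace in (Get-Acl -Path $share.Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) -and
            (Test-BroadPrincipal $ace.IdentityReference.Value)) {
            $findings += [pscustomobject]@{
                Layer     = 'NTFS'
                Principal = $ace.IdentityReference.Value
                Rights    = [string]$ace.FileSystemRights
            }
        }
    }
    return $findings
}

# Usage (placeholder share name): anything returned is a finding.
Get-BroadWriteAccess -ShareName 'BigFiles' | Format-Table -AutoSize
```

Both layers are checked because the effective permission is the more restrictive of the two: a share left at the default "Everyone: Read" is harmless even if NTFS is wide open, and vice versa, so a finding on only one layer is a latent problem rather than a live one. The fix the commenter wanted is the usual one, a named group rather than Everyone, e.g. `Revoke-SmbShareAccess -Name BigFiles -AccountName Everyone -Force` followed by `Grant-SmbShareAccess -Name BigFiles -AccountName 'CORP\BigFiles-Writers' -AccessRight Change -Force` (group name is a placeholder), with the NTFS ACL on the folder tightened to match.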
  • by Phemur (448472) on Wednesday May 10, 2006 @07:05AM (#15299802)
    I'm honestly not trying to flame or be sarcastic; I truly don't understand the issue from a user's point of view. My computers have been infected once by spyware in the last 10 years. No viruses, no rootkits, no malware, nothing. Since I'm not an information security expert, I don't have l33t skills to help me stay secure, so why have I not been affected?

    Seriously, I'm asking. :-)

    Here's what my wife and I have been doing. We both have computers, and we use them for very different things. Mine is for games, programming and the internet, and my wife's is for CAD, Photoshop and the internet.

    They're both pretty much set up the same, other than the OS. My wife's runs Windows 2000 and mine runs XP. Both are connected to the Internet via a Linksys wired router. Both run Firefox only as the web browser. The Windows 2000 box runs ZoneAlarm as the firewall, and mine runs Windows Firewall. We both use GMail as our email tool.

    Other than that, there isn't much security software installed. I don't even have an anti-virus.

    I am pretty diligent at applying patches, however. Firefox and ZoneAlarm both notify me when a patch is available, so I apply them when they pop up. I run Windows Update weekly. I also have Ad-Aware and Spybot Search & Destroy, which I run weekly as well. Other than the usual ad cookie (DoubleClick, etc.), they've yet to discover anything.

    The only problem I've had with machines is with a bit of spyware that got installed. It was one of my wife's first online experiences, and she clicked on something she shouldn't have, AND she was running IE. I ended up reinstalling the OS, and after a very short Firefox tutorial, it was the end of spyware on her computer.

    (As an amusing side effect, she's now become quite the advocate for secure online habits and for Firefox. Most of her family and friends are all Firefox users now. Can we get a free T-Shirt :-) ).

    So what's the problem? Is it bad habits, or is it really that bad out there?

    Phemur

  • by Anonymous Coward on Wednesday May 10, 2006 @07:19AM (#15299836)
    The problem these security experts have is that they have workmanship pride, and human decency. These things are drawbacks in the capitalist (especially the US) system. It is designed to maximise capital growth. It does not maximise human happiness or the growth of humanity, though a lot of people who benefit from the system to the detriment of others would like you to believe that.

    The perfect slave is one that has been convinced that the shackles are for his own good.

  • The real problem... (Score:2, Interesting)

    by bingbong (115802) on Wednesday May 10, 2006 @09:26AM (#15300377)
    It is all too easy to point the finger. The 'vulnerabilities' listed are in fact many tiered and go back to the founding of the 'internet.'

    It is affected by all the layers of the 'net

    Transport:

    Remember that the net was designed to be an alternate method of communication for the US Defense Dept in the event of a nuclear conflict. This means it was designed with the (then quite valid) assumption that all those connected were 'trusted' as it was an entirely closed system.

    OS Architecture:

    Consider that the number one (in terms of number of users) OS company didn't consider security as part of their OS architecture until their 2000 release. Even then it was limited by the 'need' for backwards compatibility with previous systems.

    Application Code:

    Ever notice that the SDLC doesn't have any security concepts as part of it? While there are now methodologies (such as CLASP) that help introduce security into the dev process, we still have a culture that is blissfully uninterested in security. A lot of developers have no idea what race conditions or overflows are, much less how to prevent their occurrence.

    Management Layer:

    Product managers only care about getting something 'shippable' out the door by their magical ship date. Bugs and such can be fixed 'later.' Most suits only started caring about security (other than as a marketing tool) when their firms started getting slammed in the mainstream media and it started to affect the value of their stock options.

    End users: While we absolutely have to have pity for grandma who just bought her new computer, somehow people shut their brains down when they get in front of the monitor. If someone walked up to you in the street and said 'hey, give me your bank account information so I can wire you some money from my country and you get to keep some', they would call the police. But when it's in an email...

    Media: The media has had some good benefits in terms of making security an issue, but they are also good at causing the management teams to focus their energies on the wrong problems. Remember a few years back when the DDoS attacks started happening? The news reported that the big content providers were getting hammered. The real story at the time was the botnet that launched the attack. Botnets are in the media now, but a couple of years too late.

    Basically there is no one person or group to blame. The entire system is fundamentally flawed on all the levels, and the results are cumulative.
  • by scoove (71173) on Wednesday May 10, 2006 @10:22AM (#15300765)
    The story makes some good points, but blames the wrong people.

    Exactly. Senior management (aka the "C level positions" like CFO, COO, CEO) just refuse to integrate information assurance, integrity and control into their practices. It is no different than rejecting GAAP and instead using creative accounting à la WorldCom and Enron. Yeah, this stuff is hard and complex. But so is the world of finance, and yet we are required to figure it out there.

    I work for a firm that consults to smaller financial institutions for their IT audits, security and risk management areas. These smaller organizations lack a lot in resources but the senior managers are usually committed to improvement (it helps that they're regulated to do so).

    But regulation doesn't always help. I just turned down a job offer for the senior information security position for a large insurance company in our area after going through several interviews. I discovered that they wanted someone to sit in an office, use a proprietary security suite to generate reports to make sure they were in the file when the regulators come, and otherwise leave things alone. Zero access to C people. They were shocked (and the headhunter pissed since he thought he was getting a commission out of this one) but I refuse to be the certified auditor who signs off on a broken system with unaccountable senior managers.

    I asked the Senior VP of Operations what he thought information security was, and as expected, I got a technical answer - "managing firewalls, IDS, making sure people are using good passwords, staying on top of the directory services, etc." Not a single comment about the administrative area, let alone risk issues. If we security professionals are remiss, it is in accepting a paycheck from firms that refuse to operate ethically in this area.
  • by lon3st4r (973469) on Wednesday May 10, 2006 @02:21PM (#15302743)
    Most security breaches happen because of social networking "hacks".

    I got a call from "citibank" the other day on my office phone. They said they have a pretty good offer to give me and went ahead and gave me a fantastic offer. Then they asked me my full name (ahem!). And then they asked some more details (innocuous ones) until finally they asked my credit card number. That's exactly when I hung up. I know people who would happily give out this information without even realising what's happening!

    There are also instances of people being asked to fill in forms which ask for too many personal details, and I have seriously wondered, "what if this falls into the wrong hands?" They could use that info to break open *most* passwords to my mail and other internet accounts.

    In fact my Manhattan card account personnel only ask for my name, address and telephone number for verification! Jesus!

    So my question is, that if somebody does a security breach via social networking; how is it that "information security" has failed?
