
The Failure of Information Security 172

Noam Eppel writes to share a recent editorial regarding the current state of information security. From the article: "It is time to admit what many security professionals already know: We as security professionals are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."
This discussion has been archived. No new comments can be posted.

  • Where is our backup? (Score:1, Informative)

    by Anonymous Coward on Wednesday May 10, 2006 @07:17AM (#15299829)
    The failings of information security are (99.99% of the time) not the fault of the officers within that department. The lack of management buy-in to support policies is our number one problem. The technical teams (server managers, network support etc) see us as a hindrance which must be battled and argued with (sometimes just for the hell of it) every step of the way. We offer numerous suggestions on how we can integrate our teams and communicate better, and then we're promptly ignored. We offer to help develop secure baseline builds for OS installs and router/switch configs and then are basically told to "get stuffed" by the people in those teams. Management have little to no interest in the concerns we document and supply to them, and even when the issues are taken up the food chain they get sidelined as it is always deemed too much hassle. We invite external vendors in to help us develop a patching procedure and customise our backup processes to suit our environment, then the server admins do something completely different claiming that they don't want to be responsible for maintaining the supporting documentation. HR refuse to update their AUP acceptance process because they don't want to manage the overhead, despite us advising them numerous times that if the users have not acknowledged the policies then prosecuting "unauthorised access" under the Computer Misuse Act is made so much more difficult.

  • by Anonymous Coward on Wednesday May 10, 2006 @07:17AM (#15299833)
    I work in USG IT - in the dissemination area (websites). We are spending more on IT security paperwork than anything else. Security documentation "C&A" packages are written in the field, rewritten, reviewed at a regional HQ, rewritten, reviewed at a national HQ, rewritten, reviewed by a 3rd party contractor, rewritten, reviewed again at HQ, rewritten, then passed up to the next level of government and the process starts all over again. We are a line office, so there is the bureau layer, then the cabinet agency level before the C&A package goes to GAO for grading.

    Bet for every $100 spent on the paperwork, less than $1 is spent actually securing systems. The IT security officer's budget dwarfs the dissemination budget and our information saves lives.

    We have more contractors reviewing C&A's than programmers creating code to deliver our information. Out of this army of contractors, there is a single USG employee who is an outstanding system security engineer and is someone we can go to for a technical solution. And the line outside this guy's cube is long.

    And the joke of it all is after all this review, GAO still gives us a grade of D-.

  • Errare humanum est. (Score:3, Informative)

    by abb3w ( 696381 ) on Wednesday May 10, 2006 @11:25AM (#15301221) Journal
    A response to that sort of ignorant mentality is Yes, Sure, No problem, I just need you to send me a memo resolving me of an internal and external legal action and contractual reasonability I have when corporate information IS lost or maliciously changed.
    You may need to first draft a memo, spelling out the potential security consequences you anticipate, and insist that the boss provide a responding memo that specifically lists them, states that he has considered them, and that you are completely absolved of internal and external responsibility for any of the consequences. If you get one in response, be sure to forward a "file copy" to the company's legal department (which may result in a panicky highest-level countermanding order), and keep a personal copy off-site in the file with your copy of your employment agreements and NDA. (You do have such a file, right?) If your company has an internal audit department that handles security audits, forwarding a copy of it in their direction may also generate abrupt entertaining activity.

    More troublesome is if a problem happens later, and although you are not held responsible (having sensibly covered your ass beforehand as above), you're told to "cover it up". If your company has an ombudsman, a rapid visit is in order; otherwise, lawyer up and find a new job... fast.
