10 Information Security Mistakes: a False Sense of Security – by Lenny Zeltser

December 17th, 2010

10 Information Security Mistakes: a False Sense of Security – by Lenny Zeltser – reprinted with kind permission.

You should mosey on over to Lenny’s blog and take a look at the whole article. It is good reading, and it shows how non-security personnel perceive security in the decision-making process. How do we get past that? If we don’t get past that, we are at risk. Here are the bullet points:

1. The organization captures event logs, but the auditing level lacks the details needed to identify security incidents or investigate intrusions.

2. The organization has an information security policy that no one actually follows.

3. The organization performs vulnerability scans, but does not have a consistent process for addressing the discovered security issues.

4. The organization conducts a penetration test without including employees’ workstations in the project’s scope.

5. The organization tightly controls traffic from the Internet without restricting and monitoring outbound network activities.

6. The organization relies solely on anti-virus software to address malware threats.

7. The organization encrypts passwords stored in the database, but uses a weak encryption algorithm.

8. The organization deploys a data security tool without customizing and tuning its configuration.

9. The organization hires an information security officer without empowering the person to critique IT decisions or to affect change.

10. The organization assumes its data is secure because it recently passed a compliance audit.
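Mistake 7 is the easiest of the ten to show in code. The example below is added here and is not from Lenny’s post: a weak scheme (one fast, unsalted hash, the kind of “encryption” the bullet warns about) next to a hardened one (a per-user random salt and a deliberately slow KDF from the Python standard library). The record format and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Weak scheme (mistake 7): a single fast, unsalted hash over the password.
# Two users with the same password get the same record, and a precomputed
# table of common passwords breaks the whole dump offline in one pass.
def weak_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)

# Hardened scheme: random salt per user plus PBKDF2-HMAC-SHA256.
# ITERATIONS is an assumed value for this example; tune it to your hardware.
ITERATIONS = 200_000

def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    # Record format (assumed): algo$iterations$salt_hex$derived_key_hex
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)

def leaks_shared_password(scheme: Callable[[str], str]) -> bool:
    """True if storing the same password twice yields identical records,
    which tells an attacker holding the dump which users share a password."""
    return scheme("correct horse") == scheme("correct horse")
```

A quick audit check for an existing database is to look for repeated password records: with the weak scheme they are common, with a salted KDF they should never occur.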

All too often a lack of knowledge in the security field is a factor in why it doesn’t get done properly, and that lack of knowledge is more often than not in the upper management layers (not totally their fault). There is also the perception that any spend in these areas is frivolous, so we do the minimum protection to get by. At least there is protection, but what is the net-net of not getting it done properly? How much revenue is lost for every hour that the company is not operating? Is it that serious? Yes, it is! Do they know that?

We all know the barriers we have to get through, and paying lip service to the security issues in any company is going to come back and bite your butt. Those that have audit standards to meet are going to be more secure, for the most part, but any one single hole can bring you to your knees. We know how the threat landscape is morphing, but the fact is the threat is still there, no matter which arena it is, or will be in.

One factor is the security guys having the wherewithal to get the execs’ attention and duke it out intellectually with them. Put ourselves in their shoes and work out the best way to get the message across. Does that mean pandering to personalities? Probably, but if it works, who cares, right? Okay, so we shouldn’t have to, but I don’t think they know geek speak. Put it in business terms and stand by your assertions and you might be surprised at the results, but most of all be professional.

Information is power – that phrase is profound in so many ways, and it’s up to us to spread the word. We have to break out of the boundaries of our roles to meet the senior management team halfway, and make sure they understand the risk – even if it takes five attempts, as long as it gets through in the end. Remember – professionalism!

Back to Lenny’s post, it’s informative and oh-so-true for a lot of organizations that I know of. After all, who signs off on the audit? It isn’t me … but I still hold myself accountable!
