Security Basics mailing list archives

RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."


From: "Conlan Adams" <conlan () midwesteyebanks org>
Date: Thu, 11 May 2006 08:28:18 -0400

You know, it's really easy to blame the issues of computer security on
the information security professionals.  In reality though, it's much
more often an issue of the users of the technology themselves.  Then you
get to the much larger question of whose job it is to train the users?


Computers aren't simple appliances; they aren't a toaster where you push
the button and it makes toast.  Even when they can be that simple, you
always have someone sticking their fingers inside, or prying with a
knife and getting shocked or burned.

To drive a car, in my state at least, you need to log hundreds of hours
behind the wheel practicing with a licensed individual, go to a
certified training course, and pass tests that say you're safe to use
it.  Should we do this for computers?

Moreover, just as Drivers Education doesn't include things like how to
change or check your brakes, it does encourage regular professional
maintenance.  Should we tell users to bring computers in for their
three-month checkups for patches and general maintenance?  Would they be
willing to do it, and pay for it?

I do notice that they point the finger at IT professionals all over the
place, and in some cases it's warranted, but they fail to give any
solutions.  It's a case of "here's the problem, and why it's your fault."

By no means am I saying that we as security professionals don't have our
share of blame in this issue, but I don't feel it's "our" issue alone.



-----Original Message-----
From: Sadler, Connie [mailto:Connie_Sadler () brown edu] 
Sent: Wednesday, May 10, 2006 1:01 PM
To: email () securityabsurdity com; security-basics () securityfocus com
Subject: RE: Article: "Security Absurdity: The Complete, Unquestionable,
And Total Failure of Information Security."

 
I think there is a *lot* more to this, but don't have the time to fully
respond. Good things to think about - yes! But InfoSec has never had the
authority to do what's best. Ideas are floated and quickly rejected, and
the "balance" we all try to provide is as much as many of us can "push"
out against a very resistant culture.

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Office: 401-863-7266



-----Original Message-----
From: email () securityabsurdity com [mailto:email () securityabsurdity com] 
Sent: Wednesday, May 10, 2006 12:54 AM
To: security-basics () securityfocus com
Subject: Article: "Security Absurdity: The Complete, Unquestionable, And
Total Failure of Information Security."


Security Absurdity: The Complete, Unquestionable, And Total Failure of
Information Security.


A long-overdue wake up call for the information security community.


Article: http://www.securityabsurdity.com/failure.php

