Security Basics mailing list archives
Re: Re: Article: "Security Absurdity: The Complete, Unquestionable, And TotalFailure of Information Security."
From: generaldisarray04 () gmail com
Date: 19 May 2006 19:09:05 -0000
Security is a process and not any kind of a tool, but I'm certain we all understand this. Regulations, testing, tools et al. only serve to support said process. But even the process falls short of effective security simply because you're still dealing with the weakest link in the entire chain: you! Yes, you! The human element, the weakest link, the person who will ultimately make a mistake that either singularly or in aggregate could bring risk to the security process you practice. The human element is often THE root cause of weakness within any organization. You can't fix stupid. How many of you have ever left the door to your house or car unlocked? The control was there but YOU made the mistake.

Other examples:

- Firewall logs are only as valuable as the person who is reviewing them. But does that person really understand what they're looking at?
- Intrusion detection is only as effective as the individual crafting the rules and how well he/she understands the environment they hope to protect. But has he/she turned off certain alarms because they kept generating presumed false positives?
- The internal network is only secure from intrusion if you have a total understanding of all possible points of entry. What about physical security over the data closet in that remote plant you never go out to visit?
- The policies you preach only have teeth if you enforce them. How many IT folks bypass Internet filters or proxy servers because it interferes with sites they need to surf? For work, of course!
- Audit reports seldom produce measurable results because often the auditors (who have only been onsite for 2 weeks) have no clue about what they're auditing, much less the tools they've run or the work plans they're following. Not always the case, but more the rule than the exception.

In essence, we're left with training, awareness, and communication efforts that seldom get attention. That's too much like training, and who has time for it, much less the budget?

Oh, but SOX, HIPAA, PCI etc. are devouring budget and attention these days. And while I agree with needing 'key controls' for effective security, common sense has left the stage. The very regulations that were created due to poor auditing practices are now being leveraged to increase billable hours. I digress. If the culture of any organization believes security to be a non-issue then it certainly will remain that way. Tone at the top is paramount. To abuse an old adage: it's the people, stupid! Spend all you want, but if your people are not properly trained, on a continuous basis, know their roles/responsibilities, and understand current/emerging threats to the organization, then you've gained little. Tools, policies, procedures and audits will not save you. The culmination of process plus people is what produces effective but not total security. Changing any culture to reflect this is difficult at best.

Steve Knight CISA, CISSP