Re: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."



Security is a "process" and not any kind of tool, but I'm certain we all understand this.

Regulations, testing, tools et al. only serve to support said process. But even the process falls short of "effective security" simply because you're still dealing with the weakest link in the entire chain: you!

Yes, you! The human element, the weakest link, the person who will ultimately make a mistake that either singularly or in aggregate could bring risk to the security "process" you practice. The human element is often THE root cause of weakness within any organization. You can't fix stupid.

How many of you have ever left the door to your house or car unlocked? The control was there but YOU made the mistake.

Other examples:
- Firewall logs are only as valuable as the person who is reviewing them. But does that person really understand what they're looking at?
- Intrusion detection is only as effective as the individual crafting the rules and how well he/she understands the environment they hope to protect. But has he/she turned off certain alarms because they kept generating presumed false positives?
- The internal network is only secure from intrusion if you have a total understanding of all possible points of entry. What about physical security over the data closet in that remote plant you never go out to visit?
- The policies you preach only have teeth if you enforce them. How many IT folks bypass Internet filters or proxy servers because it interferes with sites they need to surf? For work, of course!
- Audit reports seldom produce measurable results because often the auditors (who have only been onsite for 2 weeks) have no clue about what they're auditing, much less the tools they've run or the work plans they're following. Not always the case, but more the rule than the exception.

In essence, we're left with training, awareness, and communication efforts that seldom get attention. That's too much like "training," and who has time for it, much less the budget? Oh, but SOX, HIPAA, PCI, etc. are devouring budget and attention these days. And while I agree with needing 'key controls' for effective security, common sense has left the stage. The very regulations that were created due to poor auditing practices are now being leveraged to increase billable hours. I digress.

If the culture of any organization believes security to be a "non-issue" then it certainly will remain that way. Tone at the top is paramount.

To abuse an old adage: it's the people, stupid! Spend all you want, but if your people are not properly trained on a continuous basis, do not know their roles/responsibilities, and do not understand current/emerging threats to the organization, then you've gained little. Tools, policies, procedures and audits will not save you. The culmination of process plus people is what produces "effective" but not "total" security. Changing any culture to reflect this is difficult at best.

Steve Knight CISA, CISSP
