Security's Everyman

Security's Everyman

Tuesday, February 20, 2007

Basic Security

I try to talk to lots of people who are in IT and especially in Security. I like to get a feel for what is going on in various organizations with respect to security. I'm curious about who has a grasp on what security really is and who has no clue. I've discovered that there are lots of companies who really have a very limited view of security and who only practice basic security. They do just enough to get by and make the auditors happy. As we all know security is not achieved by being compliant.

I'm often surprised at what companies allow to happen on their networks.

  • Leaving access points open or with minimal security
  • Allowing any consultant, auditor, or "friend" to connect to the network
  • Opening ports in the firewall because the "need" this application.
  • No Acceptable Use Policy for computer and network access
  • Allowing administrator access to local systems
  • No hard drive encryption
  • Etc, etc, etc,.....
It just doesn't seem to end. They they wonder how they got compromised. After all, their auditor said that they were fine. Auditors, for the most part, are not security professionals. I've met a few who really knew security, but most of them just carry around their checklist and take notes.

I've also discovered that many Security Professionals who work in these organizations are really frustrated. They work hard to keep things safe only to have Management subvert the process because it makes things easier. I've been there myself.

As I talk to people at all levels of IT management and in the field I realize that many people don't think about security being a key issue in IT. They assume that if they are behind a firewall and have AV installed then they will be OK. They don't realize that this is not 1998 any more. It often shocks me because I assume that everyone who is in IT thinks security. Even before I started focusing on security in my career I just naturally took security into consideration when doing my networking duties. I thought it was just how things were done. Then I remember the stories I read, the people I talk to and the things that I've seen and am reminded that many people don't realize that security needs to be a natural part of IT. Basic security is often ignored and when it isn't it is often just enough. Just enough is never enough.

That is why I think that those of us in Security have to keep fighting hard to keep us safe, all the while preaching and teaching real security to all that will listen to or read what we have to say. We have to argue our point with management and give them hard facts as to why what we have to say is worth listening to.

1 comment:

LonerVamp said...

I've also discovered that many Security Professionals who work in these organizations are really frustrated. They work hard to keep things safe only to have Management subvert the process because it makes things easier. I've been there myself.

Amen to that. Often you will see companies make plans to go one way, full well knowing the risks, and then when something bad happens like a client experiences bad service or unmet expectations, their eyes go wide and they play dumb saying, "how could this happen?"

Too many companies, to save some bucks, will just feign ignorance and accept the risks. Sometimes this is a good decision as perhaps their risk is so low that the chances of an occurrance are slim. Sometimes these are bad gambles...

I think it is natural that people want to first get things done, and then secure later...

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.