Top 5 Information Security Annoyances

I'm generally a tolerant and easy-going sort of person. There's a fairly short list of things that get my goat. For instance, our local doctor's surgery has a call queuing system with 6 different options. However, I know for a fact that there's only one person working in the reception and that regardless of which button you press (press 1 for a long wait etc etc) after about 12 rings you'll get through to her. How pointless is that? Our home phone number is fairly similar to a local pizza take-away place. At least a few times a week I'll take orders. Sometimes, I tell the caller that I've got no pizza left but they are welcome to have some of what I'm having...

The information security industry can be similarly infuriating at times. Here's a short paragraph on each of the five things that wind me up the most:

1. Security awareness programs


A whole cottage industry of consultants and websites has been built up around the perceived need to educate company employees about information security. It's all a waste of time and money. Certain individuals will point to a reduction in the number of lost laptops as a measure of success, or an increase in the number of people who can correctly click "a). All policies are on the Intranet" in a multiple choice questionnaire. The fact is that security awareness programs are received within the organisation with about as much enthusiasm as a plate of sick. The key to good information security is strong governance, good communication and well managed, decent processes. Security awareness programs sap energy and resources, and have little positive effect. Drop them.

2. Compliance = security

Nothing reduces the security status of a business faster than a blind determination to achieve compliance with a policy or a new regulation. PCI is the obvious one, with whole armies of "Qualified Security Assessors" driving their company Mondeos up and down the motorways of England en route to the next company that's fallen into the trap of believing that so long as they can tick all the right boxes they are protected as if covered by some magic force-field. Having the certificate that says "compliance" tells you nothing more than that on the day the assessor came, you had the right combination of smoke and mirrors in place to pass the test. Information security is not a compliance project. It's an ongoing program without an end-date.

3. Risk modelling


Many "experts" preach the importance of working through risk models. It's a load of tosh. No matter which way you try to do it, you'll always come out with the answer you first thought of. You might as well use a crystal ball and read tarot cards. Nobody needs to work through a complex risk model to understand that if a retail website suffers a denial of service it'll have some financial consequences, or that if the internet connection is lost there won't be access to the..er..Internet. I've got better, more constructive and practical ways to spend my day than conspiring over risk models. Much more relevant is threat modelling - understand your systems and know the business so that you can make relevant risk-based decisions.

4. Where are all the analysts?


Here are two examples of what I mean. i) A vendor does a "penetration test" of a web site (I use the term loosely because these days most pen tests seem to involve little more than pressing a button labelled "scan now") and sends you a report highlighting several "High Risk" issues. On closer inspection you discover that most of them are either false positives, or irrelevant. ii) A network scan report is given to a newly CISSP qualified security analyst and he's asked to review it as part of a job interview. He spots the obvious highlighted security holes but doesn't question why a web server has non-standard ports open. Are we becoming too reliant on auto-scan reports? Security analysts need to be inquisitive, well practised in basic technical skills, able to spot anomalies, and not afraid to question things that don't look right. The scan results never tell the full story!

5. It's not my fault

The first 9 years of my working life were spent in the Royal Air Force where I enlisted as an Assistant Air Traffic Controller. I learnt a few useful things out of that: how to make a good cup of tea, write backwards on a plastic board with a chinagraph, and operation of a mumeter, being three that will stick in my mind. Most important of all though was the lesson that excuses don't count. Only results. There's an evolving culture of making excuses for poor results. Lack of time, lack of resource, lack of training, lack of ability to think of a decent answer. All it shows is a lack of imagination, planning and initiative on the part of the person making the excuse. If you get something wrong it's your fault. Admit it and learn from it.

9 Comments

  • Well that was a relatively depressing and negative read :(

    1) Disagree - if Health and Safety legislation mandates that a user be sat in a room and told how best to handle a ladder once a year with the odds of likelihood being pretty low, then why shouldn't an organisation mandate that their users who, let's face it are, in the main, the ones creating the information, be sat in a room and at least engage in a discussion about how best to handle, label, protect the information they create and/or are responsible for? And trust me, this doesn't have to be delivered in a boring manner - I speak as someone who is in her 30th straight day of delivering a nationwide programme having "sheep dipped" over 600 users - and, in the main, they have been pleasantly surprised about how entertaining, non-patronising and enlightening it can all be!
    2) Agree wholeheartedly - and would add that PCI should be seen as something to be considered WITHIN an overarching security framework of ongoing activity rather than a separate siloed requirement.
    3) This is a badly written whinge as actually you are saying "do risk modelling" but calling it "threat modelling" - i.e. a rose by any other name; so it's still risk assessment and a professional InfoSec person would advocate exactly what you have stated so it's not a new revelation, or particularly helpfully put.
    Got out of bed on the wrong side, did you?!

  • MT

    Thanks for the feedback Andrea. It would be a dull world if we all agreed on everything and took the same approach. From where I'm sitting right now, there's incredible pressure on resources, nobody has any spare time and an hour away from the desk to learn about security simply won't wash when that time can be better utilised towards trying to make money for the business. So, I've had to adapt and focus on the things that can get done as transparently as possible. The good news is that my approach works at this job, here and now. The next job will, I'm sure, provide its own different and unique challenges. Easy for a consultant to view it all as being less than ideal - and I'll always listen to the criticism - but success speaks for itself!

  • Hi Stuart. I posted a blog response regarding a portion of this post on 3/19 (guess trackback is not working) (http://risktical.com/2009/03/19/stuart-king-%E2%80%93-information-security-annoyances-%E2%80%93-response-1/). And will be publishing a 2nd response regarding risk modeling in the coming days. - CH

  • Here's my top Information Security Annoyance:

    People who write trite articles on complex subjects they have no qualifications for.

  • Hi Stuart,

    Regarding Awareness -- I agree that most of the time people get this wrong. Question for you though: what is "communication" if not to make people aware? Either you somehow draw a line that differentiates the two (which I would need clarification from you on), or they're the same thing and you just hate the way most people are doing it. If the latter, then it would be helpful if you were clearer so as not to unfairly trash the concept that people can't comply with things they aren't aware of.

    Regarding Security = compliance -- I couldn't agree more.

    Regarding Risk Modeling -- You're mistaken. I've done plenty of risk analyses where I ended up with a different answer than I thought I'd get. This forced me to challenge my assumptions (and often times "conventional wisdom" as well). You're right though, that it isn't always necessary to perform formal analyses, particularly as you get better at doing them, because the models help to "calibrate" your intuition -- i.e., you're less likely to be overlooking things or applying your own biases (which, by the way, is a very good reason to do modeling). Also, it isn't clear to me how you differentiate "Threat modeling" from risk modeling, especially since you somehow claim to make risk-based decisions from threat modeling. Perhaps you can fill us in. As for all methods being a "load of tosh" -- respectfully, until you've become competent at all methods, your statement is a load of tosh. If you get something wrong, admit it and learn from it. ;-)

  • Security awareness doesn't work. Nice idea from the IT team but completely irrelevant to most of the business.

  • Awareness doesn't work, or at least, it's a big loss of money and time compared to the results, agreed.

    However, there are two kinds of awareness practices that I think are good overall:
    1/ Having "real" explanations about information security issues with the top executives of the organization, not with every employee.
    2/ Making clear to everyone who is responsible in case of which problem.

  • I'm baffled by the statements that "awareness doesn't work" - I'm an information security consultant, I'm a CISSP and CISM and I have been in the industry for many years so I feel I have a strong enough footing to share my opinion...

    I don't feel that "awareness doesn't work". I do feel like in many cases it's approached too systematically and more of an "out the box" solution than a creative exercise aimed at the CLIENT'S requirements.

    If performed correctly I believe awareness training can be very effective. Get creative and engage with the clients correctly and a very simple exercise can show results.

    At the VERY least, it can follow that users are more aware of the COMPANY'S policies, stance and COMMITMENT to security.

    Think about it for a second...

  • 1) So you don't ever help people learn something new or repeat something they really don't like.

    Why not scrap all that recurrent training for pilots and flight attendants? I am sure they would rather be making money flying than reviewing emergency procedures on an airplane.

    In fact, just scrap any learning at all. Have a pile of books for anyone who wants to learn, but how many people want to be forced to learn, whether they are 5 or 95?

    Making this communication interesting and engaging is the important step. They really don't know all this and some will only learn with the "forced feeding." It may take a while and seem like a waste, but it is better than the alternative.

    I don't feel like exercising. Let's scrap that too while we are at it....

    3) Have you ever done any serious system development? Are you claiming you knew all the answers before you started? Did you know how important different features were? That is all risk modeling and threat modeling really is - thinking things through and weighing out what you will end up developing. Perhaps you really are a know-it-all, but most of us benefit from thinking systems through, even parts we may not have thought about.

    Brad