Information Security in the Seventh Circle of Hell
No, end-users aren’t stupid.
Compliance is. InfoSec is. IT is.
The other day Daniel Miessler Twitter: @DanielMiessler published this awesome post on asset management: If You’re Not Doing Continuous Asset Management You’re Not Doing Security
This is spot on, and something that we really need to invest in to raise the bar for security.
However most of the time this is what is going on:
Compliance:
There is a CMDB ✔ (Ignoring that the contents is largely outdated, and not really covering our actual needs wrt. actual information about the assets)
Here’s the “Systems Acceptance” policy that everyone at $company must adhere to ✔ (Ignoring that it is not really implemented nor understood by anyone)
You must have a password of at least 8 characters with complexity requirements ✔ (Ignoring - or not understanding - that this is REALLY BAD security advice)
Security:
We have installed yet another firewall, thereby minimizing risk ✔ (Ignoring that it actually adds to complexity and not really knowing what we were trying to protect and why)
We have had a pentest ✔ (Ignoring that it was performed by a pentest puppy mill, and is basically just a glorified vulnerability scan)
IT:
We just put out this fire [insert regular incident here] ✔ (Ignoring the need to do root cause and understand the impacted service end-to-end).
The solution?
Follow Daniel’s advice, and start with Asset Management - It’s been on the top 20 Critical Security Controls for a very long time. so even Compliance should be able to understand this:
</RANT>
