Tips for an Information Security Analyst/Pentester career - Ep. 22: A naked truth


Today I got this question on Quora, which made me think of all the misconceptions and misunderstandings surrounding information security, which make a security professional's job increasingly hard and challenging.


The properties of secure information are summed up by the CIA acronym, which stands for Confidentiality, Integrity and Availability of information.

This concept is known as the CIA triad (or triangle), and it implies that there must be a trade-off between security and availability (i.e. between security and convenience for the end user, so that the end user can readily access the information they need).
Excessively strict security is bad for users because it becomes a hindrance. You guys can't (rightly) remember a 23-character random password with uppercase, lowercase and special characters, and you want everything to be as easy as ABC.
But there's a flip side to this convenience. If you use weak passwords (e.g. something like 123456, or the word "password" as a password), you will certainly remember them, but password cracking software like John the Ripper or Cain & Abel cracks them in a couple of seconds.
Then you have bad guys hacking into your personal and financial information.
Security is a very complicated matter and it has to be because there are too many bad guys around trying to wreak havoc.
It's like two-factor authentication. 

Yes it's a hassle having to enter a code you get on your phone every single time, but that makes it much harder for an attacker to brute-force your password.
You guys should blame this situation on the bad guys, not on who tries to protect you and your information.
We security professionals need to be on watch and to harden security procedures, because they make it hard for bad guys to get in.
When you hear of major security breaches, such as those at Equifax and the SEC, most people blame them on the security staff. It's too easy to cut them down by saying they were sloppy, idiots and so on.
The naked truth is: a secure corporate environment depends on top management choices, not on technical implementations only.
Information security can't be something confined to the IT department only, on the contrary it must be a commitment of the whole organization, starting from top management.
The tone at the top is paramount.
John Strand (Black Hills Cyber Security), one of the biggest hackers around, whom I deeply respect, has recently defended Equifax security professionals. They're highly skilled people, but the top management didn't listen to them, or they lacked resources.
Cyber security is a matter of budget.
If your corporate network is full of holes like a Gruyère and I, as a security admin/CIO/CISO or in another leading security role, tell the CEO, but he/she doesn't think this is a priority or doesn't give me the budget I need, your organization will be breached.
Apparently most CFOs and some CEOs think investments in information security don't generate any ROI (return on investment).
True, at first sight there seems to be no direct correlation between such investments and the risk they'd like to prevent or mitigate.
Most organizations don't think they might be a target, only because they haven't been in the past.
So their reasoning is: how likely is such an unfavorable event to occur, and why should I spend, say, $1,000 to be protected from such an unlikely event, when I could spend that money on something more important to my business?
So, they decide to accept the risk and they get breached.
It's only a matter of time.
One of the roots of the problem is that everyone wants to see only their own specific point of view.
End users complain all this security is a pain in the ass, but then yell and sue companies if they don't protect their information.
Some IT and information security professionals think most users are dumb and lazy because they keep repeating the same mistakes over and over again, which is not always true either.
We need to come together and have a better understanding of what's going on.
We need for everyone to look at the whole picture, not only at the specific part they care for.
So, you see that a little bit of inconvenience can prevent your personal and financial ruin.
Better safe than sorry, right?
The problem is in today's world you can easily get very sorry very soon.
