Re: [ISN] Security: Lotsa Talk, Little Walk

From: mea culpa (jerichoat_private)
Date: Tue Sep 22 1998 - 19:20:49 PDT


    Reply From: "Jay D. Dyson" <jdysonat_private>
    On Tue, 22 Sep 1998, mea culpa wrote:
    > Despite statements of strong support for information security by top
    > management, an astonishing number of companies fail to take the most
    > basic steps to protect themselves from hackers, disgruntled employees
    > and industrial spies.
    	This comes as little surprise.  Security is rarely handled in a
    proactive manner in the government, educational or commercial sectors.  In
    my experience, the only people who actually tend to be passionate about
    security are those who possess the ability to defeat it.  As many people
    who are "in charge" of computer and network security do not possess these
    skills (and I will refrain from any untoward comments involving the "Peter
    Principle"), security is often sacrificed in the name of convenience and
    	Further, most institutions don't want to pay for good security.
    As a consequence, they pay for their lack of vision later down the line
    when their systems and networks are breached.  The notion of a "digital
    Pearl Harbor" may be melodramatic and overused, but any fool can see that
    the lines are buzzing with Zeros 24 hours a day, 7 days a week, 52 weeks a
    > Of those surveyed, 84% said their senior management believes that
    > information security is "important" or "extremely important." But the
    > following results indicate that that concern isn't translating into
    > action: 
    >    * Forty-one percent said they don't have
    >      formal security policies.
    >    * Three-quarters said they have no
    >      incident response plans.
    >    * More than half said they lack disaster
    >      recovery plans.
    >    * More than a third said they don't
    >      monitor their networks for suspicious
    >      activity.
    >    * Fewer than one in five use encryption
    >      technology to safeguard sensitive
    >      information.
    	What's truly sad about this unfortunate state of affairs is that
    there's already a blueprint available that can resolve almost 99% of these
    fundamental deficiencies: RFC 2196 - Site Security Handbook.  (Available
    	Alas, experience has taught me time and again that just because
    someone is running a server doesn't mean they *should* be.  All too often,
    the truly critical tasks of information technology and security have been
    relegated to the status of "someone else's job."
    	And just as all important tasks are overlooked until it's too
    late, so computer and network security is resigned to a similar fate.
    Everybody knows that somebody should do it, but nobody dares to take the
    initiative, lest they step on somebody else's toes.
    	'Round and 'round it goes.  Like a dog chasing its tail.
    - -Jay
       (                                                            ______
       ))   .-- "There's always time for a good cup of coffee" --.   >===<--.
     C|~~| (>-  Jay D. Dyson - jdysonat_private  -<) |   = |-'
      `--'  `--- Just what the truth is, I can't say anymore. ---'  `-----'
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:16 PDT