Reply From: "Jay D. Dyson" <jdysonat_private>

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 22 Sep 1998, mea culpa wrote:

> Despite statements of strong support for information security by top
> management, an astonishing number of companies fail to take the most
> basic steps to protect themselves from hackers, disgruntled employees
> and industrial spies.

This comes as little surprise.  Security is rarely handled in a proactive
manner in the government, educational or commercial sectors.  In my
experience, the only people who actually tend to be passionate about
security are those who possess the ability to defeat it.  As many people
who are "in charge" of computer and network security do not possess these
skills (and I will refrain from any untoward comments involving the "Peter
Principle"), security is often sacrificed in the name of convenience and
hubris.

Further, most institutions don't want to pay for good security.  As a
consequence, they pay for their lack of vision later down the line when
their systems and networks are breached.  The notion of a "digital Pearl
Harbor" may be melodramatic and overused, but any fool can see that the
lines are buzzing with Zeros 24 hours a day, 7 days a week, 52 weeks a
year.

> Of those surveyed, 84% said their senior management believes that
> information security is "important" or "extremely important."  But the
> following results indicate that that concern isn't translating into
> action:
>
>    * Forty-one percent said they don't have
>      formal security policies.
>    * Three-quarters said they have no
>      incident response plans.
>    * More than half said they lack disaster
>      recovery plans.
>    * More than a third said they don't
>      monitor their networks for suspicious
>      activity.
>    * Fewer than one in five use encryption
>      technology to safeguard sensitive
>      information.
What's truly sad about this unfortunate state of affairs is that there's
already a blueprint available that can resolve almost 99% of these
fundamental deficiencies: RFC 2196 - Site Security Handbook.  (Available
via http://www2.hunter.com/docs/rfc/rfc2196.html.)

Alas, experience has taught me time and again that just because someone is
running a server doesn't mean they *should* be.  All too often, the truly
critical tasks of information technology and security have been relegated
to the status of "someone else's job."  And just as all important tasks
are overlooked until it's too late, so computer and network security is
resigned to a similar fate.  Everybody knows that somebody should do it,
but nobody dares to take the initiative, lest they step on somebody else's
toes.  'Round and 'round it goes.  Like a dog chasing its tail.

- -Jay

   (    ______
   ))   .--  "There's always time for a good cup of coffee"  --.   >===<--.
 C|~~| (>-  Jay D. Dyson - jdysonat_private  -<)                 |   = |-'
  `--'  `--- Just what the truth is, I can't say anymore. ---'   `-----'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNggDcLl5qZylQQm1AQHmAQP6AwlEOAQKSQ1DYe0YUT/pCZaRSE5X/SiV
W342oBdjZGulzL68datbG3mufQS37+hhKqxtvw0aoJgQ6P0VcpXm05KtBOcCFRyj
kWWjaHAO/g9jHPIc05dcBTj+tsrJuh+dqccgtK1o7n1KlsyqC8LOD31wjZZzxetd
4HHMfn+6IMo=
=CdqU
-----END PGP SIGNATURE-----

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:16 PDT