58 replies to this topic

[s3ntinel]

I voted policies, because I still think this is the only practical method of controlling the people.

Can I ask one question, have you ever copied someone's CD or broken a speed limit? Is this not a breach of policy (Or law in this instance)? Policy needs to be there, but will never prevent someone doing something that they think is acceptable and have the opportunity to do it. Show that person why their action is irresponsible and make it tangible to them and they are less likely to offend.

Whereas, if I had a decent policy setup, and inforce, this imho is the only way for educating some other less tech savvy people at work.

Policies should never be used to educate, only legislate. A policy sets a framework for correct behaviour, what is acceptable or not. Don't get me wrong you need both, but without proper education of the user community your policy is just an audit point.

[beardednose]

The advantage that S-OX and other pressure gives the truly impeccable pro is that it gives him/her an edge while convincing people to agree to changes. A truly impeccable pro in the average organisation has spent years ruing the fact that management doesn't allow him/her to make the changes needed - now its finally time to make all that happened.

However, the "disadvantage" is the pressure on the pro to perform. A small mistake could be a fatal one.

While this is true, I still find many "required" security changes falling to the wayside due to cost or "that (hack or misuse) will never happen." The way I protect myself is to document, in writing, the risks and the recommended remediation. Depending on the assets at risk, I might go up the ladder a few hops. That way, the CIO can't say, "If I would have known that, I would have mitigated it." Also, even if my recommendations get ignored (mgmt calls it "accepting the risk" *), I've done my job.

Basically, it's my job to review the situation, understand the business needs, and attempt to define the risk, the probability, and the estimated loss. Once I pass that on with my recommendations, I've done my job--it's management's job to manage: accept, mitigate, or transfer the risk.

Remember that next time you don't get any tractions: Just say "My job is to determine the risk and the remediation; management's job is to decide what to do." That way, I come out smelling like a rose. And, I've transferred the responsibility from my backside to management's backside.

* Accepting the risk -- I like to remind my mgmt that they can't accept what isn't documented and understood. If they don't take the time to truly understand the business impact of such a decision (what's the business case), they haven't accepted anything--they've ignored it.

May sound kind of wierd, but in a sense an IT license. My fathers work decided to put in wireless, thats great. He walked down to computer store, bought a netgear, plugged it in, and was very happy when he had harnesses technology to work w/o a problem. We both know what he's neglected to discover.

Too many people are using technology when it really shouldnt be, ie, online banking shouldnt become available for another year or two, imo. For the fact, the majority users are sending their details to other people without realising its even possible.

I disagree. Wireless equipment (I'll use one of your examples) comes with a manual that encourages users to take security precautions and then provides step-by-step procedures. Most folks just don't take the time to read the manual (there's the weak PEOPLE link again).

Now you could say that the average Josephine can't understand WEP encryption (or whatever the security suggestions are) or can't follow the documentation to implement it. But that does not absolve them of the responsibility. If you have a manual (even a poor one) that notes the security issues, you are not UN-INFORMED. You ARE informed, you just don't know how to make it work.

So most folks take the easy way out and say IT WILL NEVER HAPPEN TO ME!

The fact that technology is hard to understand DOES make fewer people use it when it comes to security. So lazy or computer-illiterate folks should never use wireless? NO! When your main sewer drain is plugged, do you stop using water and the toilet in your house? NO! You call an expert to fix the problem.

If you're too lazy to do it right or can't afford an expert (or don't know a friend who can do it), then I agree that you should not use the technology. But that's not the technology's fault---sure it could be simplier--but the person makes the decision on what to do (or ignore).

[Whoa, anyone notice my hot button? Sorry for the long drawl. If you're all smart, you'll just agree with me so we can all get on with our lives. Otherwise, I have a lot of debate left in me (and I won't give up, not by the hairs on my chinny-chin-chin).]

p.s.

online banking shouldnt become available for another year or two

What do you have against online banking? Are you saying the security isn't available? I think that it's just not properly implemented. I will be as bold to say that banking online with banks that do security right is more secure than banking in person (uh oh ). And the same is true with using your credit card online vs. in person.

GSecur, you've tested a lot of banks. Your opinion?

[myth]

What do you have against online banking? Are you saying the security isn't available? I think that it's just not properly implemented. I will be as bold to say that banking online with banks that do security right is more secure than banking in person (uh oh ohmy.gif ). And the same is true with using your credit card online vs. in person.

Not from the banking perspective, from the users perspective. I use online banking, all the time, love it, great convieneance, but im also not dumb enough to send off my details to someone who asks for them. Phishing is successful because people do online banking, whereas, if you could only get online banking if you passed some tests, or failed others...

My point is, we're giving everyone who has the money to use the service. Most are not competant enough to get the basics done with email, let alone handle other scams. Im saying that perhaps, if fall for a common trap, perhaps you should be advised NOT to go online and do banking ? But then again, if they can get in through phishing scams, the user probably has a hell of alot more security problems aswell...

Now you could say that the average Josephine can't understand WEP encryption (or whatever the security suggestions are) or can't follow the documentation to implement it. But that does not absolve them of the responsibility. If you have a manual (even a poor one) that notes the security issues, you are not UN-INFORMED. You ARE informed, you just don't know how to make it work.

Last night, went for a war drive. A small place, no WEP, so we decided to find out what they were packing. A Cisco 3640 Router, D-Link (cant remember specs, but it was a high end managed switch), and a WHOLE heap of unsecured computers...

Mind you, nothing had a password, and if it did, it was 'password'. All the workstations had no passwords to user accounts, and all allowed Remote Desktop Connection.

Im seriously considering calling them up, emailing them, whatnot, print out what i know. Hand it to them. Then tell them to sue the guy who setup their configs...

These guys weren't informed. They had no idea what was happening, they just knew it was working. Oh also, their accountant had a collection of movies they had been downloading, might add that in aswell

GSecur, you've tested a lot of banks. Your opinion?

/me waits

[beardednose]

You make some great points.

These guys weren't informed. They had no idea what was happening, they just knew it was working.

Here, I think you're jumping to conclusions. So you think not one person on the staff has ever heard of wireless risk? That they wanted wireless, hired someone to do it, who got it working, minus security? So no manual or anything was ever laying around and not one person in the group has even a hint of security consciousness?

It's possible (I do meet folks like this), but it is getting less likely. It's a lot like sin, hell, and death. Almost everyone has heard about God and hell, but few really take the time to truly think about it and repent.

Call me an old fool, but in today's world (to borrow from another thread of mine), I think it's unreasonable, with todays publicity about lost tapes, hacks, viruses, and security updates, for even computer-illiterate folks to continue ignoring security. Like salvation, security is a choice; neither come naturally--you have to invest some time in them--and you have to change how you live.

I believe it comes down to not wanting to deal with the hassle and the overhead that security often requires. I think it's that simple: people are uninformed because they WANT TO BE.

[myth]

Here, I think you're jumping to conclusions. So you think not one person on the staff has ever heard of wireless risk? That they wanted wireless, hired someone to do it, who got it working, minus security? So no manual or anything was ever laying around and not one person in the group has even a hint of security consciousness?

Agreed. Everyone knows of the, atleast general flow, common vulnerabilities. If they dont, then its neglect. Just really sucks watching so many people wulnerable, knowing you help them all :P

I believe it comes down to not wanting to deal with the hassle and the overhead that security often requires. I think it's that simple: people are uninformed because they WANT TO BE.

Yeah, (liked the way you ended it :P) but hell, its a full time job just trying to stay ontop of it for me.

Oh well, i learnt something in that thread :P

[aelphaeis_mangarae]

I think it is stupid to have such an argument, if a skilled attacker is trying to find his way into a network, and if he is determined enough, if one of those 3 things are lacking, he will get in.

Although out of the 3 things i would have to say the most useless would be process....and I would have to agree what most of you said, the human factor is very important, but not that much more Important than technology.

[as0l0]

if a skilled attacker

<{POST_SNAPBACK}>

you are generally not defending against skilled attackers.

[beardednose]

I think it is stupid to have such an argument, if a skilled attacker is trying to find his way into a network, and if he is determined enough, if one of those 3 things are lacking, he will get in.

But you couldn't resist getting involved...welcome to the club

The reason I brought it up is because so many people believe that tech and policy will save them....and they never train their people. Training isn't the catch-all either, but like you said, you need all 3.

[szikos]

I chose People (and their actions) because:

People choose and install security tools.
People create these tools.
People (must) decide their security policy.
Responsible People (security experts?) prevent or identify attacks.

And finally people do the attacks!

[beardednose]

And finally people do the attacks!

Well, kind of. These days, you see a lot of automated attacks (set 'em and forget 'em and come back later for the results). Sure, someone coded it and launched it, but the technology does the attacking....

And hopefully people are watching!

[Sano]

I voted for people.

For all the same reasons already stated.

[spook]

sorry that my reply is a bit late, I voted people but forgot to reply (didn't know what to say).



This social engineering article explains it
http://www.securityf...om/infocus/1527

Especially this sentence:

Generally agreed upon as the weakest link in the security chain, the natural human willingness to accept someone at his or her word leaves many of us vulnerable to attack.

It kind of prooves how dangerous social engineering is. (part II is how to combat it).

And here’s an even better one: “They’ll call you in the middle of the night: ‘Have you been calling Egypt for the last six hours?’ ‘No.’ And they’ll say, ‘well, we have a call that’s actually active right now, it’s on your calling card and it’s to Egypt and as a matter of fact, you’ve got about $2,000 worth of charges from somebody using your card. You’re responsible for the $2,000, you have to pay that...’ They’ll say, ‘I’m putting my job on the line by getting rid of this $2,000 charge for you. But you need to read off that AT&T card number and PIN and then I’ll get rid of the charge for you.’ People fall for it.”

I'll take this as an example.
Some people can really persuade people into giving your credit card information etc. Which is actually pretty scary, don't you think?

You can never be fully protected against social engineering.
Unlike technology or process.. You can pretty much always improve that.

Another thing is that all of those 3 things are related to people.

If the admin of a network was a robot who can do nothing but his work, the technology is up to date and the process are all good.
Then you could say your network is secure.

[Stephen]

Process (policies, procedures, best practices, etc.)

I chose this one because this really does cover a wide range of things if you really think about it policies covers 2 categories the network policies and the policies a corporation lays down for the employees for proper use, procedures that you take to secure a network and the employees best practices in follwing your policies

[khilari]

People all the way...

Vulnerabilities in People and its exploitations are way more likely than technical exploitations

Processes are big cause also ... the organizations must learn to implement the master policies they set and take actions on violations

[Norse]

I think that their is no one layer that is the most important. security is in place in layers because if one fails the onthers can catch ware one has failed but if you only focus on one layer all you need is one hole because you only need to get past one layer. Just my appion but their is no one layer that is more important than the others.