Dark Reading's Top 10 IT Security Myths Demystified - Part 5
Submitted by Mike Rothman on Thu, 2006-07-27 08:06.
This is it. The last day of our visitation of DR's Top 10 IT Security Myths. The link is here. Which is fine by me, since I'm pretty much tired of this myth busting. I'll leave that to the Urban Legend folks. I hope you've enjoyed the quick series and maybe even busted a myth or two yourself.
Myth #9 - Clean Bill of Health Attainable? (link here)
DR: "The fact is that auditors are paid to look for problems, and they usually find them, experts say."
Ah, the age-old battle between security people and auditors. I do find that most organizations fail audits frequently, and then they go into a few-week-long death march to get things right. Of course, as the DR folks point out, it's usually a failure of documentation rather than a failure of controls.
To be clear, this is our problem - not the auditors. Relaxing the documentation requirements won't fix things. I guess some reporting requirements are onerous, but deal with it. You need to have the data, if only to verify what you do on a daily basis and the value that you bring to the organization. As we learned in the UBS insider case, it's critical to document the stuff you do - or else the forensics folks will need to do it for you. So documentation is not a bad thing. Protection and documentation can be done synergistically. I promise.
All security folks need to get a little auditor empathy. Maybe we can make up some bracelets that say "WWAD." What would the auditor do? So when we are implementing new products or controls, we know we can get the right information out at the right time. It's usually a bad day when you figure out you don't have information as the auditor is breathing down your neck.
WWAD. Make it a mantra, and your life will be much easier. This was pretty good. B+ I say!
Myth #10 - More Spending = Better Security (link here)
DR: "There's no real way to measure your return on investment from hiring white-hats to run penetration tests and stage social engineering exploits. It's much more cost-efficient to train your own instead."
Man, DR really whiffed on this one. For one, the title is misleading. They are really talking about outside pen testing, not a broader security spending bucket. I do believe that more security spending does NOT lead to better security, but what does that have to do with pen testing?
What the so-called "experts" here missed was why companies engage outside resources for pen tests. It's pretty simple really. Management doesn't believe their own people. So getting someone in (even if it costs more money) to basically validate what the security folks have said is money worth spending to these folks. Sure you could do it cheaper, but that won't give answers to the muckety-mucks. Sometimes we need to do things to give answers to the muckety-mucks.
That being said, training your folks to do poor-man's pen testing and social engineering attacks is a good thing too. I don't think it's an either-or proposition here. And looking at automated pen testing products to provide more sophisticated tools for your own internal use is a good thing as well.
Then when the outside folks show up, they either won't find much or you'll already know the answers. And that's a good day, when you know (and hopefully have already asked for money to fix) all the holes.
Well, that's it. I need to get working on some of my own myths.