visiting 5 (or maybe just 2) security pet peeves

A blog article over on ZDNet lists 5 IT security pet peeves. I thought I’d tackle them.

Too many people still believe ignorance is an effective security strategy. – I’m not sure so many people actively believe in this strategy so much as they are just that way. It’s the same mindset as when your toaster breaks: you wait and try 10 more times hoping the issue just goes away and it magically works tomorrow. Or the old cliché of see no evil… Or the other habit we have of saying something won’t happen to us. Sadly, the author dives headfirst with eyes closed into the “security/obscurity” topic and just ends up sounding closed-minded. Watch how you word these things, please. There *is* value in obscurity, to an extent. The correct phrase is not to rely on obscurity alone for security.

People who know nothing about IT security have godlike power over matters of IT security policy. – The examples given (congress, judges, law enforcement…) reek of an “IT guy” who only really pays attention to cnn.com issues as a consumer. Sure, he can manage his home all-in-one fax and 2 laptops on his home DSL…

Anyway, despite the tone, I think this item otherwise hits the nail squarely, and it is related to the first bullet. There are too many people who wield significant power over IT security who should have no business mucking in it other than as an overall business strategic concern. And while there are execs who will say they stay strategic and let their minions do things (yay!), there is also that undercurrent of productivity pressure, top-down, that will steal away valuable analyst time from actually verifying and maintaining security. Ever try to explain to a non-technical person the art of investigating a single IPS alert? You lose them in 30 seconds every time. But 2 days later they wonder why you spend more than 5 minutes on a mysterious alert that could portend ominous happenings on the wire. These same people wonder why you can’t just set up logs and never, ever read them. “But we gather them, right? Oh, it broke 5 months ago and we never knew because we don’t check them? Oh…shit.”
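The “it broke 5 months ago and we never knew” failure above is cheap to catch if someone actually checks when each source last sent anything. As an added example (not from the ZDNet article or this post), the check below reads constructed log lines of the form `<ISO timestamp> <source> <message>`, works out the last time each expected source was heard from, and flags sources that have gone silent longer than a threshold or never showed up at all; the source names and log lines are made up for illustration.

```python
"""Stale log source check: flag collection sources that have gone quiet."""
from datetime import datetime, timedelta, timezone

# Constructed sample feed, deliberately not in chronological order.
SAMPLE_LOG = """\
2024-03-01T09:58:12+00:00 fw-edge-1 deny tcp 203.0.113.7:51234 -> 198.51.100.5:22
2024-03-01T09:59:40+00:00 ips-core ALERT sid=1000001 outbound beacon pattern
2024-02-25T23:10:05+00:00 web-proxy GET /index.html 200
2024-03-01T10:00:01+00:00 fw-edge-1 accept tcp 192.0.2.10:44321 -> 198.51.100.5:443
"""

# Sources the collector is supposed to receive; dc-auth is hypothetical and
# never appears in the sample, which is exactly the case that goes unnoticed.
EXPECTED_SOURCES = ["fw-edge-1", "ips-core", "web-proxy", "dc-auth"]
NOW = datetime(2024, 3, 1, 10, 5, 0, tzinfo=timezone.utc)  # constructed clock
MAX_SILENCE = timedelta(hours=1)


def last_seen_by_source(log_text):
    """Return {source: latest timestamp}; unparseable lines are skipped."""
    last = {}
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        src = parts[1]
        if src not in last or ts > last[src]:
            last[src] = ts
    return last


def stale_sources(log_text, expected, now, max_silence):
    """Map each problem source to its silence duration, or None if never seen."""
    last = last_seen_by_source(log_text)
    findings = {}
    for src in expected:
        if src not in last:
            findings[src] = None
        elif now - last[src] > max_silence:
            findings[src] = now - last[src]
    return findings


def run_check():
    return stale_sources(SAMPLE_LOG, EXPECTED_SOURCES, NOW, MAX_SILENCE)


if __name__ == "__main__":
    for src, gap in run_check().items():
        print(f"{src}: {'never seen' if gap is None else f'silent for {gap}'}")
```

Run on a real collector, the same logic belongs in a scheduled job that pages someone when the result is non-empty, which is the difference between gathering logs and actually knowing they are still arriving.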

I had more to say about the rest of his bullet points, but have decided to leave it at a summary judgement. The rest of the bullet points reek of a non-corporate person who runs his home network and otherwise plays backseat IT guy. They’re also narrow-sighted consumerland items that make him seem inexperienced and annoyed that his social network browsing is interrupted now and then by kiddies. (And yes, I have feelings on both sides of the fence when it comes to visibility into communication.)