Friday, September 9, 2011
9 Convenient Lies in Information Security
Organizations sometimes “stretch the truth” regarding their ability to safeguard data, protect systems or offer other assurances related to information security. The crux of the problem is that implementing security is hard, as is explaining the effectiveness and roles of various controls. So we’re often left with promises or recommendations that can, at best, be seen as having an optimistic perspective on security.
Here are some of the statements that might often be considered lies, half-truths or idealistic simplifications…
Your data is secure because:
We use bank-level 128-bit AES encryption. Encryption by itself is insufficient, as there are numerous other ways in which data can be put at risk.
We are compliant with applicable industry regulations. The compliance status demonstrates that a set of practices is being followed, but doesn’t address all necessary security measures.
We have a security seal to demonstrate that we passed a security scan. Such scans are often limited in the weaknesses that they examine, potentially leaving the organization to numerous other attack vectors.
Protect yourself on-line by:
Not opening email attachments from suspicious senders. People often receive legitimate attachments from unknown senders, yet have no basis for determining what is suspicious.
Not clicking on links in email messages. People are often in the hurry or are multitasking, which makes it too tempting to click a link rather than attempting to re-type it.
Selecting a “strong” password. Opinions vary on what constitutes a “strong” password; also, by selecting one that’s hard to remember, people are more likely to reuse it across sites and applications, increasing the risk that one compromise might grant the attacker access to other resources.
Your data is safe with our employees because:
We conduct background checks. A “clean” record doesn’t guarantee that the person will exhibit ethical behavior in the future; also, many background checks are quite limited in their scope.
We provide mandatory security awareness training. Many training programs don’t affect employees’ security-related behavior; also, participating in the session doesn’t imply that the employee absorbed the material.
We have a security policy. Security policies seem to be rarely read and more rarely understood; also, the existence of security policies doesn’t imply that they are being followed.
When you see or hear the claims above, dig deeper to understand their meaning. When you hear security advice, ponder whether it is practical. If you are tempted to offer untruths to users or customers, make sure they are accurate and provide additional details where relevant and appropriate.