[Am-info] PLAYING PERCENTAGES

Fred A. Miller fm@cupserv.org
Thu, 25 Jul 2002 16:01:16 -0400



PLAYING PERCENTAGES

Posted July 19, 2002 01:01 PM  Pacific Time


IT'S SUMMER SURVEY time again, and the folks at the
System Administration, Networking, and Security (SANS)
Institute recently sent me some numbers that were food
for thought. Back in April, SANS asked 1,220 security
professionals to list the reasons IT security tends to
be weak.

Why did I find the answers so interesting? Look for
yourself: Nearly two-thirds (64 percent) of the
respondents blame management for skimping on budgets
and undermining security efforts. Almost half (47
percent) blame end-users who don't understand their
responsibilities and vendors that ship products with
insecure default settings or known security holes.

Two out of five respondents (41 percent) think that the
absence of commonly accepted security standards leads
to weak security. Concerns also extend to the lack of
effective risk assessments (39 percent), existence of
attackers constantly looking for vulnerabilities (38
percent), and a shortage of trained security
professionals (also 38 percent).

Finally, slightly more than a third (34 percent) feel
that unrealistic security policies weaken security,
and roughly one in five (19 percent) blame security
vendors for promising more than they can deliver.

There are some good points here, but a couple of bogus
ones as well.

Let's start with the alleged lack of commonly accepted
standards. In this business, most of the best
practices are just common sense. Although the severity
of risk varies from one platform to the next, basics
remain basics.

Another false argument focuses on the attackers.
Blaming them for weak security is like blaming the
burglar who can't resist taking the projection TV
because you left the patio door open while you went
shopping. I'm not defending attackers or burglars,
mind you, but too many people don't take
responsibility for their own negligence.

Ordinarily, I'd say that blaming the bosses and their
policies is a bogus excuse, but experience tells me
that executive neglect or interference happens far
too often. I feel the same conflict about holding
end-users responsible for their actions; I've seen so
many boneheaded moves that I'm no longer surprised,
just amused.

But there are real concerns here that aren't going to
be addressed by anyone outside the security community.
Take the complaints about a lack of trained security
personnel and the lack of effective risk assessments.
I can understand the dilemma faced by IT managers who
invest in their employees' training only to see them
lured away. The only solution to both problems is to
keep training IT security specialists until
there's a glut.

And even though vendors that promise too much are a
problem, shouldn't the customer bear some
responsibility? Caveat emptor still applies.

Ultimately, corporate IT is responsible for security.
As I've said before, it would help if vendors shipped
their products in the most secure configuration. But
that's another column.

P.J. Connolly (pj_connolly@infoworld.com) covers
collaboration, operating systems, and security for the
InfoWorld Test Center.

--
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org, www.cupserv.org
--- SuSE Linux v8.0 Pro, KMail 3.0.1---