I'll admit it: Some days I wake up and have nothing profound to say in this blog. You could call it writer's block, or chalk it up to the simple fact that it's hard to write something of value every single day. Whatever the case, I don't like it when I have nothing to offer. So I go on Twitter in search of trouble. Useful trouble, of course.
This morning, hoping to get some discussion going (and somehow turning it into something blogworthy) I asked the question:
Of all the missteps you see daily in infosec, what outrages you the most and why?
I didn't have to wait long for a response. Nothing said surprised me, as the replies pertained to challenges we've been dealing with forever. But since the corporate world rarely heeds the advice of infosec professionals the first time around, some points need to be repeated often. In that spirit, let's begin with Scot A. Terban (@krypt3ia), who listed a number of pet peeves:
"Lack of willingness to make changes that will enhance security because it's too hard or costs money"
"Lack of comprehension on the part of EU's running, using, governing their machines (PCs)"
"General laziness on the part of corporate management to actively endorse security measures"
"A general tendency for management to believe they are above security policies and ignore them"
One specific example he says he was party to: a CIO with a four-character password... at a defense contractor. "Oh, and BTW," he added, "the CIO demanded a pre-populated login screen as well."
"Too many orgs do not understand the data/IP they own and the implications of its need for security"
"Homo sapiens are no longer on the Savannah afraid that lions will eat them. Thus they lack OPSEC"
"WE were the creators and innovators of the tech. Then we just dropped the ball. China and other countries now make tech we cannot make anymore."
David Lilja (@dlilja) added:
"When people won't follow the procedures decided upon and say: 'I've always done it like this before and nothing bad happened.'"
Edward Henry (@NetworkN3rd) said:
"Reclassing a vulnerability to get an exception approval, preventing it from being reported to higher ups"
ESP (@Chimerically) said:
"Ego, closely followed by process-driven sheep w/ limited understanding of the reason the processes they are following are in place"
Joel Snyder (@joelsnyder) said:
"Self-inflicted problems. Most common outages are caused by things the customer does to themselves"
William Beer (@wmbeer) said:
"It has to be the disconnect between InfoSec and the business and how InfoSec is always seen as the 'no man'"
Todd B. (@BeforeSecurity) said:
"A DOE CIO giving a Cyber Security keynote when he has a CISO. Security talk is cheap when it comes from the wrong source."
Tadd Axon (@grey_area) said:
"I once saw schematics for a military vehicle sent from a US automaker to a Canadian engineer... Over FTP."
Jack Daniel (@jack_daniel) said:
"Ego and arrogance of many of us in infosec are obstructions to security."
Chris Gates (@carnal0wnage) said:
"The inability/unwillingness of people to update their knowledge base from 10 years ago to the realities of today"
Nick Owen (@wikidsystems) said:
"The gap between bigco infosec and the SMBs"
Gabe The Angel (@gdbassett) said:
"Infosec people who create the problem (can't do X) but don't help find a solution"
"Infosec people who hide behind regulation because they secretly aren't smart enough to apply common sense"
"The lack of SMB solns. If they can hire ADT, someone should be able to contract infosec to them."
Gabe The Angel (@gdbassett) concluded:
"Infosec needs an 80/20 rule. 20% spent on personal infosec projects to balance the 80% you have to be humble."