I have compiled a list of what I believe are the biggest lies told by and about infosec. Let me know if you have an addition to the list!
5. There is no evidence that the data has been misused….
This lie is typically told by a company that has just had their digital posteriors handed to them. The first question that I want to ask upon hearing this one is:
“So… wait… you were completely unable to detect the intruders that were playing around in your own systems for 3 or 4 months, but now all of a sudden you can tell across the entire globe if the information is being misused?”
4. It was a sophisticated attack….
The biggest problem is deciding if this lie is being told by the party that was breached, or the media. For some reason the media classifies everything as “hacked”, even when it isn’t. You can add to this that the party that has been breached has two things working against it:
1. Who wants to admit they were breached by something stupid? If you are going to be breached you want it to be the most sophisticated, complex attack known to man.
2. The “mouthpiece” for the organization that was breached likely doesn’t understand the technical issues themselves.
3. Of course it is secure – the (Military/Law Enforcement/Government) uses this, so it has to be….
I was asked by a client to sit in a product demonstration not too long ago, and the vendor’s mouthpiece kept harping on the fact that “This is so secure, NASA uses it!”. They were more than a little crestfallen when I demonstrated for them that they were sending their username/password in Base64 decoded format for the entire world to see – and then the page was moving to SSL encryption (on an expired certificate).
The lesson here? Just because no one has questioned it, doesn’t make it secure.
2.We have “Insert favorite technology here” so we know we are all set….
My first response to this usually is: “Tell me/Show me the specific policy/procedure that your favorite technology is in place to support. What about the policy and procedure that governs support of the technology?” The largest portion of the time an organization is completely unable to do this simple exercise.
Infosec technology that does not support policy and procedure is pretty much meaningless – at best you have wasted money, at worst you have created yet another attack vector through a mis-managed, poorly understood device.
1. We are compliant with (HIPAA, GLB, Sarbannes-Oxley, PCI, etc.) so we know we are secure….
Ummm… so was Heartland…. Do we really need to go down this road?