Re: [ISN] Security: Lotsa Talk, Little Walk

From: mea culpa <jericho_at_dimensional.com>
Date: Tue 22 Sep 1998 - 21:20:49 CDT
Reply From: "Jay D. Dyson" <jdyson@techreports.jpl.nasa.gov>


On Tue, 22 Sep 1998, mea culpa wrote:

> Despite statements of strong support for information security by top
> management, an astonishing number of companies fail to take the most
> basic steps to protect themselves from hackers, disgruntled employees
> and industrial spies.

	This comes as little surprise.  Security is rarely handled in a
proactive manner in the government, educational or commercial sectors.  In
my experience, the only people who actually tend to be passionate about
security are those who possess the ability to defeat it.  As many people
who are "in charge" of computer and network security do not possess these
skills (and I will refrain from any untoward comments involving the "Peter
Principle"), security is often sacrificed in the name of convenience and
hubris.

	Further, most institutions don't want to pay for good security.
As a consequence, they pay for their lack of vision later down the line
when their systems and networks are breached.  The notion of a "digital
Pearl Harbor" may be melodramatic and overused, but any fool can see that
the lines are buzzing with Zeros 24 hours a day, 7 days a week, 52 weeks a
year.

> Of those surveyed, 84% said their senior management believes that
> information security is "important" or "extremely important." But the
> following results indicate that that concern isn't translating into
> action:
>
>    * Forty-one percent said they don't have formal security policies.
>    * Three-quarters said they have no incident response plans.
>    * More than half said they lack disaster recovery plans.
>    * More than a third said they don't monitor their networks for
>      suspicious activity.
>    * Fewer than one in five use encryption technology to safeguard
>      sensitive information.

	What's truly sad about this unfortunate state of affairs is that
there's already a blueprint available that can resolve almost 99% of these
fundamental deficiencies: RFC 2196 - Site Security Handbook.  (Available
via http://www2.hunter.com/docs/rfc/rfc2196.html.)

	Alas, experience has taught me time and again that just because
someone is running a server doesn't mean they *should* be.  All too often,
the truly critical tasks of information technology and security have been
relegated to the status of "someone else's job."

	And just as all important tasks are overlooked until it's too
late, so computer and network security is resigned to a similar fate.
Everybody knows that somebody should do it, but nobody dares to take the
initiative, lest they step on somebody else's toes.

	'Round and 'round it goes.  Like a dog chasing its tail.

-Jay

   (                                                            ______
   ))   .-- "There's always time for a good cup of coffee" --.   >===<--.
 C|~~| (>-  Jay D. Dyson - jdyson@techreports.jpl.nasa.gov  -<) |   = |-'
  `--'  `--- Just what the truth is, I can't say anymore. ---'  `-----'

-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Wed Sep 23 12:22:58 1998