Information Security: Managing the Legal Risks

I recently picked up a copy of Information Security: Managing the Legal Risks by Nick Gifford. What caught my attention is that it is written from an Australian point of view, which seems rare as most books that deal with the legal aspects of InfoSec are heavily US-centric.

I'll post a review once I have a chance to have a good read.

Security is hard, right?

Security is hard, right? It must be, or everybody would be doing it right. OWASP have released their new Top 10 web vulnerabilities for 2010, which still contains 7 of the items in the top 10 from 2007 and 6 items from the 2004 top ten. Progress in educating developers and eliminating some of the biggest threats seems slow. I'm not sure why.

I (along with fellow Security Circus poster Richard) recently spent a day working our way through some rather incomplete and arcane documentation from a large software vendor, trying to determine how they required SSL to be implemented both between the separate elements of their product and with the endpoint clients.
Between poor documentation, requiring OpenSSL & Java KeyStore/keytool, and the software not trusting common 3rd-party CAs (such as Verisign), it was a long and frustrating experience. And that was for two guys with a reasonable understanding of PKI. For a developer or sysadmin who was new to security or unsure about PKI in general it would have been a nightmare.

The knowledge base for the product was not much better, leaving me with little doubt that while many people may understand the need for security, the 'how' can be sorely lacking - and is not helped when the software developer/vendor (or integrator) seems to have little grasp of security themselves - or a disinclination to explain the details to their customers.

It reminds me a little of a UNIX sysadmin I worked with many years ago, before I was full-time in IT, who was so secretive about the system and how it worked that he had three assistants quit in 12 months out of frustration. Was it secretive paranoia or simply keeping the 'knowledge' to himself as a power trip? (Personally I suspect the latter...)

While there are always elements of security and IT in general that require secrecy, the 'how' is not one of them. Explaining how to implement security so that even a home user (or my Mom!*) can easily understand it and follow the steps is a good thing.

*Actually my Mom isn't too bad with her PC!

Sick hospitals

So maybe I was a little harsh in singling out the Waikato District Health in an earlier post about a Conficker outbreak, as it seems a couple of hospitals of the NHS (National Health System) in the UK have since suffered the same problem, as have Manchester Police.

As much as security pros may preach the message to end users about opening attachments from unknown senders or downloading software from dodgy sites, can it be that we haven't been focusing enough on ensuring the IT admins have heard the security message? There may be other circumstances, such as the usual under-resourcing (do more with less!) or management negligence, but surely patching and AV are the very basics that every admin understands?

Even if the worm was introduced via USB, which seems to be the case, other simple precautions such as disabling autorun can greatly limit your exposure. Going further, limiting the use of USB storage (both who has access and what type of drives can be used) provides further protection.
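As an added example (not part of the original post), here is a PowerShell script that audits, and optionally applies, the two controls mentioned above: disabling Autorun for all drive types and restricting removable storage. The registry locations are the documented Windows policy keys (the Explorer `NoDriveTypeAutoRun`/`HonorAutorunSetting` values, the Removable Storage Access policy for the "Removable Disks" device class, and the USBSTOR service start type); the function names and the `-BlockUsbStorage` switch are this example's own conventions. Run it from an elevated prompt.

```powershell
# Added example: audit and enforce Autorun / removable-storage hardening.
# Not from the original post. Paths below are the standard Windows policy keys;
# function names and the -BlockUsbStorage switch are this script's own.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Removable Storage Access policy; this GUID is the "Removable Disks" device class.
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$UsbStor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (i.e. control not set).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AutorunHardening {
    # One object per control; Pass = $false means the control is missing or weak.
    $checks = @()

    # 0xFF disables Autorun for every drive type (removable, fixed, network, CD-ROM...).
    $v = Get-RegValue $ExplorerPolicy 'NoDriveTypeAutoRun'
    $checks += [pscustomobject]@{ Control = 'NoDriveTypeAutoRun = 0xFF'; Value = $v; Pass = ($v -eq 0xFF) }

    # KB967715: without this flag, older Windows builds still honour autorun.inf on USB drives
    # even when NoDriveTypeAutoRun is set, which is exactly what Conficker relied on.
    $v = Get-RegValue $ExplorerPolicy 'HonorAutorunSetting'
    $checks += [pscustomobject]@{ Control = 'HonorAutorunSetting = 1'; Value = $v; Pass = ($v -eq 1) }

    # Stronger: deny read/write/execute on removable disks via policy.
    foreach ($n in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        $v = Get-RegValue $RemovableDisks $n
        $checks += [pscustomobject]@{ Control = "RemovableDisks $n = 1"; Value = $v; Pass = ($v -eq 1) }
    }

    # Strongest: stop the USB mass-storage driver from loading at all (Start = 4 = Disabled).
    $v = Get-RegValue $UsbStor 'Start'
    $checks += [pscustomobject]@{ Control = 'USBSTOR Start = 4 (disabled)'; Value = $v; Pass = ($v -eq 4) }

    return $checks
}

function Set-AutorunHardening([switch]$BlockUsbStorage) {
    # Always disable Autorun; only block USB storage when explicitly asked.
    New-Item -Path $ExplorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun'  -Value 0xFF -Type DWord
    Set-ItemProperty -Path $ExplorerPolicy -Name 'HonorAutorunSetting' -Value 1    -Type DWord

    if ($BlockUsbStorage) {
        New-Item -Path $RemovableDisks -Force | Out-Null
        foreach ($n in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            Set-ItemProperty -Path $RemovableDisks -Name $n -Value 1 -Type DWord
        }
        # Only affects devices plugged in after this change (or after a reboot).
        Set-ItemProperty -Path $UsbStor -Name 'Start' -Value 4 -Type DWord
    }
}

# Usage: audit first; enforce only where the report shows a control is missing.
Test-AutorunHardening | Format-Table Control, Value, Pass -AutoSize
# Set-AutorunHardening -BlockUsbStorage   # uncomment on hosts that do not need USB storage
```

Two caveats a practitioner would want: values under `HKLM\SOFTWARE\Policies` are normally managed by Group Policy and will be overwritten at the next policy refresh if a GPO sets them differently, so in a domain the same settings belong in a GPO rather than in a local script; and disabling USBSTOR does not unload a driver that is already bound to an attached device, so the audit should be re-run after a reboot to confirm the control is actually in effect.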

If businesses (and government bodies) haven't taken the basic steps to protect themselves from the most highly publicized virus/worm of recent years, it doesn't bode well for protecting against threats that aren't as highly visible in the mainstream media.
