A few weeks ago I was at a symposium where they were talking about how networks kept falling victim to the same attacks and vulnerabilities; attacks and vulnerabilities that we were discussing three years ago. It makes me wonder what goes through people's heads. Why are we still having the same problems that we were having three years ago? I fully understand and support the argument that the operating systems we use should not simply accept and run executables from any device that is plugged in. But why is it that people simply ignore policy? It's not like policies are hard to follow; I believe that people are just lazy. I believe that the line of thought is, "I waited until the last minute to do this brief and I don't have time to move files between security domains the right way, so I'm just going to use this USB stick I got at the local market to do it." I really hope I'm wrong about that, but the fact that it keeps happening means that I'm probably right.
After hearing about how networks keep falling to the same things, it makes me a little down, and that made me start to think about working in network defense/information security. I believe that there are phases one goes through while working in this field, and I think they are similar to the five stages of grief.
So here is what I believe are the five stages of working in information security:
Denial: My network isn’t vulnerable, I have firewalls, antivirus and all of my users follow the prescribed security policy.
Anger: Why don't any of you follow the policy? Because you keep using USB devices and clicking on links in phishing and spam emails, the network keeps getting compromised!
Ultimatums: The next person who does something against policy is going to get into a lot of trouble! Seriously, they may even receive a written counseling.
Depression: The users are never going to get it. They just don't care about security; they don't even care about their own security, because they keep clicking on malicious links and keep posting their personal information online for the world to see.
Acceptance: Perhaps it’s just time to find a new job. Maybe something less stressful like lion tamer or cat herder.
Do any of you have any ideas to add to or change on this list? Let me know in the comments.





Where does the serious alcohol consumption fall?
But the arguments on the Anger aspect come back to the Maginot Line argument; the attack comes from inside those border defenses. As more and more critical infrastructure gets moved outside that border, this will be less and less of an issue. I was talking to someone a few weeks ago; he was absolutely incredulous when I said I was skeptical about seeing a locally-hosted e-mail server in ten years.
I agree with you that in 10 years hardly anyone will be running their own email servers. I think offloading that to someone else will become the norm, especially when you consider the management overhead and the cost of storing all of those messages to contend with regulatory compliance. If you have concerns about security, i.e. someone intercepting the communications, first remember that it's the Internet: anything going across the wire in cleartext can be read by almost anyone, and a simple implementation of PKI will solve the security/intercept problem.
As for the alcohol consumption, eh, that probably starts at phase two and ends after phase five.