Why enterprise security practices “aren’t worth the paper they’re printed on”

“This should be humiliating for the whole information security industry. We need another way.”

Every now and then, a large organisation in the media spotlight will experience the special pain of having a password accidentally revealed in the background of a photograph or TV spot.

Most recently at a British national rail control room, and before that, in the Superbowl nerve centre and an emergency response agency.

“Security folks love their schadenfreude but what are we to make of these SNAFUs?” observes Steve Wilson, research analyst, Constellation Research.

“Of course, nobody is perfect. And some plumbers have leaky taps.”

But for Wilson, these cases hold much deeper lessons.

“These are often critical infrastructure providers (consider that on financial grounds, there may be more at stake in Superbowl operations than the railways),” he outlines.

“The outfits making kindergarten security mistakes will have been audited many times over. So how on earth do they pass?”

Posting passwords on the wall is not a random error - it's systemic, claims Wilson, who believes that some administrators “do it out of habit, or desperation.”

“They know it's wrong, but they do it anyway, and they do it with such regularity it gets caught on TV,” he adds.

“I really want to know if none of the security auditors at any of these organisations ever noticed the passwords in plain view?

“Or do the personnel do a quick clean up on the morning of each audit, only to revert to reality in between audits?

“Either way, here's yet more proof that security audit, frankly, is a sick joke. And that security practices aren't worth the paper they're printed on.”

Wilson believes security orthodoxy holds that people and process are more fundamental than technology, and that people are the weakest link.

“That's why we have security management processes and security audits,” he explains.

“It's why whole industries have been built around security process standards like ISO 27000. So it's unfathomable to me that companies with passwords caught on camera can have have ever passed their audits.”

For Wilson, security isn't what people think it is. Instead of meticulous procedures and hawk-eyed inspections, he believes too often it's just simple people going through the motions.

So much so that Wilson claims security isn't intellectually secure.

“The things we do in the name of "security" don't make us secure,” he adds. “Let's not dismiss password flashing as a temporary embarrassment for some poor unfortunates.

“This should be humiliating for the whole information security industry. We need another way.”

Join the Computerworld New Zealand newsletter!

Error: Please check your email address.

Tags Constellation Researchsecuritymalware

More about ISO

Show Comments