Risk
1/30/2008
04:49 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

The Four (Non) Myths Of IT Security

Some of the reports and surveys security firm Symantec has provided over the years I've found both useful and informative. This most recent report, which hit today, isn't one of them.

Some of the reports and surveys security firm Symantec has provided over the years I've found both useful and informative. This most recent report, which hit today, isn't one of them.I'm still not quite sure what to make of the Symantec IT Risk Management Report Volume II that hit my inbox moments ago. But I know pure spin when I see it. Especially bad spin.

While I haven't had a chance to parse the 50-odd pages, the conclusions of the report are baffling. Even more so considering the findings are targeted toward CISOs, risk managers, as well as compliance and audit professionals. I think some of these professionals may find the report condescending, if not downright insulting.

I'll explain.

The report highlights four myths that the security vendor says it dispels. While these may be "myths" believed by the layperson, or first-year IT professionals, they're certainly not "myths that need to be dispelled" in security circles. At least not by anyone who has ever tried to walk that careful balance between business need and risk mitigation in the real world.

Now, on to the "myths":

Myth One: IT risk is security risk. Because 78% of its respondents ranked availability as a "critical" or "serious" rating of IT risk, Symantec concludes that the "emergence" of a broader view of IT security is underfoot.

Newsflash: Availability always has been a crucial part of the IT security equation, from defending against denial-of-service attacks that choke Web performance to e-mail worms that drag down communications. In fact, availability is part of the IT Security CIA triad: Confidentiality, Integrity, and Availability.

Myth Two: IT risk management is a project. I've yet to hear any chief security officer, security analyst, or even firewall administrator refer to IT risk management as a "project." In nearly every business large enough to have a CIO, risk, compliance manager, IT security and regulatory compliance are treated as long-term programs, not one-off point projects.

Myth Three: Technology alone mitigates IT risk. I dropped my ham and Swiss-cheese sandwich onto my desk when I read this rib-cracker. Again, I've not come across any CISO, chief risk officer, or industry analyst who thought -- let alone ever said -- that technology alone could mitigate IT risk. Most go by the adage that good security is about People, Process, and Technology -- in that order -- when it comes to mitigating risks. Actually, some of the best IT security and risk management technologies available are designed to keep the process in place, and protect people from themselves. And the importance of security awareness has been ranked very high in most every IT security survey I've ever read. Maybe companies should practice what they preach more habitually, but this not a "myth" to be squashed.

Myth Four: IT risk management is a science. "An emerging business discipline, not a science," is how this report describes IT risk management.

Does this need to be stated? To regard IT security and risk management "as a science" flies in the face of the very nature of the CISO or CRO function. Essentially, their job is help the business execute its mission, while keeping risk below or at tolerable levels. And these types of decisions are not scientific, and often amount to a company "gut check."

A simple example would be deciding whether a wireless LAN deployment creates more risk than business or productivity value. If the WLAN can be cost-effectively secured, a WLAN gets the green light. If not, or if the data residing on that network is too valuable to risk, the WLAN would be a no go. These types of decisions are rarely based on science.

This report is a case of the survey respondents knowing exactly what they were saying. It's the interpretation that is bad. These were not myths to be dispelled; rather, they were the early lectures one would expect to hear in Security 101. Symantec should think more highly of its customers.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8148
Published: 2015-01-26
The default D-Bus access control rule in Midgard2 10.05.7.1 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges.

CVE-2014-8157
Published: 2015-01-26
Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow.

CVE-2014-8158
Published: 2015-01-26
Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image.

CVE-2014-9571
Published: 2015-01-26
Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.

CVE-2014-9572
Published: 2015-01-26
MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.