Sticks and stones: Picking on users AND security pros

By Bill Brenner
Senior Editor
August 25, 2010 

I took my share of name-calling as a kid. I did my share of 
name-calling, too. We're taught that nothing good comes of such 
behavior. I've been thinking a lot about that since writing an article 
two weeks ago called "Security blunders 'dumber than dog snot'" during 
the 2010 USENIX Security Symposium.

The story is based on a talk of the same title given by Roger G. 
Johnston, a member of the Vulnerability Assessment Team at Argonne 
National Laboratory. In the presentation, he gave surprising (or not) 
examples of what he has seen as a vulnerability assessor: security 
devices, systems and programs with little or no security -- or security 
thought -- built in. There are the well-designed security products 
foolishly configured by those who buy them, leaving the buyer more 
vulnerable than before the devices were installed.

Then there are the badly-thought-out security rules and security 
programs laden in security theater, lacking muscle and teeth. In fact, 
some policies only make some employees disgruntled because they are 
treated like fools. In turn, the company risks turning them into 
malicious insiders.

Johnston described three common problems: People forgetting to lock the 
door, people too stupid to be helped and -- worst of all -- intelligent 
people who don't exploit their abilities for the betterment of security. 
Enter what he calls the dog snot model of security -- where intelligence 
and common sense exist but are not used.

