
Don't be Stupid about security

Leader ZDNet.co.uk

Published: 23 Aug 2006 15:05 BST

Privacy International, the organisation that lives to fight the abuses of government and industry, has lost patience with the rise of 'stupid security'. Liquid bans on aircraft, schools that fingerprint pupils before they can borrow a library book, rail companies that outlaw trainspotters in case they're concealing bombs beneath their anoraks. These are the kind of measures that drive PI barmy, and it wants you to expose them.

The Stupid Security awards will doubtless throw up amusing and appalling examples of excessive security measures. We believe there are plenty out there. Again and again, we see companies slip up on security because they make the same basic mistakes. So, before you force your colleagues to undergo full body searches before they enter the server room, or start backing up everyone's personal details to 25 different places so you've always got a spare copy, here's our list of common mistakes to avoid. We're sure you have better ones of your own, so Talkback at the bottom of the article to let us know what you think are the best ways to ensure appropriate and effective security, or the best examples of security gone mad.

Don't overreact
Did someone mention liquid on planes? Just because you've identified a potential threat, that doesn't mean you need to shut everything down. Just because Sue in legal has her password on a Post-it note on her screen, don't suddenly impose three levels of security checks before anyone gets onto the network.

Do a proper risk analysis
Management have rejected your very reasonable demand for a live replicated datacentre in Antigua. To use an old journalists' adage: show, don't tell. A quick demonstration based on hard figures of just how much money will be lost if the worst does happen can be the first step to a very healthy budget.

Don't assume you are secure just because you're told so
Your reports assure you that you're secure. Their reports assure them that they're secure. Suppliers assure you that you're secure once you've bought their products and services. As always, the devil is in the details. Question every detail and look at the problem (or get someone else in to look at it) from a perspective unburdened by your assumptions of how they should try to break in.

Remember the basics
You have your firewall, intrusion detection, anti-spam, antivirus, you have policies and you enforce them, you've bought into deperimeterisation, but… did you remember to lock that back door to the server room?

Think about the big picture
There's no point fingerprinting all your staff as they come in, if you're going to leave the Wi-Fi network protected only by WEP.

Have a contingency plan
Don't get caught out having to leave the server room door open (onto that back alley) when the air conditioning breaks down. We know of at least one company that did. Shocking, eh? Well, they thought they were safe, but the main aircon had never been properly tested for redundancy.

Know where your backups are
Backing up our data gives us a nice warm fuzzy feeling. But you wouldn't be the first to discover that, the one time you actually need the backups, you can't find them or simply don't have access to them.

Try restoring your backups before you have to
Go on, just try. And time quite how long it takes. And then work out how much it would cost if your company was unable to do business for that length of time.
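The two pieces of advice above, "show, don't tell" with hard figures, and "try restoring your backups before you have to, and time it", are easy to turn into a repeatable drill. The script below is an added example and is not ZDNet's code. It builds a small constructed backup in a temporary directory, restores it to a scratch location, checks every restored file against a SHA-256 manifest taken at backup time, records how long the restore took, and turns that time into a money figure using an assumed flat hourly revenue (the 5000 default and the sample file contents are made up for the example). The `tamper` switch alters one restored file to stand in for a corrupt or stale backup, so you can see the manifest check catch it.

```python
"""Backup restore drill (added example, not ZDNet's code).

Builds a small constructed backup, restores it to a scratch directory, checks
every restored file against a SHA-256 manifest recorded at backup time, times
the restore, and converts that time into an outage cost using an assumed
hourly revenue figure."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive the source tree and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return build_manifest(source)


def restore(archive: Path, target: Path) -> float:
    """Extract the archive into target and return the wall-clock seconds it took."""
    start = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter refuses absolute paths, '..' traversal and device
            # files; it needs Python 3.12 (or a 3.8-3.11 security backport).
            tar.extractall(target, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(target)
    return time.monotonic() - start


def verify_restore(expected: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare the restored tree against the backup-time manifest."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(k for k in expected if k not in actual),
        "mismatched": sorted(k for k in expected
                             if k in actual and actual[k] != expected[k]),
        "unexpected": sorted(k for k in actual if k not in expected),
    }


def outage_cost(restore_seconds: float, hourly_revenue: float) -> float:
    """Money lost while the business waits for the restore (assumed flat hourly rate)."""
    return restore_seconds / 3600.0 * hourly_revenue


def run_drill(hourly_revenue: float = 5000.0, tamper: bool = False) -> dict:
    """End-to-end drill on constructed sample data.

    tamper=True silently alters one restored file, standing in for a corrupt or
    stale backup, to show that the manifest check catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "live"
        (source / "db").mkdir(parents=True)
        # Constructed sample data; any real tree would do.
        (source / "db" / "customers.csv").write_text("id,name\n1,Example Ltd\n")
        (source / "config.ini").write_text("[app]\nmode=prod\n")
        archive = base / "nightly.tar.gz"
        manifest = make_backup(source, archive)

        scratch = base / "restore_test"
        scratch.mkdir()
        seconds = restore(archive, scratch)
        if tamper:
            (scratch / "config.ini").write_text("[app]\nmode=dev\n")

        report = verify_restore(manifest, scratch)
        report["ok"] = not (report["missing"] or report["mismatched"]
                            or report["unexpected"])
        report["restore_seconds"] = seconds
        report["outage_cost"] = outage_cost(seconds, hourly_revenue)
        return report


if __name__ == "__main__":
    for tamper in (False, True):
        r = run_drill(tamper=tamper)
        print(f"tamper={tamper} ok={r['ok']} mismatched={r['mismatched']} "
              f"restore={r['restore_seconds']:.3f}s cost={r['outage_cost']:.2f}")
```

On real data the restore time is the number to put in front of management: multiply it by what an hour of lost business actually costs you and the budget conversation changes character. The manifest comparison is the other half of the drill, because a restore that completes quickly but returns stale or damaged files is worse than one that fails loudly.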

Are you secure if one layer of your security fails?
Things are going to fail, even if you do everything right. All it takes is a security flaw in, say, Intel's wireless technology and you're open to attack. Deperimeterisation is a mouthful, but considering how to make each packet of data intrinsically secure could save your bacon.

Plan for incompetence, as well as malice
Never assume "they couldn't be that stupid, could they?", because they can be. You're far more likely to lose data through people messing up than you are through an attacker.

And take human nature into account
Think of users as a river: they'll take the easiest route to their destination, whether that is logging on or using a particular service. Enforce strong passwords or too-frequent changes and your users will be unable to remember them, so you'll end up with a plague of Post-it notes on monitors. One of the PI awards is for most egregious security measure; be careful not to introduce measures that are so overreaching, fiddly and unpopular that users just rebel against them.


Full Talkback thread

1 comment

  1. Yeah, just be perfect, yo! Then no problems! Anonymous
