10 major misconceptions and erroneous statements in information security (infosec)


Posted on 08-May-2015

DESCRIPTION

This is a slide set / summary of an article written by Rolf Oppliger and Bruno Wildhaber. There are many misconceptions in computer and information security that distort the view of reality. But to make meaningful security decisions, it is important and key to know and truly understand the misconceptions commonly found in computer and information security. In this article, we outline and discuss the misconceptions we think are most common and influential. We divide the misconceptions into three groups, namely social and behavioral misconceptions, technical misconceptions, and false estimations. The aim of the article is to set the stage and provide a better understanding for all questions and answers related to computer and information security. Rolf Oppliger and Bruno Wildhaber are information security practitioners with many years of academic and practical experience with private and public organizations. All the misconceptions in this article have been encountered many times and in different constellations. Full article available at AMAZON

TRANSCRIPT

Page 1: 10 major misconceptions and erroneous statements in information security (infosec)

© Wildhaber Consulting, Zürich 20113

10 major misconceptions and erroneous beliefs about information security (Infosec)

Written by: Bruno Wildhaber & Rolf Oppliger

Full article available at: http://www.amazon.de/Misconceptions-Computer-Information-Security-ebook/dp/B006UGHYRK

Friday, 4 October 13

Page 2: 10 major misconceptions and erroneous statements in information security (infosec)


All Important Information MUST & CAN be Secured

• Organisations don't know their assets

• Organisations protect only 5 to 10 % of their data

• Only structured information is secured

• Unstructured information is not touched and not classified

• Organisations collect data in "digital landfills" instead of managing information properly

• Without proper data identification at the source there is no information security


Page 3: 10 major misconceptions and erroneous statements in information security (infosec)


The Internet Can Be Secured

• The Internet was never meant to be secure(d)

• Not even parts of the Internet can be secured

• Even a layered security model will not enable sufficient security

• There is nothing like "a secure Cloud"

• But End2end security is viable


Page 4: 10 major misconceptions and erroneous statements in information security (infosec)


There Is Not Enough Money For Infosec

• InfoSec budgets have increased disproportionately over the last 10 years

• IT budgets have been frozen, Security budgets not

• Absolute figures: approx. 80 billion was spent on InfoSec in 2012 (8% more than in 2011)


Page 5: 10 major misconceptions and erroneous statements in information security (infosec)


InfoSec Certifications (such As ISO27001) Increase Infosec

• Implementers and auditors focus on controls, not on the management system

• All management systems should be implemented top-down; real implementations go the other way round

• Only weak organisations get certified

• Countless standards lead to the desensitisation of organisations

• Standards favour inefficient and clumsy organisations


Page 6: 10 major misconceptions and erroneous statements in information security (infosec)


IT Risk Can Be Managed

• For 95% of all InfoSec risks there are no values that would allow the risk to be calculated

• You can only manage what you can measure

• Only project risk can be measured

• Most current risk methods are inappropriate, even dangerous, because of the credibility they project

• A fool with a tool is still a fool


Page 7: 10 major misconceptions and erroneous statements in information security (infosec)


The Identification Challenge Is Not Solved

• Identity threat is an important issue, because identity has a value

• This is a risk-based approach: identification is only strengthened if the provider's potential damage increases significantly (cf. the credit card or ATM discussion)

• Digital Signatures could be implemented, but nobody wants to carry the cost

• Potential risk is too low

• The real challenge lies in cross-border transactions and the awareness of users


Page 8: 10 major misconceptions and erroneous statements in information security (infosec)


Digital Signatures Are Obsolete

• Identification has not reached the necessary levels

• Threats will increase, and so will the demand for better identity management features

• Governments will be forced to build national identity systems

• Trust will be delivered to trusted groups and peers


Page 9: 10 major misconceptions and erroneous statements in information security (infosec)


There Must Be More Prevention

• There is too much prevention

• The control/measure triangle is 85% on prevention, 5% on monitoring and 10% on recovery

• Reduce prevention but increase monitoring

• Focus on important controls (80/20 rule)

• Neglect non-important risk


Page 10: 10 major misconceptions and erroneous statements in information security (infosec)


There Is A ROI On Infosec

• InfoSec is about Risk management and not about making money

• No security measure can produce value

• Security can only protect and defend, but not create

• Nobody would hire a bodyguard with the intention of creating a business case

• ROSI is an insult to the experienced manager


Page 11: 10 major misconceptions and erroneous statements in information security (infosec)


InfoSec Needs The "Need To Know" Principle

• Biggest misconception in commercial InfoSec

• Data must flow to release its potential, e.g. to create value; this is true for 98% of all data

• Need to know is only applicable to classified (confidential) information

• All other information must flow freely


Page 12: 10 major misconceptions and erroneous statements in information security (infosec)


Firewalls Are An Appropriate Security Measure

• Firewalls have always been an inappropriate measure to re-establish the IT fortress

• Firewalls are based on an ancient security approach

• Firewalls are an in-house measure, not appropriate for Internet or open network transactions


Page 13: 10 major misconceptions and erroneous statements in information security (infosec)


End User Devices Can Be Secured

• PCs and other devices can neither be secured nor controlled

• YOU MUST NOT blame the end user!!!

• Don't whinge about insecure devices... just take it as a fact!

• The end user defines the device he/she wants to use

• Business will define the security level

• IT must support all devices (support or perish...)

• Cloud computing will support business users

• Implement end2end security


Page 14: 10 major misconceptions and erroneous statements in information security (infosec)


Contact

Wildhaber Consulting, Glatt Tower, 8301 Glattzentrum, Switzerland

www.wildhaber.com

Twitter: @brwildhaber

Secure Mail: https://secure.csnc.ch/inbox/a4Rb8Fd1bMdcQg

News: Information Governance News