10 major misconceptions and erroneous statements in information security (infosec)
Post on 08-May-2015
© Wildhaber Consulting, Zürich 2011
10 major misconceptions and erroneous beliefs about information security (Infosec)
Written by: Bruno Wildhaber & Rolf Oppliger
Full article available at: http://www.amazon.de/Misconceptions-Computer-Information-Security-ebook/dp/B006UGHYRK
Friday, 4 October 13
FACTis
All Important Information MUST & CAN Be Secured
• Organisations don't know their assets
• Organisations protect only 5 to 10 % of their data
• Only structured information is secured
• Unstructured information is not touched and not classified
• Organisations collect data in "digital landfills" instead of managing information properly
• Without proper data identification at the source there is no information security
The Internet Can Be Secured
• The Internet was never meant to be secure(d)
• Not even parts of the Internet can be secured
• Even a layered security model will not enable sufficient security
• There is no such thing as "a secure Cloud"
• But end-to-end (End2end) security is viable
There Is Not Enough Money For Infosec
• InfoSec budgets have increased disproportionately over the last 10 years
• IT budgets have been frozen, security budgets have not
• Absolute figures: approx. 80 billion was spent on InfoSec in 2012 (8% more than in 2011)
InfoSec Certifications (Such As ISO 27001) Increase Infosec
• Implementers and auditors focus on controls, not on the management system
• All management systems should be implemented top down; real implementations go the other way round
• Only weak organisations get certified
• Countless standards lead to desensitisation of the organisations
• Standards favour inefficient and clumsy organisations
IT Risk Can Be Managed
• For 95% of all InfoSec risk there are no values that would allow the risk to be calculated
• You can only manage what you can measure
• Only project risk can be measured
• Most current risk methods are inappropriate, even dangerous, because of the credibility they project
• A fool with a tool is still a fool
The Identification Challenge Is Not Solved
• Identity threat is an important issue, because identity has a value
• This is a risk-based approach: identification only increases if the provider's potential damage increases significantly (credit card or ATM discussion)
• Digital signatures could be implemented, but nobody wants to carry the cost
• The potential risk is too low
• The real challenge lies in cross-border transactions and user awareness
Digital Signatures Are Obsolete
• Identification has not reached the necessary levels
• Threats will increase, and so will demand for better identity management features
• Governments will be forced to build national identity systems
• Trust will be delivered to trusted groups and peers
There Must Be More Prevention
• There is too much prevention
• The control/measure triangle is 85% prevention, 5% monitoring and 10% recovery
• Reduce prevention but increase monitoring
• Focus on the important controls (80/20 rule)
• Neglect non-important risk
There Is A ROI On Infosec
• InfoSec is about risk management, not about making money
• No security measure can produce value
• Security can only protect and defend, but not create
• Nobody would hire a bodyguard with the intention of creating a business case
• ROSI (return on security investment) is an insult to the experienced manager
InfoSec Needs The "Need To Know" Principle
• The biggest misconception in commercial InfoSec
• Data must flow to release its potential, i.e. to create value; this is true for 98% of all data
• Need to know is only applicable to classified (confidential) information
• All other information must flow freely
Firewalls Are An Appropriate Security Measure
• Firewalls have always been an inappropriate measure for re-establishing the IT fortress
• Firewalls are based on an ancient security approach
• Firewalls are an in-house measure, not appropriate for Internet or open network transactions
End User Devices Can Be Secured
• PCs and other devices can neither be secured nor controlled
• YOU MUST NOT blame the end user!!!
• Don't whinge about insecure devices.. just take it as a fact!
• The end user defines the device he/she wants to use
• Business will define the security level
• IT must support all devices (support or perish..)
• Cloud computing will support business users
• Implement end-to-end (end2end) security
Contact
Wildhaber Consulting, Glatt Tower, 8301 Glattzentrum, Switzerland
www.wildhaber.com
Twitter: @brwildhaber
Secure Mail: https://secure.csnc.ch/inbox/a4Rb8Fd1bMdcQg