DESCRIPTION
This is a slide set / summary of an article written by Rolf Oppliger and Bruno Wildhaber. There are many misconceptions in computer and information security that distort our view of reality. But to make meaningful security decisions, it is important and key to know and truly understand the misconceptions commonly found in computer and information security. In this article, we outline and discuss the misconceptions we think are most common and influential. We divide the misconceptions into three groups, namely social and behavioral misconceptions, technical misconceptions, and false estimations. The aim of the article is to prepare the stage and provide a better understanding for all questions and answers related to computer and information security. Rolf Oppliger and Bruno Wildhaber are information security practitioners with many years of academic and practical experience with private and public organizations. All the misconceptions in this article have been encountered many times and in different constellations. Full article available at Amazon.
© Wildhaber Consulting, Zürich 2011
10 major misconceptions and erroneous beliefs about information security (Infosec)
Written by: Bruno Wildhaber & Rolf Oppliger
Full article available at: http://www.amazon.de/Misconceptions-Computer-Information-Security-ebook/dp/B006UGHYRK
Friday, 4 October 2013
Slide 2: All Important Information MUST & CAN be Secured
FACT is:
• Organisations don't know their assets
• Organisations protect only 5 to 10 % of their data
• Only structured information is secured
• Unstructured information is not touched and not classified
• Organisations collect data in "digital landfills" instead of managing information properly
• Without proper data identification at the source there is no information security
Slide 3: The Internet Can Be Secured
FACT is:
• The Internet was never meant to be secure(d)
• Not even parts of the Internet can be secured
• Even a layered security model will not enable sufficient security
• There is nothing like "a secure Cloud"
• But End2end security is viable
Slide 4: There Is Not Enough Money For Infosec
FACT is:
• InfoSec budgets have increased disproportionately over the last 10 years
• IT budgets have been frozen, security budgets have not
• Absolute figures: approx. 80 bil. was spent on InfoSec in 2012 (8% more than in 2011)
Slide 5: InfoSec Certifications (such as ISO 27001) Increase Infosec
FACT is:
• Implementers and auditors focus on controls, not on the management system
• All management systems should be implemented top down; real implementations go the other way round
• Only weak organisations get certified
• Countless standards lead to desensitisation of the organisations
• Standards favour inefficient and clumsy organisations
Slide 6: IT Risk Can Be Managed
FACT is:
• There are no values for 95 percent of all InfoSec risks that would allow the risk to be calculated
• You can only manage what you can measure
• Only project risk can be measured
• Most current risk methods are inappropriate, even dangerous because of the credibility they are given
• A fool with a tool is still a fool
Slide 7: The Identification Challenge Is Not Solved
FACT is:
• Identity threat is an important issue, because identity has a value
• This is a risk-based approach: identification is only strengthened if the potential damage to the provider increases significantly (credit card or ATM discussion)
• Digital signatures could be implemented, but nobody wants to carry the cost
• The potential risk is too low
• The real challenge lies in cross-border transactions and the awareness of users
Slide 8: Digital Signatures Are Obsolete
FACT is:
• Identification has not reached the necessary levels
• Threats will increase, and so will the demand for better identity management features
• Governments will be forced to build national identity systems
• Trust will be delivered to trusted groups and peers
Slide 9: There Must Be More Prevention
FACT is:
• There is too much prevention
• The control/measure triangle is 85% on prevention, 5% on monitoring and 10% on recovery
• Reduce prevention but increase monitoring
• Focus on the important controls (80/20)
• Neglect non-important risk
Slide 10: There Is A ROI On Infosec
FACT is:
• InfoSec is about risk management and not about making money
• No security measure can produce value
• Security can only protect and defend, but not create
• Nobody would hire a bodyguard with the intention of creating a business case
• ROSI (return on security investment) is an insult to the experienced manager
Slide 11: InfoSec Needs The "Need To Know" Principle
FACT is:
• The biggest misconception in commercial InfoSec
• Data must flow to release its potential, i.e. to create value; this is true for 98% of all data
• Need to know is only applicable to classified (confidential) information
• All other information must flow freely
Slide 12: Firewalls Are An Appropriate Security Measure
FACT is:
• Firewalls have always been an inappropriate measure to re-establish the IT fortress
• Firewalls are based on an ancient security approach
• Firewalls are an in-house measure, not appropriate for Internet or open network transactions
Slide 13: End User Devices Can Be Secured
FACT is:
• PCs and other devices can neither be secured nor controlled
• YOU MUST NOT blame the end user!!!
• Don't whinge about insecure devices, just take it as a fact!
• The end user defines the device he/she wants to use
• Business will define the security level
• IT must support all devices (support or perish)
• Cloud computing will support business users
• Implement end2end security
Contact
Wildhaber Consulting
Glatt Tower
8301 Glattzentrum
Switzerland
www.wildhaber.com
Twitter: @brwildhaber
Secure Mail: https://secure.csnc.ch/inbox/a4Rb8Fd1bMdcQg
News: Information Governance News