If you wanna learn from the IT security blunders committed by hacked hospital group, here's some weekend reading The theft of 1.5 million patient records, including those of Singapore's Prime Minister, from the city state's SingHealth hospital group by hackers could probably have been stopped had the IT department not been so useless, an inquiry has found. In July, citizens were notified that miscreants had siphoned massive amounts of …
“having an extensive command and control network, the capability to develop numerous customised tools, and a wide range of technical expertise”
“Four hundred and fifty four pages to say someone opened a compromised email attachment, containing a word document, that ran a VB macro, that installed remote control software on a ‘computer’”
Just keep a paper trail of your recommendations, suggested workarounds, and potential outcomes if nothing is done (in plain language), along with their refusals.
Document these known issues in your infra docs, with reasons why they exist. Increase monitoring+logging in those areas. Prepare for the post-incident audit before it happens.
Arse covering.
The opposite of security is not insecurity. The opposite of security is overly convenient.
The issues described in this article probably apply to 99.9999% of all IT systems operators in the world.
When I do interviews of prospective vendors I always ask the question "Do you have staff dedicated 100% to operational security (not including compliance) or is security everyone's responsibility?"
The competent ones answer "Both."
The dumb ones enthusiastically respond "No. Security is everyone's responsibility!"
When something is everyone's responsibility it's no one's responsibility.
"Getting IT staff to use it would be hard too. Many of mine would agree with it on principle but then spit the dummy when it's implemented."
Demand management implement it and if they won't then I'd find somewhere else to work 'cos if you stay there much longer you'll be looking for another job anyway, especially when the company gets hacked and goes up the swanny!
Trust me, it's usually a load of people generally whinging for no good reason. If you force security tighenting most of them will shut up after a week or so anyway. You're failing at your job is you don't enforce it, or at least make a proper recommendation in writing to management to implement. I'm sure you'll find a governing body that will demand your company protect the data it has, and of course there's always GDPR. In in the finance industry is an offence to not comply plus your company's reputation can be downgraded by various agencies if external auditors determine you have not secured your company data enough.
Trust me this is more important than a few whingers, do it before you find yourself holding a P45!
"and of course there's always GDPR. In in the finance industry is an offence to not comply"
In both cases: Unless criminal/civil responsibilty falls _personally_ on manglement, they're unlikely to care.
It's the threat of finding _themselves_ in the dock which works the best at betting things fixed.
Often by security employees who don't understand real security.
When you see companies allowing their employees to send password encrypted zip files with the password in the same email, or web censoring software that prevents access to innocuous sites but fails to block dangerous ones, you realise it's just lip service.
And generally, lessons aren't learnt. They're just covered up.
As you rightly suggest security is not simply implementing a few systems to protect other systems, it's a whole system of changing minds, changing attitudes, implementing tools, utilities, implementing reporting and making people responsible for implementing and maintaining security as a company wide blanket, not just a few band-aids.
It all falls apart because PHBs think security is simply forking out for a couple of copies of Kaspersky on PCs and everything is cosy again, that's usually a company you don't want to put your money in!
It's too damn difficult to enable Citrix services over the Internet through a web proxy--without mucking up security, and no one ever seems to have Citrix support to address that garbage--so I'm always having to reverse engineer that crap. No wonder that was part of the problem. Yeah, I'm a proxy admin, and Citrix is a serious thorn in my side, and I wish policy out-and-out forbade it. Time to grow up and get your sh*t in order Citrix.
"I wish policy out-and-out forbade it."
In sensible places (ie: not yours) policy DOES.
Along with a bunch of other "convenience" services which compromise OUR security whilst increasing your convenience or allow other organisations to maintain their security facades.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
