Tag Archive: idiocy


I just hope I’m not guilty of too many of the points listed – I think it’s about time I put together some new IS policies and put them on paper… I think I should, as the ultimate advocate among people I know, highlight the ones I’m guilty of, display them publicly and embarrass myself into changing my ways!

Security Policy and Compliance

  • Ignore regulatory compliance requirements.
  • Assume the users will read the security policy because you’ve asked them to.
  • Use security templates without customizing them.
  • Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you’re ready.
  • Create security policies you cannot enforce.
  • Enforce policies that are not properly approved.
  • Blindly follow compliance requirements without creating overall security architecture.
  • Create a security policy just to mark a checkbox.
  • Pay someone to write your security policy without any knowledge of your business or processes.
  • Translate policies in a multi-language environment without consistent meaning across the languages.
  • Make sure none of the employees finds the policies.
  • Assume that if the policies worked for you last year, they’ll be valid for the next year.
  • Assume that being compliant means you’re secure.
  • Assume that policies don’t apply to executives.
  • Hide from the auditors.

Security Tools

  • Deploy a security product out of the box without tuning it.
  • Tune the IDS to be too noisy, or too quiet.
  • Buy security products without considering the maintenance and implementation costs.
  • Rely on anti-virus and firewall products without having additional controls.
  • Run regular vulnerability scans, but don’t follow through on the results.
  • Let your anti-virus, IDS, and other security tools run on “auto-pilot.”
  • Employ multiple security technologies without understanding how each of them contributes.
  • Focus on widgets, while omitting to consider the importance of maintaining accountability.
  • Buy an expensive product when a simple and cheap fix may address 80% of the problem.

Risk Management

  • Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
  • Make someone responsible for managing risk, but don’t give the person any power to make decisions.
  • Ignore the big picture while focusing on quantitative risk analysis.
  • Assume you don’t have to worry about security, because your company is too small or insignificant.
  • Assume you’re secure because you haven’t been compromised recently.
  • Be paranoid without considering the value of the asset or its exposure factor.
  • Classify all data assets as “top secret.”

Security Practices

  • Don’t review system, application, and security logs.
  • Expect end-users to forgo convenience in place of security.
  • Lock down the infrastructure so tightly that getting work done becomes very difficult.
  • Say “no” whenever asked to approve a request.
  • Impose security requirements without providing the necessary tools and training.
  • Focus on preventative mechanisms while ignoring detective controls.
  • Have no DMZ for Internet-accessible servers.
  • Assume your patch management process is working, without checking on it.
  • Delete logs because they get too big to read.
  • Expect SSL to address all security problems with your web application.
  • Ban the use of external USB drives while not restricting outbound access to the Internet.
  • Act superior to your counterparts on the network, system admin, and development teams.
  • Stop learning about technologies and attacks.
  • Adopt hot new IT or security technologies before they have had a chance to mature.
  • Hire somebody just because he or she has a lot of certifications.
  • Don’t apprise your manager of the security problems your efforts have avoided.
  • Don’t cross-train the IT and security staff.

Password Management

  • Require your users to change passwords too frequently.
  • Expect your users to remember passwords without writing them down.
  • Impose overly onerous password selection requirements.
  • Use the same password on systems that differ in risk exposure or data criticality.
  • Impose password requirements without considering the ease with which a password could be reset.

List taken from http://isc.sans.org/diary.html?storyid=5644

Ruckenstein, you’re going down.

How do I begin this? Following is a story that goes from genuine accusations of “loudness” (if I had my music loud at some point, fair enough…) to false accusations of loudness to just plain stalking* and harassment.

For the past couple of months, I’ve been harassed by one of my neighbours for “being too loud”.

If I have people over for quiet drinks on a Friday (or any other day), she complains.

If I have guests and we happen to come home after midnight, she complains.

If I play music (even at *less than* speaking volume) at night, she complains.

With the exception of walking the floors of my apartment and having sex, this woman complains.

3 times in the last week-or-so: now, given that many Helsingiläinen live in apartment blocks, there are rules and regulations which I’m guessing protect the right of people to, ya know, do stuff in their apartment whenever they please. For me, that time just happens to coincide with the time that there is no light outside.

During the first of the 3 events leading up to my getting particularly annoyed by this neighbour, rather than thinking she was just being pedantic, I had a movie on – relatively quietly, I might add.

My understanding is that this sort of thing is counted as “watching TV” under the normal rules – and unlike the first complaint in July from a guy at ~1am asking me to turn the noise down, the movie was at this time well below speaking volume. We were sitting pretty close to the speakers and WE could barely hear it. I think this woman has the ears of a bat.

Anyway, she came up at about 23.30 and asked me to turn the noise down. I replied pretty straightly “no” and closed the door in her face, at which point she threatened to call the police. I told her “do what you want, I’m not doing anything wrong”.

The second of the 3 events was on the Friday just gone – Anna and I had been out to see a couple of Japanese films, and she and 2 of her friends came back to my place to polish off a bottle of vodka. We had music playing *very* softly and very much below speaking volume – when at 2am, the police showed up at my door. She had kept her promise.

Now, normally, I hate cops. This time was no exception. Being slightly drunk I just challenged them by asking things like “can you even hear us in the hallway?” (I know for a fact that they couldn’t because there are 2 big doors in most Finnish apartment blocks for the purpose of noise prevention), and after they told me to “keep it down”, I sent them on their merry way.

After I came back in and told Anna and the 2 friends that the cops had just been there, Anna said to me to run after them – and so the cops were invited in for a friendly chat (in Finnish). Previously that day, I’d written on the back of the official complaint form that I had received from my housing company the things that this lady has done previously – things like… shining torches into my window to get my attention to turn the noise down – WHEN I WAS SLEEPING and there WAS NO NOISE, accusing me of all sorts of things in front of friends and even apprehending me while I was on the phone (long-distance at 1,50€ a MINUTE) to ask me some fairly pointed questions… that sort of thing.

So at the end of it, I asked the police to please file a report and show that we were not actually being unreasonably loud etc so that I would have it in writing to send it to my housing company and file a counter-complaint. They said they would, and that was that.

One of Anna’s friends pointed out that, because the housing company can take the place away from the owner, she could simply be trying to brand me as a troublemaker in order to have it taken away from them, so that she or someone she knows can buy it at well below market value.

Onward to last night (Tuesday). It was about 22:30 and I was watching “King of the Hill” with my headphones on, when all of a sudden my office line had an incoming call. From a Finnish Mobile number. Which I didn’t recognize. So I answered it.

The first sentence was “please turn the noise down”, to which my response was “What are you talking about? Who is this?” (I thought at first maybe it was Anna trying to play a trick) – from there the argument quickly heated up, from me telling her “I have my headphones on, you cannot possibly hear any noise. If you can hear noise, it’s NOT me, do your bloody research before you go falsely accusing people – if you tell the police I’m making too much noise, I’ll have you done for perjury” (that is, making a false statement), which then led to her accusing me of being a liar and some other things. Whatever.

I’d also like to know how she got that number (not like it’s not public or anything, but still, she must have Google-stalked me or something). *That’s all the stalking that I know of, so far.

I invited her up (she refused to come up), so I told her that if she continues harassing me, I’m going to call the police. Of course, as it turns out, after I took my headphones off, I discovered that there was, in fact, noise. However, had she even opened the window, she would have found that the noise was coming from elsewhere and not my place. Hell, if she had even come to my door, she would have heard no more noise than me typing.

So in a slight rage, I grabbed my keys and flew down the stairs to find the source of the noise. I went around the block, thinking it might have been one of the late-night cafes or a nearby bar or something. Nope, nothing. In fact, I never did find it. However, given that there were 2 young-ish guys hanging around while I paced the yard, who later were standing on a balcony, I suspect it might have been from their place. But I just don’t know.

Anyway, after I got back to my place, I came in and, upon realizing that this was her third strike, I thought “right, time to deal with this”, and called the police – so it’s official.

Minna Ruckenstein, noted Finnish anthropologist and researcher (yeah, I Googled AND Eniro’d yo’ ass), you have awoken a monster. You chose the wrong guy to cross. Written and electronic evidence is being gathered against you, and you’re going to help me bring you down.

Study *this* human behaviour.

Study *this*.

*edit October 3 – since I called the police, I haven’t heard from her, but that could be a fluke.
