
Are Security Efforts Misplaced?

January 11th, 2011

Warning... this is a bit of a disjointed rant!

I won't reveal the person's name, but recently I chuckled when reading a Facebook status update from someone I knew in high school. His comment was along the lines of, "My boss asked me to label our switches with their IPs, so I asked if we should post the configs along with the usernames and passwords on the internet. My boss has a wonderful concept of 'security'".

This person is a graduate of a post-secondary computer program. Probably not unlike the program that I graduated from and now teach in. I want to know who, during his education, said "labels are insecure" and drove this idea into his head to the point that he would call out his boss on Facebook over it. I want to know who this professor is because I want to see them stripped of their right to teach.

However, if we ignore that someone is passing along incorrect information, this seems to be part of a larger issue. I noticed numerous comments on Facebook laughing at the status update, perhaps by people that know nothing about computers but, even worse, they might be people that work in IT. I have to ask myself as a security professional and as a security professor if all of my efforts are wasted. Do we really have people working for companies that feel proper security means not labelling equipment?

I then realized that this is likely part of a larger problem. We have people everywhere doing jobs that they aren't trained for and aren't prepared for. As we focus more and more on security, we are forcing developers, network admins and sys admins to focus on security, but we're never telling them what matters and what is involved in security. It's not unlike when I took my first job after I graduated and cried my first day. The previous sys admin had enabled WEP on their wifi ("for security") but had also put their Win 2K box acting as a DC and running Exchange 2K directly onto the internet. Not even a Linksys router in the way, just straight into the DSL modem.

So are we wasting our efforts? Is there any point in looking at security when there are so many SMBs that have a single IT person or an outside consultant who has no idea what to do? A lot of people dislike standards like PCI, but maybe this first step, a simple checklist, is exactly what we need. Maybe instead of user awareness training, we need to start talking about IT grunt training, because how do we get the users trained if their likely trainers don't know what's going on?

If I were told it was a security risk to write IPs on switches, I'd really have to ask why someone is able to get access to the switches in the first place. That would be the real security risk... who cares about the IP if someone has physical access.

  1. January 16th, 2011 at 07:50 | #1

    Also there is something else strange here: switch – layer 2, IP – layer 3. So unless we are talking about managed switches here, the statement doesn’t make sense on a whole new level…

  2. JS
    July 27th, 2011 at 07:08 | #2

    Maybe he got labeling network equipment with IPs confused with labeling computers with usernames/passwords? Was the WEP incident pre-WPA? Maybe the card didn’t support WPA/WPA2? The article is new but you might be recalling a (way) past event?

    Maybe he’s just ultra paranoid – which would be a good thing. Playing the advocate here.

    To answer the question, no, I don’t think efforts are misplaced. As with any industry there are people trying to fake it until they make it. Especially the ones that are cutting-edge and still evolving.

  3. PM
    April 5th, 2012 at 00:07 | #3

    Unlike most people who may be reading this blog, I am what you may consider a n00b, newbie, etc. to security, and frankly, despite the repeated blogs, rants, etc. on how everyone should be practicing and implementing security, especially those new to the field, there isn’t a concise resource that someone like me can approach. For example, I am learning how to set up a *nix box; however, all resources I have been able to find assume presumed knowledge on my level of understanding permissions, etc. Granted, you won’t have a single resource covering everything, BUT it would be sensible to have links or directions on where I can read more about a topic I don’t know about. Secondly, no one to date, despite repeated requests to be a mentor, is willing to take me under their wing, so now if I go out into the real world and deploy a server for a friend to start with, I have no way of knowing whether what I have done is appropriate or whether it lives up to the desired security standards. I am not against learning; what I have a problem with is that many people don’t want to put their money where their mouth is, i.e. if I request you to be a mentor, why not, rather than saying I have to learn everything on my own….
