Are Security Efforts Misplaced?
Warning... this is a bit of a disjointed rant!
I won't reveal the person's name, but recently I chuckled when reading a Facebook status update from someone I knew in high school. His comment was along the lines of, "My boss asked me to label our switches with their IPs, so I asked if we should post the configs along with the usernames and passwords on the internet. My boss has a wonderful concept of 'security'".
This person is a graduate of a post-secondary computer program, probably not unlike the program that I graduated from and now teach in. I want to know who, during his education, said "labels are insecure" and drove this idea into his head to the point that he would call out his boss on Facebook over it. I want to know who this professor is because I want to see them stripped of their right to teach.
However, if we ignore that someone is passing along incorrect information, this seems to be part of a larger issue. I noticed numerous comments on Facebook laughing at the status update, perhaps by people that know nothing about computers but, even worse, they might be people that work in IT. I have to ask myself as a security professional and as a security professor if all of my efforts are wasted. Do we really have people working for companies that feel proper security means not labelling equipment?
I then realized that this is likely part of a larger problem. We have people everywhere doing jobs that they aren't trained for and aren't prepared for. As we focus more and more on security, we are forcing developers, network admins and sys admins to focus on security, but we're never telling them what matters and what is involved in security. It's not unlike when I took my first job after I graduated and cried my first day. The previous sys admin had enabled WEP on their wifi ("for security") but had also put their Win 2K box acting as a DC and running Exchange 2K directly onto the internet. Not even a Linksys router in the way, just straight into the DSL modem.
So are we wasting our efforts? Is there any point in looking at security when there are so many SMBs that have a single IT person or an outside consultant who has no idea what to do? A lot of people dislike standards like PCI, but maybe this first step, a simple checklist, is exactly what we need. Maybe instead of user awareness training, we need to start talking about IT grunt training, because how do we get the users trained if their likely trainers don't know what's going on?
If I were told it was a security risk to write IPs on switches, I'd really have to ask why someone is able to get access to the switches in the first place. That would be the real security risk... who cares about the IP if someone has physical access.