10 major misconceptions and erroneous statements in information security (infosec)
This is a slide set / summary of an article which was written by Rolf Oppliger and Bruno Wildhaber
There are many misconceptions in computer and information security that distort the view of reality. But to make meaningful security decisions, it is important and key to know and truly understand the misconceptions commonly found in computer and information security. In this article, we outline and discuss the misconceptions we think are most common and influential. We divide the misconceptions into three groups, namely social and behavioral misconceptions, technical misconceptions, and false estimations. The aim of the article is to prepare the stage and provide a better understanding for all questions and answers related to computer and information security.

Rolf Oppliger and Bruno Wildhaber are information security practitioners with many years of academic and practical experience with private and public organizations. All the misconceptions in this article have been encountered many times and in different constellations.

Full article available at AMAZON

Published in: Business, Technology
Transcript

  • 1. © Wildhaber Consulting, Zürich 2011
    10 major misconceptions and erroneous beliefs about information security (Infosec)
    Written by: Bruno Wildhaber & Rolf Oppliger
    Full article available at: http://www.amazon.de/Misconceptions-Computer-Information-Security-ebook/dp/B006UGHYRK
    Friday, 4 October 2013
  • 2. All Important Information MUST & CAN be Secured
    FACT is:
      • Organisations don't know their assets
      • Organisations protect only 5 to 10 % of their data
      • Only structured information is secured
      • Unstructured information is not touched and not classified
      • Organisations collect data in "digital landfills", instead of managing information properly
      • Without proper data identification at the source there is no information security
  • 3. The Internet Can Be Secured
    FACT is:
      • The Internet was never meant to be secure(d)
      • Not even parts of the Internet can be secured
      • Even a layered security model will not enable sufficient security
      • There is nothing like "a secure Cloud"
      • But End2end security is viable
  • 4. There Is Not Enough Money For Infosec
    FACT is:
      • InfoSec budgets have increased disproportionately over the last 10 years
      • IT budgets have been frozen, Security budgets not
      • Absolute figures: Approx. 80 bil. was spent on InfoSec in 2012 (8% more than 2011)
  • 5. InfoSec Certifications (such As ISO27001) Increase Infosec
    FACT is:
      • Implementers and auditors focus on controls, not on the management system
      • All management systems should be implemented top down, real implementations go vice versa
      • Only weak organisations get certified
      • Countless standards lead to de-sensibilization of the organisations
      • Standards favour inefficient and clumsy organisations
  • 6. IT Risk Can Be Managed
    FACT is:
      • There are no values for 95% of all InfoSec risk which would allow to calculate the risk
      • You can only manage what you can measure
      • Only project risk can be measured
      • Most actual risk methods are inappropriate, even dangerous because of their credibility
      • A fool with a tool is still a fool
  • 7. The Identification Challenge Is Not Solved
    FACT is:
      • Identity threat is an important issue, because identity has a value
      • This is a risk based approach: Identification only increases if the potential damage of the provider increases significantly (credit card or ATM discussion)
      • Digital Signatures could be implemented, but nobody wants to carry the cost
      • Potential risk is too low
      • The real challenge lies in cross-border transactions and the awareness of users
  • 8. Digital Signatures Are Obsolete
    FACT is:
      • Identification has not reached the necessary levels
      • Threats will increase, and so does the demand for better identity management features
      • Governments will be forced to build national identity systems
      • Trust will be delivered to trusted groups and peers
  • 9. There Must Be More Prevention
    FACT is:
      • There is too much prevention
      • The control/measure triangle is 85% on prevention, 5% on monitoring and 10% on recovery
      • Reduce prevention but increase monitoring
      • Focus on important controls (80% - 20%)
      • Neglect non-important risk
  • 10. There Is A ROI On Infosec
    FACT is:
      • InfoSec is about risk management and not about making money
      • No security measure can produce value
      • Security can only protect and defend, but not create
      • Nobody would hire a bodyguard with the intention of creating a business case
      • ROSI is an insult to the experienced manager
  • 11. InfoSec Needs The "Need To Know" Principle
    FACT is:
      • Biggest misconception in commercial InfoSec
      • Data must flow to release potential, e.g. to create value; this is true for 98% of all data
      • Need to know is only applicable to classified (confidential) information
      • All other information must flow freely
  • 12. Firewalls Are An Appropriate Security Measure
    FACT is:
      • Firewalls have always been an inappropriate measure to re-establish the IT fortress
      • Firewalls are based on an ancient security approach
      • Firewalls are an in-house measure, not appropriate for Internet or open network transactions
  • 13. End User Devices Can Be Secured
    FACT is:
      • PCs and other devices can neither be secured nor controlled
      • YOU MUST NOT blame the end user!!!
      • Don't whinge about insecure devices... just take it as a fact!
      • The end user defines the device he/she wants to use
      • Business will define the security level
      • IT must support all devices (support or perish...)
      • Cloud computing will support business users
      • Implement end2end security
  • 14. Contact
    Wildhaber Consulting, Glatt Tower, 8301 Glattzentrum, Switzerland
    www.wildhaber.com
    Twitter: @brwildhaber
    Secure Mail: https://secure.csnc.ch/inbox/a4Rb8Fd1bMdcQg
    NEWS: Information Governance News