By Jason Wittick • July 5, 2016

How to Fail at InfoSec

With the ever-present and growing number of cyber criminals, hackers, data breaches and electronic scams described by mainstream media on an almost daily basis, it’s clear that information and data have become two of the most valuable targets for thieves.

Despite best practices, security standards, and a near-constant chorus of experts calling for greater vigilance, most of the actual threat to Information Security continues to come from users, bad habits and complacency. New policies and procedures can be drafted, reviewed, and approved ... but unless they are both applicable and properly enforced, users will naturally revert to their previous behaviours.

Let’s take a look at some of the best ways to really fail at Information Security in spectacular but realistic fashion … and remember that despite best intentions, many of the following things actually happen at least once, somewhere, every day:

Failing on Policy

  • Create a security policy just to satisfy a checklist or requirement
  • Design impossible or unrealistic security policies
  • Hire an ignorant or inexperienced person to write security policy
  • Translate policy into different languages without consistent meaning
  • Deploy and enforce policy which has not been officially approved
  • Assume that:
    • Users will read policy simply because they were asked to
    • Policy does not apply to executives
    • Policy that worked last year will be fine without review

Failing at Compliance

  • Ignore requirements and guidelines
  • Prematurely insist on adopting a framework that is too strong or too strict
  • Blindly follow compliance requirements without creating overall security architecture
  • Assume that:
    • Being compliant means your data is secure
    • You can hide from or avoid auditors and assessors

Failing with Tools

  • Purchase security tools without thinking about implementation and maintenance cost
  • Deploy a security tool without first tuning, customizing, or configuring it
  • Tune intrusion detection system alerts to be too noisy, or too quiet
  • Do not monitor anti-virus, intrusion detection or other security tools or systems
  • Use security technology without understanding how it works
  • Do not acknowledge, remediate or respond to vulnerability scan results
  • Assume that:
    • A single tier of firewall or anti-virus products will protect you on their own
    • Expensive tools are superior or necessary simply because they cost more

Failing at Risk Management

  • Apply the same security profile to everything, regardless of risk profile
  • Do not provide a person who manages risk with any power to make decisions
  • Obsess over an asset’s value without thinking about exposure factor
  • Classify all data as ‘top secret’ to make it more secure
  • Assume that:
    • Your company is too small or insignificant to worry about information security
    • You must be secure because you haven’t been recently compromised

Failing with Security Practices

  • Do not review system, application or security logs. Ever.
  • Truncate or delete logs because they grow too long and unwieldy to read
  • Secure infrastructure so tightly it becomes difficult for employees to do their job
  • Impose new security requirements suddenly, without training or necessary tools
  • Prohibit using external USB drives while allowing unrestricted outbound internet access
  • Do not define a demilitarized zone for Internet-accessible servers and components
  • Hire security personnel because they have many, many certifications
  • Segregate employees, their roles and their responsibilities into ‘silos’
  • Never cross-train IT and security personnel. Ever.
  • Only worry about preventative or protection mechanisms; ignore detective controls
  • Assume that:
    • Patch management is working well without actually checking
    • Users will naturally choose to forego convenience for the sake of security
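The points above about never reviewing logs, truncating them because they grow unwieldy, and ignoring detective controls are easier to appreciate with a concrete detective check. The following is an added example, not code from the original post: it parses a handful of constructed, syslog-style SSH authentication lines, flags any source address that produces a burst of failed logins inside a short window, and produces a compact summary that can be retained even when raw lines are archived. The log format, the threshold of five failures in five minutes, and all addresses and usernames are assumptions made for illustration.

```python
"""Added example (not from the original post): a minimal log-review routine
showing why logs are worth keeping and reading rather than truncating.
It parses constructed, syslog-style authentication lines, counts failed
logins per source address within a sliding window, and flags bursts.
The log format and the threshold are assumptions for illustration."""

from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data). The format is assumed to be
# syslog-like: "<timestamp> <host> sshd[pid]: <message>".
SAMPLE_LOG = """\
2016-07-05T09:00:01 web01 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
2016-07-05T09:00:03 web01 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51423 ssh2
2016-07-05T09:00:04 web01 sshd[2305]: Accepted publickey for deploy from 198.51.100.20 port 40211 ssh2
2016-07-05T09:00:05 web01 sshd[2301]: Failed password for root from 203.0.113.7 port 51424 ssh2
2016-07-05T09:00:07 web01 sshd[2301]: Failed password for root from 203.0.113.7 port 51425 ssh2
2016-07-05T09:00:09 web01 sshd[2301]: Failed password for root from 203.0.113.7 port 51426 ssh2
2016-07-05T09:15:00 web01 sshd[2410]: Failed password for alice from 198.51.100.20 port 40300 ssh2
2016-07-05T09:15:30 web01 sshd[2411]: Accepted password for alice from 198.51.100.20 port 40301 ssh2
"""

# Matches both "Failed password for [invalid user] X from Y port N" and
# "Accepted publickey for X from Y port N" style lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_lines(text):
    """Yield (timestamp, result, user, src) for every line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown format: skip rather than abort the whole review
        yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def find_failed_login_bursts(text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: count} for sources with >= threshold failures in any window.

    A per-source deque of failure timestamps keeps the check linear in the
    number of lines; old timestamps fall off the front as the window slides."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, result, _user, src in parse_auth_lines(text):
        if result != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def summarize(text):
    """Aggregate (src, result) counts: a small record worth retaining even
    after the raw lines are rotated out or archived."""
    totals = defaultdict(int)
    for _ts, result, _user, src in parse_auth_lines(text):
        totals[(src, result)] += 1
    return dict(totals)


if __name__ == "__main__":
    for src, n in find_failed_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {n} failed logins from {src} within 5 minutes")
    for (src, result), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {result:9} {n}")
```

Run against the constructed sample, the burst check flags 203.0.113.7 (five failures in eight seconds) while the single failure from 198.51.100.20 followed by a successful login is left alone; that distinction is exactly what is lost when logs are deleted unread.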

Failing with Passwords

  • Require that users change passwords and credentials too frequently or not often enough
  • Deploy strict password requirements without considering how easy it is to reset them
  • Impose cryptic, confusing or overly complex password construction requirements
  • Do not use different passwords on systems that differ in risk exposure or data criticality
