Sunday, April 08, 2007

Closure on Security vs Security: We Like to Break [Stupid?] Rules!

If you remember, I set up this poll on which security measures are most commonly violated by security professionals. Here are the results so far:

Have you, a security professional, ever willingly circumvented a security measure?

Surfed to a blocked site, bypassing a content filter (22%)

Violated whatever physical security measure (18%)

Used a web-based email against the policy (16%)

Sent a document to home address against the policy (16%)

Used IM or IRC against the policy (14%)

Other - please comment on the blog (7%)

I NEVER did anything of that sort (3%)

So, what is there to conclude? Security people are people too. And, as I said in the past, security issues exist not because of a bad TCP/IP stack or buggy Windows; they exist because people are, well, people.

Think about it (but not for too long - your head might spin ... :-)): if you need to do your job (i.e. security) and a security measure (which you might or might not think of as "stupid" beforehand) stands between you and getting that job done, would you break it? I suspect that my little unscientific survey answers it: "hell yeah!" :-)

Now, can you blame your users for doing the same? I dunno :-)


Anonymous said...

It's bad form and it sets a bad example when security people break the rules they put in place. It's like the police breaking the law. If you have "stupid" rules, fix the rules or amend them to include exemptions.

Anton Chuvakin said...

Indeed! I won't say I am on the side of those who would break the rule that they consider "stupid" (it is a veeeeeeeeeery slippery slope indeed), but, at the same time, I have known of more than one perfectly ethical CISSP-ethics-code-enabled :-) security pro bypassing a web filter since they needed to check an article off SecurityFocus ....

My blog post doesn't give the answer - it raises a question!

Dr Anton Chuvakin