The good, the bad... the annoying

As usual, SC Magazine's readership survey has been most revealing, giving a fascinating insight into the mood and daily lives of our readers, and many of their quotes are show below.

Our opening questions ask readers to nominate their biggest problems in the past and future. Many still struggle with the stupidity of end-users (or, more diplomatically, their lack of security awareness), while others say it is the timely patching of vulnerabilities.

One respondent blamed all his problems on Oracle; several saw Microsoft as the main source of their woes.

Another reader from the US military summed it up as "hostile management". Many others complained that the work involved in achieving regulatory compliance would really do little to improve security.

Question 4 asked people whether they were optimistic about the future of IT security. While many in the private sector said they were hopeful that things were improving, readers in the public sector (both in the US and Europe) were almost unanimous in their view that lack of funds will damage security.

Where they differ is on budgets. Most private sector readers expect them to rise, albeit not spectacularly. The public sector professionals have no such hopes.

It is a point that our politicians should take account of, given the importance of our profession.

We also asked readers to say whether any tool or technology had helped them in 2005. Many mentioned spam filters and general email management tools, but no product stood out as a favourite.

Here is a selection of the responses, which reflect the survey's general mood.

Many thanks to all of you who replied.

Q1 From an information security viewpoint, what was your biggest problem during 2005?

"The use of outsourced programming and manufacturing companies. How to share data etc. securely."

"Spyware. Not so much the leakage of confidential data as the theft of resources – user complaints of strange problems and lost productivity; the staff time to investigate; the increased number of systems to be imaged and re-imaged."

"My IT security manager not reviewing the commercial realities of a proposal before making it – that is, security staff getting tied up in the mechanics and hysteria without paying enough attention to the needs. The old ROI chestnut."

"Secure management of multiple PINs and passwords for multiple uses (work, banking and other internet accounts)."

"Patch management. We don't have the resources to regression test all our systems and applications in response to three or so "critical" MS/Oracle/Veritas updates every month. Consequently, we've been burned when Microsoft patches interfered with production systems."

"Spyware. More specifically, keystroke loggers that get installed via ActiveX controls on websites. Some of these are installing themselves in a way where they don't show up via task manager or the tasklist command, but we know they are there because we see the traffic."

"Incident response. Developing an incident response capacity in-house or to outsource is the hardest decision we have had to make and we are still evaluating the options."

"Probably from a technical point of view, trying to maintain patches across 6,000 desktops is verging on the futile. From a non-technical point of view, it's maintaining and promoting policy to 11,000 employees, whose abilities and access to IT facilities will vary hugely."

"Data sticks"

"Spam mail has increased dramatically. Spyware is also becoming a major problem, legitimate organisations might use it to "benefit" our web experience, but this has been a major headache."

"Clueless users, with executives and sales staff being the worst."

"In the medical environment, nurses and physicians bypassing security for the sake of convenience. Even after HIPAA training, we were aware of the simplistic nature of passwords, in part due not to having complexity for password setting turned on the Microsoft network."

Q2 Where do you see the greatest problems coming from in 2006?

"Data stewardship. Specifically, obtaining data owners for data panels used by multiple groups."

"Malware/spyware for hire is now the number one problem, and will be the biggest threat in 2006. As soon as vulnerabilities are found, they are exploited. The cracker community has outpaced the security industry, and the IT manufacturers patch when and how it is in their best interests to do it."

"Windows-based rootkits can hide themselves from detection of the OS. RSS, while it is a very cool and useful tool, can eat up all your bandwidth if you let end users configure how often the feeds get polled. People all want information and they want it now."

"It has always been user training and helping senior managers understand, or even be interested in, infosec. Over the past 24 months, we've invested in AV, anti-spam, anti-spyware, and IDS/IPS. If some new security threat requires further investment to establish countermeasures, getting budget will be difficult. Unless we keep "drip-dripping" with policy, people will become complacent."

"Deperimeterisation. I am being asked for all nature of connections to our network, from PDAs and USB drives to wireless GPRS devices."

"An increase in the number of botnets. As large criminal organisations invest in this activity, the number and complexity of these attacks will probably increase. Spyware will also be a major problem. As long as large organisations legitimise its use, for whatever reasons, it will become a major issue for network traffic."

Q3 On balance, are you optimistic in the battle for security? Or are we struggling to keep up?

"The battle for security is unwinnable. Only an uneasy equilibrium is possible between malware authors and network admins. As always, the defenders must win every battle while the attackers need only one victory to achieve their goal. But this might be a good thing. Just as when an infant gets mildly ill, the exposure helps them build a stronger immune system to fight more serious illnesses later on, so IT systems and networks also seem to need regular minor security incidents to force the deployment of better defences and spur improved software development."

"Optimistic, although Microsoft seems to keep the same level of fault/product ratio that it's always had, which isn't particularly helpful."

"I'm public sector. The resources we need most are worthwhile staff, which the system militates against. More government money doesn't mean more of the right resources, just more waste."

"I'm not optimistic. The bad guys are getting cleverer and we have to continue to support people who hold technology in such esteem that it can do no wrong. We need perfect technology to remove human failure before we can consider we're winning the battle. But it doesn't exist, and so we're always going to get 'human firewall' failures."

"We are struggling to keep up. Most designers are still not designing security into their applications, whether at the requirements or software implementation level. Removing all uncounted string operations (gets, strcat, and so on) from the C language would be a big step forward, but nobody has the courage to do it because 'it would break existing programs'. Any program that uses any of these calls is already broken. Equally, at the requirements level, people simply don't think of security when assessing the business case for a new application. If security is tacked on afterwards, it tends to be inadequate or get in the way of people trying to do their jobs. Many British government systems seem to experience problems in this area."

"Optimism has no place in the security market space by its very nature. My advice is NEVER hire an optimistic security expert. Optimists should work in marketing not security."

"My systems are heavily protected, Posix based, and connect on demand, so they are not under any immediate threat. The biggest part of the threat is the general public, who have no clue about maintenance, security, or lowered bandwidth. That being as it is, security will always be an uphill battle, as zombie machines by the score will be an available tool. Furthermore, with governments that are generally clueless about the realities of computing and security, there is little hope for any kind of help from that end."

"It is a constant struggle and Microsoft fails to make it simpler for the small or medium-sized enterprise."

Q4 Are new regulations and legislation helping you to do your job, or are they making it more difficult? Have they resulted in you getting more resources?

"They're making our job a lot harder. An entire industry has grown up around compliance, staffed by misinformed people who don't understand IT and spread fear, uncertainty and doubt in their quest for large consulting fees or to justify their own positions. We have received more resources in the form of a single staff member whose job is just to deal with regulatory issues and keep the Chicken Littles at bay. Five years ago, however, we didn't need an employee like that."

"It was difficult enough deciphering the legislation and finding a sensible synopsis. It was even more difficult getting buy-in from the board. But no further resources have been released for information security – even as a consequence of the above."

"These guidelines are the only thing that keeps the users from completely screwing up the system"

"New regulations and legislation have created more work, but it is 'grudge work'. Money people do not see an ROI from it."

"Yes, they are helping to highlight the need for security and getting some security measures in place. However, they are also hurting security, because they go too far (and/or the outside auditors push them too far) in requiring more security processes that do not add any real value to the business or to the overall security goals. As a result, businesses are tagging some worthwhile security efforts with the 'more stupid bureaucracy' label."

"Legislation is helping to identify areas that may not have been looked at from an IT point of view - archiving, retention and encryption have certainly been brought to the forefront. However, much of the legislation is contradictory and very difficult to implement. Much of the information has been directed to IT providers when in effect much of the legislation affects HR and the organisation as a whole."

"I think that Sarbanes-Oxley, GLBA, and similar legislation and guidelines have succeeded in focusing management's attention more towards security because they have been forced to do so. Unfortunately, it sometimes creates the expectation that if it isn't required for compliance with a piece of legislation, it doesn't matter even if it is a good security practice."