Why Don't IT Generalists Understand Security?


Why doesn't the rest of the IT department understand what encryption and passwords can and can't do? And does it matter?

(Comments, page 2 of 4)
Sara Peters
User Rank: Author
10/9/2014 | 12:16:32 PM
Re: IT Security
@anon  Now, this is interesting. You say "I'm in the camp that believes security specialists should be separate from general IT and risk management." Can you explain a little further? Do you think that the security department should be completely outside the IT department? Should physical security and infosecurity work together? Also, I tend to think that security people need to be more focused on risk management, and thought that maybe they should be part of the same department. I'm guessing you disagree? 
Sara Peters
User Rank: Author
10/9/2014 | 12:32:37 PM
Re: IT vs. InfoSec
@KillerB  Nice analogy. So ultimately, security will always lag behind convenience. The more we want to do with our computing systems and data, the more secure we'll need to be, and it will just be a never-ending journey.

Let me ask you this, then. Are we best off letting IT generalists do all their blue-sky stuff without security in mind, and then cleaning up afterwards? Keeping those responsibilities separate? Or would we be better off getting everyone working together sooner?
User Rank: Apprentice
10/9/2014 | 12:45:14 PM
Re: IT professionals
I think I disagree, unless you agree with this point. You have to define "ins and outs." No, I do not think every IT professional needs to understand in depth HOW the encryption works; however, they should understand which implementations work best for the desired protection. Full disk, for example, to protect data on a computer where the users are logged off or the machine is off. Shared key or PKI for protection of data during transmission. And so on. They should have enough knowledge to suggest an applicable solution.
User Rank: Moderator
10/9/2014 | 12:57:20 PM
IT vs Security
This is an interesting discussion question. Many times, those in IT don't understand Security because they simply don't want to. Often times, companies do not have the ability to have an entire Security department so it falls to the IT people to fix it.

But having been on both sides of the table, I can say that Security people are laser-targeted specialists and IT folks have to know a lot about everything. That's the biggest difference between the two. Security folks have to know everything about networking and how to fix things, on top of how to secure it all. That's why many degree programs that used to combine Security and Networking have split into two different competencies at the University level. That's why Universities like Capella offer an Information Assurance and Security Master's Degree with the specialization in Network Defense or in Forensics.

General IT programs teach IT folks how to fix things from the inside out of a computer. They have a basic understanding of networking and they know how to fix a bunch of stuff. Put them in front of a firewall and tell them to configure VLANs and rules to let traffic flow through and they freeze because that's not something they are familiar with.

However, give that same task to someone who is specialized in Security and they will ask you "How segmented do you want the VLANs to be? What ports do you want traffic to flow through?" That kind of thing. They are specialized for a reason.

As for the media...while I do appreciate a good media story now and again, often times the media will emphasize the wrong thing and not get the real message across. For example with the JP Morgan Chase breach, it's been said that it's not a concern to the company, which is not the case. Chase is very concerned about the fact they were breached and they are doing what they can to mitigate the situation. Whether that's the fault of the media or the editors, I haven't really figured that out yet.
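An added illustration of the segmentation task the comment above describes (this is example configuration written for this page, not the commenter's own ruleset): an nftables ruleset for a firewall that routes between three VLAN sub-interfaces. The interface names and VLAN IDs (eth0.10 admin, eth0.20 users, eth0.30 servers, eth0 as the upstream link) and the allowed ports are assumptions for illustration. The answers to "how segmented?" and "which ports?" are exactly the explicit accept rules; everything else falls through to the chain's drop policy.

```nftables
# Added example ruleset, not from the comment above. Interface names, VLAN
# IDs and allowed ports are assumptions chosen for illustration.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        icmp type echo-request accept
        # the firewall itself is managed only from the admin VLAN
        iifname "eth0.10" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # users -> servers: only the published services
        iifname "eth0.20" oifname "eth0.30" tcp dport { 80, 443 } accept
        iifname "eth0.20" oifname "eth0.30" tcp dport 53 accept
        iifname "eth0.20" oifname "eth0.30" udp dport 53 accept

        # admin -> servers: remote management only
        iifname "eth0.10" oifname "eth0.30" tcp dport { 22, 3389 } accept

        # inside -> Internet: web only
        iifname { "eth0.10", "eth0.20", "eth0.30" } oifname "eth0" tcp dport { 80, 443 } accept

        # anything not matched above (servers -> users, Internet -> inside,
        # lateral traffic) is logged at a bounded rate and then hits policy drop
        limit rate 10/second log prefix "fw-drop: "
    }
}
```

Load it with `nft -f <file>` and inspect with `nft list ruleset`. Rules are evaluated top-down, so the `log` line sees only traffic that no accept rule claimed, and the drop policy, not the log statement, is what actually discards it. Note that there is deliberately no rule from the server VLAN back into the user VLAN: a compromised server cannot initiate connections to workstations, which is the point of the segmentation.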
User Rank: Ninja
10/9/2014 | 1:53:49 PM
Re: IT vs Security
"I can say that Security people are laser-targeted specialists and IT folks have to know a lot about everything."

To that I disagree, and here is my reasoning. In my opinion an "IT Generalist" is not really IT; they're someone whose interests are geared more toward business interests, getting the project in on time, or project managers. Someone only interested until the system/project is handed off to IT professionals who must administer and maintain what they've been handed. Ask any person who's made their living in IT working with systems or the core infrastructure how your company's IT environment is configured. When a generalist needs something done they go to the specific IT personnel that can accommodate their needs, whether that be admin, application, database support or something at a higher level. Also, I believe that the BEST security folks come from the ranks of IT professionals like SYSADMINs and network engineers.

Security professionals, while "laser focused", must know a lot more than just the security side of things, and that said, there are so many different areas of security I can understand why people would think it's that simple. OK, now putting aside the argument of whether the CISSP certification is worth it (I believe that it is, others don't), I've listed below the ISC2 10 Domains of Information Security. I've had my cert for over 10 years now, and I have to tell you that my laser cannot focus on all of that... there's no way, and anyone who says that they can is lying to you. Like any other profession with multiple levels and concentrations, you find your niche and resources.

What I think the real problem is, is that it's not who gets it more, it's communication, because neither side wants to listen to the other. For instance, there is a project to design and build out something to do something really cool for the business. The system design team may not include security because it's going to change how they want that system to do those very cool things and they may not want to hear it... just apply security once it's up and running. Security knows that once it's up and running (which is when we normally find out it's even up and running) it's too late in most cases to build proper security processes or systems into whatever is being planned, therefore requiring extra effort from all teams involved (again) afterward instead of during the design process.

I would invite anyone in my company to come walk a day in my "security shoes"... user awareness... phishing emails... CRYPTOLOCKER... CRYPTOVAULT... other assorted malware... firewall rulesets... PCI... HIPAA... SOX... penetration testing... compliance configurations... vulnerability scanning and reporting... explaining why any vulnerability on any Internet-facing device should not go unresolved regardless of how minimal... C-level people who want non-expiring passwords (yeah), web filtering... user access management and my very favorite thing to do, a knife fight with the DBA over database security for MSSQL vs Oracle.

Thanks, I've said enough and I hope I haven't made too many folks upset.


ISC2 10 Domains of Information Security
1. Access Control – a collection of mechanisms that work together to create security architecture to protect the assets of the information system.
2. Telecommunications and Network Security – discusses network structures, transmission methods, transport formats and security measures used to provide availability, integrity and confidentiality.
3. Information Security Governance and Risk Management – the identification of an organization's information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.
4. Software Development Security – refers to the controls that are included within systems and applications software and the steps used in their development.
5. Cryptography – the principles, means and methods of disguising information to ensure its integrity, confidentiality and authenticity.
6. Security Architecture and Design – contains the concepts, principles, structures and standards used to design, implement, monitor and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity and availability.
7. Operations Security – used to identify the controls over hardware, media and the operators with access privileges to any of these resources.
8. Business Continuity and Disaster Recovery Planning – addresses the preservation of the business in the face of major disruptions to normal business operations.
9. Legal, Regulations, Investigations and Compliance – addresses computer crime laws and regulations; the investigative measures and techniques which can be used to determine if a crime has been committed and methods to gather evidence.
10. Physical (Environmental) Security – addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprise's resources and sensitive information.

User Rank: Strategist
10/9/2014 | 2:15:21 PM
Re: IT vs. InfoSec
@Sara Peters Yes, it will be a never-ending journey, until the journey ends. Some businesses will have a longer journey than others. The length of the journey will be directly correlated to the business' understanding of the cost of a security failure. The failure does not have to be the theft of data, but could be just a takedown. Take Code Spaces, for instance: their failure was due to a poor understanding of their security exposure. Because of this they succumbed to a takedown. Their data was not stolen; their house was burned down. It would be interesting to know the ripple effect, what other businesses were impacted and to what degree because their data was lost.

To your questions. No more security as a bolt-on. It will take time, but security must be included in the design/planning phase of projects. However, this will come with culture change in the organization and also at the college level. If security is included up front we will significantly reduce the ridiculous flaws (Bash, anyone?) that show up. They cannot be separate; they must work together. IT and InfoSec are two different disciplines, not responsibilities that share the same platform. IT does the moving and storage; InfoSec does the valuation and protection of what was moved and stored.

Another analogy. IT/InfoSec are like man and woman. Each has a specific roles, disciplines and skill sets. But left to themselves they will not alone propagate the human race. They must come together, do a little dance (you know the rest) and keep things moving forward.

One last thing. Money plays a big role in this as well. Money is the great equalizer; you pay for something that has value. If it does not cost something, you should question its value. Open source, freeware, whatever you want to call it, should give you pause. If your data has value to you, you should protect it from theft or getting burned down. If the owner/board of directors doesn't understand this, then you have a culture problem and are a Code Spaces waiting to happen. If the boss gets it, but the IT team doesn't, then you have options: find a new IT team.
User Rank: Author
10/9/2014 | 4:20:31 PM
It's probably a lack of understanding of exactly the challenges posed by information security. I believe most IT people consider information security folks to be the goalies. It's their job to provide a barrier. In IT's mind that just means more hardware, which is a subset of IT's world.

Good IT people are more focused on operational efficiency, capacity planning and making improvements across the board. Outsourcing IT and cloud solutions has increased IT's visibility and given them a seat at the executive table as they're now key revenue drivers.

Info Sec is a different animal altogether. They have all the above concerns, but they also lack influence. IT security is a cost and a drag on the bottom line.

That can have all sorts of consequences, but namely they're the last to present, the last voice heard and used to be the least interesting voice in the board room. However, that's going to change.

The key now is to have people who can translate info sec needs into language that not only IT can understand but also executives. Most executives are risk averse, they just need to understand the risks.
User Rank: Apprentice
10/9/2014 | 5:25:55 PM
There's no middle ground
I put a lot of the blame on the security people building a moat around their castle.

I'm a software person, but by studying for (and actually testing for) an appropriate certification I can 1) learn a lot, 2) learn the common language I need in order to talk to my peers, and 3) get a credential that will tell my peer's boss to give me a chance. I'm not asking for free rein just because I have a stupid cert; I just want a seat at the table to express my concerns instead of being treated like an idiot later by people who might know less about their subject than me.

Unfortunately security has gone the other way. I can pass exams but, except for CompTIA, I can't get certs because they all require extensive job experience where your only job is security. That means it's a lot harder for me (and others like me) to act as a bridge between development and security teams, it means I have a harder time advocating for little things that will improve security, etc. There's no way to distinguish myself from a guy who read a few DZone papers and is now convinced he has all of the answers.

Sure, some people know what "Associate of ISC2" means, but few will care since infosec isn't my job. It's even worse with CEH - you can make a strong argument that at least one person on every user-facing team should be a CEH but nobody can get it if they're developers, not infosec.

The flip side is also an issue. Since infosec people are expected to focus on infosec they never develop the breadth of experience that will allow them to easily communicate with their non-sec peers. So instead of being involved in early design (or even architectural) meetings and discussing their concerns in a way that the developers, DBAs and sysadmins understand they come in later with decrees that often make no sense from our perspective and then wonder why there's anger.
User Rank: Ninja
10/10/2014 | 7:18:09 AM
security starts with software control
the common thread in all this hacking is : malware

malware is un-authorized software

the key to security then is controlling the software.    and you can only do that by starting in the os -- and that is where the real trouble is.    and only the os oem can fix it.    you cannot fix it by tacking on patches.

data encryption and secure passwords are easy to use -- but useless if your system is compromised with unauthorized programming.
User Rank: Ninja
10/10/2014 | 9:50:49 AM
Re: IT vs Security
@ODA155 "What I think the real problem is, is that it's not who gets it more, it's communication, because neither side wants to listen to the other. For instance, there is a project to design and build out something to do something really cool for the business. The system design team may not include security because it's going to change how they want that system to do those very cool things and they may not want to hear it... just apply security once it's up and running. Security knows that once it's up and running (which is when we normally find out it's even up and running) it's too late in most cases to build proper security processes or systems into whatever is being planned, therefore requiring extra effort from all teams involved (again) afterward instead of during the design process."

That hits the nail right on the head, as the saying goes. When it comes right down to it, most IT security issues boil down to design flaws or weaknesses, whether it be in software, hardware, or architecture. In over 20 years of IT experience including software development, desktop standardization, server infrastructures, network engineering, business analysis, security, and management, I have seen IT groups focus almost exclusively on the design and delivery of technology without bothering with the security aspects of their solution. And yes, too many times security is brought in as an afterthought. There are tremendous pressures on IT to deliver technology that enable business processes, and if security and IT are on a linear reporting structure, security will almost always lose, and securing the technology will be a catch up game at best. Needless to say, there is also a communications gap between IT and security. As you know, ISC² maintains that soft skills, along with the 10 domains, are vitally important to a security professional. Security folks must communicate their security goals properly and effectively, to ensure that security is involved at the design stage of any IT technology project. At the same time, IT must also listen to security, and together, they should collaborate as a team to deliver secure solutions that enable business processes to function efficiently through the use of technology. I also teach InfoSec, and I drive that point home to my students; in fact, I always recommend to them books on effective business writing, communications, and teamwork and leadership skills. It is well known that soft skills rank very high on the "wish list" for security job openings, sometimes even rating higher than actual technical skills, especially at the management level. Incidentally, I agree that the CISSP certification is valuable (or else I would not have gotten it). 
At the very least, it shows that an individual not only possesses broad knowledge in security, but also has practical experience in the application and deployment of secure practices.