Thursday, March 22, 2007

When “Smart” People Make Stupid Security Decisions

Warning: Here’s the deal – I have had a week consisting of four “Mondays” in a row. Bad drivers and stupid people have been working my last nerve, so I gotta vent! This is an angry rant about stupid people. If you are a stupid person and you are easily offended, then you should turn away now. Maybe go play on a porn site for a while. Either that or get some brains and rational thought, and you can join us for some intelligent conversation.

Here’s why I’m angry - I read an interesting article recently that highlights the folly of allegedly “smart” people who show their information security ignorance and make stupid decisions when they don’t even understand the most fundamental of technologies and reasoning behind information security requirements. Then, when someone with intimate technical knowledge of what the issues are and how to solve them steps in, they are instantly rebuffed when even daring to mention the problems. I have experienced this type of thing my whole working life: I see people go through college, get a degree in underwater basket weaving, then somehow get into the pipeline to become managers. Either that or they drink their way through college, become lawyers or doctors, buy beemers, and act like spoiled children the rest of their lives. I had to laugh when I read the following line in this article:


“The attitude among the legal staff was, ‘This is my computer and my network; you’re just a computer janitor.’”


To give a quick synopsis of the article – there are a bunch of attorneys in a District Attorney’s office (city unknown). These lawyers are the very buffoons behind creating an environment which operates with a wide open network, wide open access to data, and confidential data exposed to anyone on the network (and possibly outside the network) who wanted it. Additionally, there were malware and peer-to-peer applications installed on numerous (most) computers throughout the office. When a network support person in the IT department mentioned the dangers of this existing environment, he/she was presented with numerous roadblocks – arguments from lawyers rationalizing how their activities (mostly music file sharing via Napster) were acceptable. Lawyers, after all, are great at making an argument to support ANY position, no matter how lame or morally wrong it may be. It appears from this article that they expended great energy to make their attitude toward information security seem justifiable instead of facing the fact that they were putting their network and data at grave risk. Essentially, non-technical people were allowed to dictate the standards for technical systems, and all because they didn’t want to be inconvenienced and have their toys taken away. The network support person was later fired for being insubordinate to his/her “betters.” In other words – he/she told these crybabies how it is, what it would take to fix it, and they didn’t like it. Need I remind you – this was allegedly a District Attorney’s Office. I sure wouldn’t want to be that District Attorney when the network gets breached, the data gets stolen, and even ends up getting distributed through the peer-to-peer sharing network. Notice that I didn’t say “if,” I said “when” because it is going to happen unless they fix it and fix it quick, fast, and in a hurry. What a story that would be in the national news! Of course it wouldn’t be the first time a top lawyer was found to be criminally negligent of something, now would it?

That is why this article seemed to call out to me: I hear of and even see the same thing every day. The attitude that:


“Your computer security mumbo-jumbo is fine for everyone else, but don’t you dare inconvenience ME!”


It’s all about “ME” and it’s all about the fact that these people are so very important that inconveniencing them would be the most heinous crime committed against humanity.

And this “ME” attitude is coming from people with master’s degrees, doctorates, professional status, and high power positions. Seems the richer they are, the more spoiled and whiny they are. The lawyers in this article are perfect examples. But not only are these types of people complaining about security that keeps them from playing with their toys on the corporate network, some managers these days are complaining about security measures that are revealing large numbers of vulnerabilities and security problems. It’s not even that there are problems that need to be fixed – it is that the numbers are making them look bad. It’s all about the numbers, and it’s all about looking bad. No thought is given to the fact that they look bad because they ARE bad. If they want to look good, then why not just fix the underlying problems? Is that so hard?

(This is the part where I rant about the bad drivers) This is the same population of people, no doubt, who are claiming the roadways as their own as they carelessly drive their beemers with no regard for others. While keeping a cell phone glued to their heads, they are then complaining that the speed limits and laws of common sense are keeping them from totally owning the road for themselves. In fact just today, one of these morons couldn’t find a parking spot at our building, so they parked their car in the motorcycle parking – how stupid is that? Justice was served – the campus police slapped a parking ticket right on that Mitsubishi. Hope the laziness was worth it. (Bad driver rant completed).

In many cases, it all comes down to this:


“Your security reports are making me look bad, so my management is giving me heat and withholding my budget until I fix the problems. So why don’t you come up with a way to make me not look so bad?”


They will try to rationalize how the data needs to be collected a different way so that the numbers (of problems) look better. My answer to that: Rather than waste so much time and energy trying to manipulate numbers to make you look good, why not just fix the problems and it will make you be good – for real! Manipulating numbers and hiding vulnerability problems is one way to make it look fixed, but taking real action will actually fix it. But, as one of my graduate professors often said: “Figures don’t lie, but a liar sure figures.”

Another clever issue evasion strategy: the smoke screen. When faced with data that clearly shows that their area has problems, the management will ask irrelevant questions and demand explanations in order to throw off or divert effort. They have no idea what they are asking in many cases, and often look like jackasses because their questions show their glaring ignorance of information security concepts. These activities will often tie up security professionals for days while they make every effort to ensure that they are explaining the justification for valid and relevant security measures. Security people shouldn’t have to do this – it is a waste of time and keeps them from the business of keeping networks secure. Security professionals shouldn’t have to agonize over how to explain something so simple to allegedly intelligent people. This is more like explaining to your small kids why they can’t run down the hall with scissors.

But time after time, these people want to send us off to find an answer that will appeal to their twisted sense of logic. It may not be the right answer, and it may not be the one that is actually going to solve the problems. This is what an acquaintance of mine refers to as a “find me a rock” exercise. Someone will tell you to go find a rock, and when you bring one back, they say: “No! That isn’t the kind of rock I wanted! Go find me another one.” These types of senseless tactics are meant to waste other people’s time and buy the stupid people some time to think up another excuse. And these people are making decisions! Wow – no wonder so many companies are in trouble.

OK – so let’s bite the bullet and see what it will take to do something about this. In the case of the lawyers in the story above, or even the situations I have described here, it is going to take some work - a lot of work - up front. It is going to take a huge amount of effort and many staff hours in the beginning. But the interesting thing I have found is that if a methodical plan is put into place, and some reasonable time given to remediate the problems, they will eventually get fixed or at least minimized to a tolerable level. If some well-spent time is dedicated up front toward attacking the problems, then the rest of the effort simply becomes a continual maintenance routine. If there are a lot of security problems, it is a matter of prioritizing them in order of severity, tackling the most serious first, cleaning up the rest, then putting a plan in place to keep them under control.

New security issues will always come up as new attacks are discovered, and patches from vendors are released. But if the bulk of the serious issues are already taken care of, then tackling these new issues will be a fairly simple exercise.

But in order for any of this to work, people’s attitudes toward information security have got to change. IT people are not janitors, the computers and network that people in the workplace are using do NOT belong to the workers, and these are not toys simply put in place for their enjoyment. Being negligent about information security can get people in trouble – big trouble. So before a plan is put in place to tackle the technical issues, perhaps a plan should be put in place to teach security awareness. Teach people why security is so important, how to be secure, and how they will be held accountable for non-compliance. The touchy-feely attitudes have got to give way to terminating buffoons who refuse to comply. If you were a CEO, and your employees continually put your company’s finances, data and reputation at risk, just how long would you put up with it?


My Closing Thoughts:

Computer Janitor – indeed! My last tax return I reported income from salaries and earned military pensions in the $$$,$$$ range (six figures for you folks who didn’t get it). Many of my colleagues are pulling down similar salaries, and they are so far from being janitors – to make a statement such as that, or even think such a thing, is just so wrong. I don’t know too many janitors who make that much money and have post-graduate educations. But I see all too many instances where otherwise smart, educated people feel and behave just that way – they feel that the equipment and resources that they use on the job don’t belong to anyone but them, and that the IT people are just there to help them when they can’t figure out how to copy a document from one folder to another, or their mouse isn’t doing the little “clicky” thing like it should. Heaven help anyone who should inconvenience these poor babies by telling them that they can’t run Napster unabated on the corporate wire. Give me a break! Maybe there is a lot of validity to Nick Burns’ (Saturday Night Live) attitude toward users. Automatic drink holder giving you problems today?

Oops – gotta run. Time to get out the Swiffer and get after those viruses. And by the way… You’re Welcome!!!

Reference: “When Lawyers Use Napster At Work” (Anonymous, InfoWorld, 2/27/07)
