un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

Two separate things I wanted to write about in here today.

The first was an article in Infoworld on a Cyber-Ark study into IT employees gaining unauthorised access to company systems (thanks, Martin, for the link). Even though most security people are open about their concerns over the insider threat, the “nice guy” in me was still surprised to see the study find that:

one in three of the roughly 200 IT employees participating in the study admitted to somehow gaining unauthorized access to company systems for the purpose of reading sensitive materials.

And this was from an Information Security event!

Naturally you have to take these sorts of survey results with a grain of salt, so I jumped over to the news release for a closer look and found even more findings of a “well, I knew it was bad, but I didn’t realise it was that bad” nature:

more than half of people still keep their passwords on a Post-It note, in spite of all the education and reminders to do differently.

This included Administrative level credentials.

These sorts of security problems remind me of all the hours I spent at university working on technical solutions to exactly this problem (nothing has changed in 3+ years, people), and it becomes all the more apparent, not that it wasn’t already, that the problem has deeper roots than technology, people and policies alone. There might never be a perfect fix for it.

The second thing I wanted to mention is that NIST has just released a draft of their Guidelines on Securing Public Web Servers, and after a quick skim I was quite pleased with it, in particular the section on “Recovering from a Security Compromise”. I know that plenty of people out there are fantastic at configuring servers and web applications, but compare that with the number who could successfully recover from a security compromise and gather useful forensic evidence along the way, and you would be greatly surprised.

