The enemy within

WALT KELLY’S Pogo the Possum is a classic comic strip, and Kelly’s greatest contribution to the language may well be the immortal line, “We have met the enemy and he is us.” I find it hard to dispute that point, particularly as it applies to IT folk and the way many of us approach security.

Unfortunately, too many of us view security as a necessary evil. We complain about users who scribble passwords on Post-it Notes that are stuck to monitors, in plain view of anyone who cares to visit our veal-fattening pens (or cubicles, if you insist on being polite). Then we turn around and use lightweight passwords ourselves, use the same password on different systems, and break every other rule of computer security — even when we know better.

I put myself at the head of that category. After all, I used to be an IT manager, I cover security, and I preach on the subject weekly. So, you’d think that the systems I manage at home, in the InfoWorld Test Center lab, and for friends and family are all tougher to get into than Fort Knox. Well, as I mentioned a few weeks ago in connection with one of many mail servers I run, nobody — starting again with me — is perfect(see ” Processing onward “).

This time, my confession isn’t driven by a recent discovery that someone’s suborned my systems. However, it wouldn’t surprise me to find out that one box or another has been rooted; I might be embarrassed for a day or two, but I figure it goes with the territory.

After all, even the boxes in my relatively simple lab represent a complex environment. Just keeping up with patches is a chore. Trying to figure out why this server or that server won’t accept one patch or another is often pure guesswork, and this happens more frequently than it should, even when the box in question is running 100 percent Microsoft products. (Hmm … “Maybe that’s part of the problem,” he said cynically.)

The issue of “the enemy within” crossed my radar Halloween week, when The Register picked up — and printed in practically verbatim form (naughty, naughty) — a press release from Defcom Information Security, a British consulting shop. The release indicated that 58 percent of surveyed senior IT managers believe their own IT staff present the greatest challenge to securing systems, and 67 percent considered the complexity of today’s security threats enough to overwhelm the skill sets of their techies.

Granted, Defcom’s data comes from interviewing a whopping 20 individuals, but I reckon many of you could — and will, I hope — share your own horror stories. Also, before you whip out your slide rules, I know the math doesn’t add up, so please don’t remind me of my own mathematical shortcomings.

Although Defcom’s numbers may not be worth repeating, the sentiment is unmistakable: IT itself is the weakest security link. The solution is to improve the skills of IT staff, but that’s easier said than done, as I will discuss next week.