Comments on: Intentional Security Blindness http://www.bloginfosec.com/2008/04/29/intentional-security-blindness/ An Information Security Magazine in a Blog Format Mon, 30 Jan 2012 11:01:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Anish http://www.bloginfosec.com/2008/04/29/intentional-security-blindness/comment-page-1/#comment-4536 Anish Wed, 30 Apr 2008 09:43:23 +0000 http://www.bloginfosec.com/2008/04/29/intentional-security-blindness/#comment-4536 I agree with you on the point that "Higher Ups" do put security at stake, I have seen that in small companies where they have ACL's , audits happening every 3 months, they follow the principal of least privilege but when these things are happening by default every net work share needs to have a user who is the CEO of the company and the single point of failure happens when he looses his Password / Laptop. No matter what the Network Share is or what server it is, it can be Payroll, it can be HR, it can be IT stuff the CEO has to be added... And yes u cannot blame him if he changed some figures in your Excel Sheet and he wont even bother to drop u an email regarding the modification. Why do the Higher Ups do it ? Sometimes just for the sake of showing Power and sometimes to prove their stupidity. Anish I agree with you on the point that “Higher Ups” do put security at stake, I have seen that in small companies where they have ACL’s , audits happening every 3 months, they follow the principal of least privilege but when these things are happening by default every net work share needs to have a user who is the CEO of the company and the single point of failure happens when he looses his Password / Laptop.

No matter what the Network Share is or what server it is, it can be Payroll, it can be HR, it can be IT stuff the CEO has to be added…

And yes u cannot blame him if he changed some figures in your Excel Sheet and he wont even bother to drop u an email regarding the modification.

Why do the Higher Ups do it ? Sometimes just for the sake of showing Power and sometimes to prove their stupidity.

Anish

]]> By: Scott Wright http://www.bloginfosec.com/2008/04/29/intentional-security-blindness/comment-page-1/#comment-4470 Scott Wright Tue, 29 Apr 2008 11:32:36 +0000 http://www.bloginfosec.com/2008/04/29/intentional-security-blindness/#comment-4470 This same group is also susceptible to what I call the "immunity by importance" paradox. Many executives feel hindered by the rules that are supposed to apply to their staff, and feel that because their work is "different" or "special", they should be immune. However, nothing could be further from the truth, as evidenced by the growing phenomenon of "Whaling" - phishing attacks targeted at the "big fish" in an organization who often use their status as an excuse to bypass security - making C-Level management very attractive targets for attacks from outside (or even inside). This same group is also susceptible to what I call the “immunity by importance” paradox. Many executives feel hindered by the rules that are supposed to apply to their staff, and feel that because their work is “different” or “special”, they should be immune.

However, nothing could be further from the truth, as evidenced by the growing phenomenon of “Whaling” – phishing attacks targeted at the “big fish” in an organization who often use their status as an excuse to bypass security – making C-Level management very attractive targets for attacks from outside (or even inside).

]]>