"Effective" security - within reach?
Submitted by Mike Rothman on Fri, 2006-07-07 15:01.
This morning I stumbled upon Roger Grimes' column in InfoWorld and his recent post "Effective Security isn't easy, but it's possible." Link here. In this piece, he makes a number of contentions that make a lot of sense and highlights the point that securing your environment is achievable, but there is a cost - and I'm not talking about money.
The thing I didn't see in Roger's column that I think is pretty important is every company's threshold for security is going to be different. Some are willing to accept a bit more risk in order to either improve the user experience or perform an important business function. But the key here is for the end user to MAKE that decision, as opposed to having it thrust upon them.
Some of Roger's ideas will work for your environment, some not so much. But this is the kind of simple stuff (in concept anyway) that can really make a big difference in your security posture.
So let's go through Roger's list of "effective security solutions" (in his order of effectiveness):
- Do not allow end-users to run or install unauthorized software - Bingo. This is why application control software is so effective at stopping malware. If users can't do stupid things, everyone is better off.
- Don't put unnecessary software on the authorized list - This is where the rubber of #1 meets the road of the customers. He specifically mentions Flash, Real Player and iTunes. I'd posit that for many employees, RealPlayer is the only one that is "optional." With iTunes being a prevalent distribution mechanism for podcasts (where folks can get info directly related to their jobs), I'm not sure iTunes is the villain it once seemed. And anyone that surfs the web needs Flash. Do these add risk? Yes! But I'm not sure a strategy preventing these applications is defensible.
- Implement default deny - Amen to this. Otherwise called the positive security model, unless you say it's good, it's not - so you block it. This can be implemented on routers and firewalls and will dramatically increase your perimeter security posture.
- Don't allow end-users to be logged in as Administrator - This is easier said than done, and Roger admits that. But getting new applications isn't a very good answer for most folks. Vista will do a lot to help this problem for Windows users.
- Automate comprehensive patching - This is great advice. A lot of companies have rigorous change control that takes weeks to authorize a patch. That is weeks of exposure. I say patch first, clean up the small percentage of messes later.
- Convert all inbound email to plain text - Hmm. I'm torn about this one. If you have application control implemented, I'm not sure this does anything but piss people off that their email looks like crap.
- Enforce long passwords - I don't buy this one. So it takes a password cracker 3 hours instead of 3 minutes. And the reality is that hackers get passwords via social engineering anyway. If you are worried about it, two factor (like BioPassword) could be a good alternative.
- Encrypt all confidential data by default - I'm not sure what this means and how you do it. This only solves half the problem. What happens when that data is loaded to a laptop or sent in an email?
- Spend less money on new security software and more money on reviewing the basics - This is the best one of the bunch. A misconfigured firewall is about as good as not having one, so yes - in all of our desire to get that shiny new thing, we tend to forget about the simple stuff that can kill us.
- Hack and audit your own network regularly - Again, this is great advice. Public companies need to do this and private companies should as well. You never know how effective your defenses are until you try to break them.
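To make the positive security model in #3 (and the allowlist thinking behind #1) concrete, here is a small added illustration that is not from Roger's column or this post: the same constructed inbound connection attempts are evaluated once under a default-deny allowlist and once under a default-allow blocklist. The ports, rules and traffic are made up for the example; the point is that whatever nobody wrote a rule for gets through the blocklist and is stopped by the allowlist.

```python
"""Default deny (positive model) vs default allow (negative model).

Constructed illustration: the rules and sample traffic below are invented
for this example and do not describe any real firewall or network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    direction: str   # "in" or "out"


def default_deny(conn, allow_rules):
    """Positive model: a connection passes only if some rule explicitly allows it."""
    return any(rule(conn) for rule in allow_rules)


def default_allow(conn, deny_rules):
    """Negative model: a connection passes unless some rule explicitly blocks it."""
    return not any(rule(conn) for rule in deny_rules)


# Allowlist for the positive model: inbound mail and web, nothing else (assumed policy).
ALLOW_RULES = [
    lambda c: c.direction == "in" and c.proto == "tcp" and c.dport in (25, 80, 443),
]

# Blocklist for the negative model: only the ports the admin happened to think of.
DENY_RULES = [
    lambda c: c.direction == "in" and c.proto == "tcp" and c.dport in (23, 135, 139, 445),
]

SAMPLE_TRAFFIC = [                # constructed inbound attempts
    Conn("tcp", 443, "in"),       # web: both models allow it
    Conn("tcp", 445, "in"),       # on the blocklist: both models block it
    Conn("tcp", 3389, "in"),      # nobody listed it: only default deny blocks it
    Conn("udp", 1434, "in"),      # nobody listed it either: only default deny blocks it
]


def compare(traffic=SAMPLE_TRAFFIC):
    """Map each connection to (allowed under default deny, allowed under default allow)."""
    return {c: (default_deny(c, ALLOW_RULES), default_allow(c, DENY_RULES)) for c in traffic}


def leaks(traffic=SAMPLE_TRAFFIC):
    """Connections the blocklist lets through that the allowlist would have stopped."""
    return [c for c, (dd, da) in compare(traffic).items() if da and not dd]
```

Running `leaks()` on the sample traffic returns the two connections no rule mentioned, which is exactly the gap a blocklist cannot close.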

