BreachExchange mailing list archives
Everything I know about computer security I learned in kindergarten
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Mar 2014 17:56:27 -0700
http://www.infoworld.com/d/security/everything-i-know-about-computer-security-i-learned-in-kindergarten-237588

After more than 25 years as a computer security consultant, I've learned that the "secret" to good computer security is to do the simple things that we all know we should be doing better. The more I'm considered an "expert," the more I realize that almost any child could tell the world how to protect computers. With apologies to Robert Fulghum, author of the perennially best-selling book "All I Really Need to Know I Learned in Kindergarten," here's my attempt to share the simple truths of good computer security.

We are more alike than different

Every company I visit thinks it's terrible at computer security, and truth be told, that's usually correct. They also believe other companies are doing security a lot better than they are, and they want to learn the secrets of their success. Based on my experience consulting with the world's leading companies, this inquiry pops up most frequently: "How is company X doing computer security?"

The reality is, with few exceptions, every company I've visited does a bad job at computer security. Every company does a few things very well, a few things OK, and most things horribly. They don't patch well, they don't do event monitoring right, and they spend the majority of their time concentrating on projects that will not reduce risk by much. They also share the same outcome: They can be exploited at will by any motivated hacker.

If there is any comfort in the computer industry, perhaps it's that everyone is as bad as your company at stopping malware and malicious intruders. Everyone is dealing with successful malware exploits, APT attacks, stolen intellectual property, and network cleanups. They're all desperately trying to figure out how to decrease the badness. No one, not even me, has it all figured out. No "experts" can legitimately guarantee you that if you do X, Y, and Z, the badness will be gone.

Talk to your friends

If there is a hidden jewel in this ugly situation, it's that a lot of people and companies are going through the exact same ordeal. They're trying all sorts of strategies and tactics, with varying levels of success. They also want to learn what you're doing and share their own successes and failures.

Many companies have reached out to other companies in their industry, formed informal coalitions, and shared their experiences. They share goals, projects, and vendor stories, and they establish formal networks. If they need help, they can quickly reach out to each other. If you or your company doesn't belong to a similar group, consider joining one or forming your own.

If it hurts, stop doing it

Little kids usually touch a hot stove only once. The single biggest problem in computer security is that most companies aren't very good at figuring out how they are hurting. It's as if they're constantly touching a hot oven and wondering why they keep getting burned.

For example, most companies are very bad at patching, though better patching is the single step they could take to decrease risk most. The majority of companies know patching is a challenging problem, but don't understand, percentage-wise, how often unpatched software is responsible for exploits entering their environment. They don't fix it well enough -- then wonder why they keep getting burned.

Break the cycle. Investigate and find out your company's top three problems. Then form task forces and work to remediate the major issues. Everything else should take a backseat. Stop touching the stove.

Routines are good

Going to sleep at the same time every night contributes to a better night's rest and a more productive day. Routines are good for security, too; hackers love targets that lack them. They are irresistibly attracted to companies that are inconsistent in their application of computer security defenses. In most companies, even computers performing the same role are configured and protected differently. They drift away from a common standard over time for a variety of reasons.

Want to sleep better at night? Enforce consistency. Make sure computers performing the same roles have (as much as possible) the same configurations, same patches, and same computer security defenses. Every company where I perform security audits ends up with dozens and dozens of findings and recommendations. I know the companies that enjoy more consistency will have a better chance of implementing my recommendations. The inconsistent ones have to become consistent before they can implement fixes effectively.

Good communication is the key to healthy relationships

Part of why companies do such a bad job at computer security is the lack of good communication. For example, if someone actually knows the most common way a company is exploited, do they share it with the crew? It seems silly, but I'm constantly amazed at how often almost nobody in the company understands the top problems or the extent of the damage.

I often interview computer security staff, executives, and regular employees, asking: "What is the No. 1 way hackers break into your company?" Rarely do I hear the right answer. When I do, I wonder why this one person knows it and no one else does. If so few know the right problems, how can the company make a concerted effort to solve them?

Identify the top problems in your company and share them with everyone. Don't assume everyone knows what you do and is working on solving the biggest problems first. Usually, they don't and they aren't.

Apologize if you hurt others

If your company is responsible for protecting other people's important digital information, and that information is compromised, apologize right away, even if you're not legally required to do so. Don't delay the notification or, worse, try to keep the intrusion under wraps. Secrets never remain secret, and waiting too long can only cause more anger (and potential lawsuits). Being quick to apologize, staying honest, and promising to try your best never to do it again goes a long way toward regaining lost trust.

There are lots of other recommendations I can make using the kindergarten analogy. But I want to hear the creative ones you can come up with. Anyone want to raise their hand?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)