BreachExchange mailing list archives

The New KISS Rule: Keep Information Security Simple


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Sep 2013 22:34:35 -0600

http://www.darkreading.com/sophoslabs-insights/the-new-kiss-rule-keep-information-secur/240161794

Maxim Weinstein September 25, 2013

"Complexity is the worst enemy of security." Bruce Schneier said that in
relation to the challenge of securing increasingly complex IT environments,
but the same can be said of information security solutions themselves. As
security professionals, we love to be in control and to have every
available knob and dial at our disposal. Yet the more complex a security
system is, the less likely we are to take full advantage of available
features, to apply policies consistently, and to avoid configuration
mistakes.

Have you ever opted to delay or avoid deploying a security feature because
it just required too much time to configure properly? HIPS is a technology
that provides valuable protection against new strains of malware for
workstations and servers. Some HIPS implementations require just the check
of a box to toggle them on, while others require weeks or months of tuning
and testing. The latter provide more fine-grained control and perhaps even
better security… if you use them. Potential doesn't stop attacks; deployed
solutions do.

Complexity can also rear its ugly head when trying to consistently apply
security policies across systems. Data loss prevention (DLP) is all the
rage these days, but applying rules uniformly across workstations, servers,
mobile devices, email systems, and network gateways can be a nightmare.
Multiple systems, each with their own management consoles, policy
definitions, and terminology conspire against consistent results.
Integrated single vendor solutions, long the targets of security
professionals' disdain, may be worth reconsidering if they can ensure
consistency and require less of your team's attention.

Simplicity also helps to avoid configuration mistakes. Firewalls and IDS
systems are classic examples where rule sets and configuration options
quickly become so elaborate that errors are virtually inevitable. This
argues for both simplifying the rules where possible — fewer IDS rules that
can be more carefully tuned and monitored may be more effective than a more
comprehensive set — and for seeking out network security solutions with
simple, uncluttered interfaces that make it easy to keep track of
everything you need to manage.

Easy management, push-button configuration, and product integration have
not historically been the "holy trinity" of security. Demands for greater
control and vendor diversity have pushed simplicity to the background. But
with growing complexity contributing to mistakes, inconsistencies, and
protection capabilities sitting on a shelf, it may be time to rethink the
approach. Perhaps it's time to keep information security simple.
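The firewall paragraph above argues that elaborate rule sets breed errors that nobody notices. A concrete form of that error is the shadowed rule: in a first-match policy, a later rule whose entire match space is already covered by an earlier rule can never fire, and when the two rules have opposite actions the later one is silently not enforcing what its author intended. The script below is an added example, not code from the article or from any product it mentions; the ruleset it checks is constructed for illustration, and the rule format (protocol, source and destination CIDR, inclusive destination port range, first match wins) is an assumption chosen to keep the check readable.

```python
"""Find shadowed rules in a first-match firewall policy (added example).

A later rule is shadowed when every packet it could match is already matched
by a single earlier rule.  If the actions differ the shadow is a conflict
(the later rule's intent is never enforced); if they agree it is merely
redundant.  The ruleset at the bottom is constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dports: tuple         # (low, high) destination port range, inclusive


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    src_in, src_out = ipaddress.ip_network(inner.src), ipaddress.ip_network(outer.src)
    dst_in, dst_out = ipaddress.ip_network(inner.dst), ipaddress.ip_network(outer.dst)
    # subnet_of() raises on mixed IP versions; networks of different
    # versions cannot overlap, so treat that as "not covered".
    if src_in.version != src_out.version or dst_in.version != dst_out.version:
        return False
    if not src_in.subnet_of(src_out) or not dst_in.subnet_of(dst_out):
        return False
    return outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]


def find_shadowed(rules):
    """Return a list of findings for rules hidden by a single earlier rule.

    Caveat: a rule hidden only by the union of several earlier rules is not
    reported; exact detection of that case needs set subtraction over the
    whole match space rather than this pairwise check.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append({"rule": later.name,
                                 "shadowed_by": earlier.name,
                                 "kind": kind})
                break
    return findings


# Constructed ruleset: two of these five rules can never fire.
RULESET = [
    Rule("allow-web", "allow", "tcp", "0.0.0.0/0", "10.0.1.0/24", (80, 443)),
    # Intended to block HTTPS to one host, but allow-web already matches it.
    Rule("deny-admin-host", "deny", "tcp", "0.0.0.0/0", "10.0.1.10/32", (443, 443)),
    Rule("allow-dns", "allow", "udp", "10.0.0.0/8", "10.0.2.53/32", (53, 53)),
    # Harmless duplicate of allow-dns for a narrower source range.
    Rule("allow-dns-branch", "allow", "udp", "10.0.3.0/24", "10.0.2.53/32", (53, 53)),
    Rule("deny-all", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),
]


if __name__ == "__main__":
    for f in find_shadowed(RULESET):
        print(f"{f['kind']:9s} {f['rule']} is shadowed by {f['shadowed_by']}")
```

Running it on the constructed ruleset reports deny-admin-host as a conflict (the deny was meant to carve an exception out of allow-web but sits after it) and allow-dns-branch as redundant. The conflict case is the one worth alarming on: it is exactly the kind of mistake that accumulates unnoticed as a ruleset grows, and the fix is either reordering the rules or deleting the one that cannot fire.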
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Times Square, NYC 20-21 Nov

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
