BreachExchange mailing list archives

Who is practicing security best practice?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 Nov 2013 01:06:53 -0700

http://blogs.csoonline.com/security-industry/2838/who-practicing-security-best-practice

There is a term in the Information Security field that tries my patience in
no uncertain terms. That term is, "best practice". People love to bandy
this about in discussions about their security program, widget or what have
you. But, who is actually practicing?

Typically what is meant by this catch-all phrase is that an organization is
taking the time to work on things such as making sure that their systems
are patched, data is encrypted, ssh keys are rotated and that there is a
breach response policy in place.

It is all well and good to say this. However, often it turns out that this
is little more than lip service for far too many organizations. The vast
majority of large companies have a security team that is overstretched,
underfunded and pushed so far down the organizational stack that they have
difficulty having any appreciable effect on the security posture of the
enterprise.

To illustrate, today I got to read that the US government is lacking on
"security best practices" and I know what the author meant, but I found
myself bellowing at the screen "what does that even mean?"

From Reuters:

"The U.S. government itself seldom follows the best cybersecurity practices
and must drop its old operating systems and unsecured browsers as it tries
to push the private sector to tighten its practices, technology advisers
told President Barack Obama.
"The federal government rarely follows accepted best practices," the
President's Council of Advisors on Science and Technology said in a report
released on Friday. "It needs to lead by example and accelerate its efforts
to make routine cyberattacks more difficult by implementing best practices
for its own systems."

So, rather than use the term "best practice" I think that it would be more
appropriate to say that they are doing the "bare minimum" for security.
This habit that we have as security practitioners to rely on terms that
lack clear definition does not do us any justice collectively. We need to
become better at addressing the security issues of the day. There needs to
be a greater emphasis from ourselves to execute on defined repeatable
processes.

Case in point, the Edward Snowden leaks. We've all heard the information
that has been slowly making its way into the daylight. What has not had
nearly as much focus has been the failures on the part of the NSA to secure
their information.

Example from another Reuters article:

"Officials said that while investigators now believe they know the range of
documents that Snowden accessed, they remain unsure which documents he
downloaded for leaking to the media."

They remain, unsure.

This is a telling line in the article. It demonstrates that, as an example,
the NSA was not "practicing" the best security. They weren't even able to
articulate what documents had been purloined.

Troubling.

I would hope that we could move away from junk terminology like "best
practice" and start working on defined repeatable processes that can help
address issues like, oh, I don't know...logging?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Times Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
