June 22, 2005
(Computerworld)
This year I presented a series of talks on common security mistakes at conferences around the country. During these sessions, I learned from many of you what security mistakes persist in small and large organizations. Here are seven of the most significant ones.
1. Failure to realize that perimeter security is dead
Once upon a time, a firewall was an effective perimeter defense. But times have changed, and many companies have punched holes in their firewalls for vendor access, extranets, virtual private networks and a litany of "one-offs" that make our firewalls resemble Swiss cheese. Online threats have matured as well, arriving over ports that cannot easily be closed. VPNs, roaming laptops and wireless handheld devices also give threats new ways to bypass the firewall and enter corporate networks directly.
Firewalls are still essential for defense, but most newer threats don't attack the firewall at all; they go around it, over the permitted ports and connections just described, because that is the easier route.
The "virtual perimeter" consists of your corporate firewall, plus all of your business partners, vendors, remote users and wireless handheld devices. All of these represent entry points for communication -- and threats.
2. Failure to protect laptop computers
Many organizations are stuck in a time warp in which antivirus software alone was enough to protect a laptop computer.
Antispyware, of course, is essential. But other threats are unanswered, such as the loss of information when a laptop computer is lost or stolen. With hard drives from 40GB to 100GB available, a laptop can easily carry all of an organization's vital information, including customers, strategic plans, product designs and specifications. Yet most organizations don't bother to encrypt this information despite its strategic value.
Further, when a laptop connects via VPN, the corporate network is extended beyond its four walls to that laptop, yet most companies don't run a firewall on the laptop. A host firewall protects not only the laptop but also the entire corporate network it is tunneled into from well-known threats.
3. Failure to institute effective change management
Complex information systems and networks have many stewards: network engineers, system administrators, database administrators, developers and operations engineers. Many organizations still permit some or all of these employees to make changes to production systems without justification, peer review, approval or record keeping.
For example, system administrators and network engineers -- even in critical infrastructure organizations -- make little changes here and there and tell no one. Rogue changes lead to system errors, unexpected downtime and security breaches -- noticed or not.
Change management is the full life-cycle process used to manage every change made to a production (and perhaps, development and test) system. The steps consist of a plan, request, review, approval, performance, verification and recording. While change management takes time to perform correctly, it more than pays for itself through the avoidance of unscheduled downtime and crisis management later on.
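The life cycle above can be enforced rather than merely documented. The following is an added example, not from the article: a change record that refuses to skip a step, requires a justification at request time, and applies separation of duties so the requester cannot review or approve and the implementer cannot verify. The people, systems and changes in it are constructed.

```python
"""Change-management life cycle as an enforced workflow: a production change walks
plan -> request -> review -> approval -> performance -> verification -> recording,
in that order, with no step skipped, and the reviewer, approver and verifier must
differ from the person who requested or performed it.
Added example; the people and changes below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

STEPS = ("plan", "request", "review", "approval", "performance", "verification", "recording")


class ChangeError(Exception):
    """Raised when a change tries to skip a step or violate separation of duties."""


@dataclass
class Change:
    title: str
    system: str
    justification: str
    history: list = field(default_factory=list)   # (step, actor, UTC timestamp): the record

    def actor_for(self, step):
        return next((who for s, who, _ in self.history if s == step), None)

    def advance(self, step, actor):
        """Record that `actor` completed `step`; refuse anything out of order."""
        if len(self.history) == len(STEPS):
            raise ChangeError(f"{self.title}: already closed")
        expected = STEPS[len(self.history)]
        if step != expected:
            raise ChangeError(f"{self.title}: expected '{expected}' next, got '{step}'")
        if step == "request" and not self.justification.strip():
            raise ChangeError(f"{self.title}: a request needs a justification")
        if step in ("review", "approval") and actor == self.actor_for("request"):
            raise ChangeError(f"{self.title}: {actor} requested this change, so {step} needs someone else")
        if step == "verification" and actor == self.actor_for("performance"):
            raise ChangeError(f"{self.title}: {actor} performed this change, so verification needs someone else")
        self.history.append((step, actor, datetime.now(timezone.utc).isoformat()))
        return self

    def is_closed(self):
        return [s for s, _, _ in self.history] == list(STEPS)


def compliant_change():
    """The full life cycle with four people holding separate roles."""
    c = Change("Open TCP/1433 from app-01 to db-01", "fw-edge", "reporting app release 3.2")
    (c.advance("plan", "alice").advance("request", "alice")
      .advance("review", "bob").advance("approval", "carol")
      .advance("performance", "dave").advance("verification", "bob")
      .advance("recording", "alice"))
    return c


def rogue_change():
    """The 'little change here and there' pattern: straight to production, no record."""
    c = Change("Disable logging on db-01", "db-01", "")
    try:
        c.advance("performance", "dave")
    except ChangeError as e:
        return str(e)
    return "allowed"


def self_approved_change():
    """Requester tries to approve their own change after a friendly review."""
    c = Change("Add local admin on web-02", "web-02", "troubleshooting")
    c.advance("plan", "erin").advance("request", "erin").advance("review", "bob")
    try:
        c.advance("approval", "erin")
    except ChangeError as e:
        return str(e)
    return "allowed"


if __name__ == "__main__":
    for step, who, when in compliant_change().history:
        print(f"{when}  {step:<12} {who}")
    print(rogue_change())
    print(self_approved_change())
```

The `history` list is the record-keeping step made concrete: every closed change carries who did what and when, which is exactly what is missing when administrators "make little changes here and there and tell no one."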
4. Failure to realize the importance of security awareness
The keeper of the castle constructs more moats and other fortifications to protect his jewels while failing to appreciate the possibility that those who will steal from him are his trusted servants. Most organizations behave similarly today, relying on technology to protect their information, and rarely considering that most security issues are associated with insiders who have access to sensitive information.
Although security awareness alone won't deter a determined plunderer, awareness accomplishes three important objectives:
It contributes to users' overall awareness of proper information handling and helps to reduce mistakes that can lead to security issues.
It informs users of the organization's safeguards, providing a deterring effect on would-be saboteurs.
It helps to make users more aware of colleagues plotting to steal or damage information, as well as situations that may make such an act too easy to pull off.
Most users lack the "digital common sense" required to ensure that an organization's electronic assets will enjoy the same standard of care and protection given to physical assets. Security awareness programs impart this knowledge to users in the hopes that future incidents can be avoided.
5. Failure to implement a defense-in-depth strategy
Banks protect their cash through a structured set of defenses, in most cases through two or more preventive controls (locking the vault and locking exterior doors), detection controls (intrusion alarms and surveillance cameras) and procedural controls (requiring a minimum of two or three people to open the vault door). The designers purposely included multiple layers of protection so that if one layer failed, the thief would still have to break through both the exterior door and the vault door, and would have to defeat cameras and intrusion alarms as well. An insider would also have difficulty acting alone, since opening the vault requires two or three people with separate and unique keys or parts of a combination lock.
An organization's most sensitive digital assets require a similar standard of care, with multiple layers of authentication and access control, multiple intrusion-prevention and -detection components (for instance, both network- and host-based detection or prevention), and several persons having awareness and approval of changes.
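The vault's "two or three people each holding part of the combination" has a direct digital counterpart. The following is an added example, not from the article, that generalises split knowledge into a k-of-n threshold using Shamir secret sharing over a prime field: any k shares reconstruct the secret (a master key, a break-glass password), while fewer shares reveal nothing about it. The sample combination and the three holders are constructed; the `rand` parameter exists only so the scheme can be tested deterministically.

```python
"""Split knowledge in software: a k-of-n threshold scheme (Shamir secret sharing)
so that no single insider can open the 'vault' alone.
Added example, not from the article; the sample secret and holders are constructed."""
import secrets

PRIME = 2**127 - 1        # Mersenne prime; the secret must be an integer below it


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, holders, rand=secrets.randbelow):
    """Return `holders` shares (x, y); any `threshold` of them recover the secret.
    `rand` is injectable only so tests can be deterministic; keep the default in real use."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of range for the field")
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [rand(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. Fewer than `threshold` shares give a wrong
    value silently, so in practice bind the result to a check (e.g. a MAC or KDF)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def int_from_combo(combo: bytes):
    """Pack a short combination/key into a field element (15 bytes < 2**120 < PRIME)."""
    if len(combo) > 15:
        raise ValueError("combination too long for this field")
    return int.from_bytes(combo, "big")


def combo_from_int(n, length):
    return n.to_bytes(length, "big")


if __name__ == "__main__":
    combo = b"37-12-88-54"                          # constructed vault combination
    manager, assistant, auditor = split_secret(int_from_combo(combo), threshold=2, holders=3)
    reopened = combo_from_int(recover_secret([manager, auditor]), len(combo))
    print("manager + auditor reopen the vault:", reopened == combo)
    alone = combo_from_int(recover_secret([manager]) % 2**(8 * len(combo)), len(combo))
    print("manager alone gets the combination:", alone == combo)
```

The scheme only solves who can reconstruct the secret; it says nothing about whether the reconstructed value is correct, which is why the recovery step should feed into something that fails loudly (a MAC check, a key that fails to decrypt) rather than be trusted blindly.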
6. Failure to take the spam and spyware threat seriously
Spam has been an annoyance for years, but you'd be surprised at the number of organizations that are still doing little, if anything, about it. Few organizations have an appreciation for the risks that accompany spam: the infiltration of malware, the threat of phishing and pharming attacks, or employees' exposure to a barrage of lewd and licentious content. Spam is increasingly harmful and no longer just a drain of human and electronic resources.
Spyware has been, and continues to be, the new "silent killer" on personally and institutionally owned PCs. For years spyware has been flying below the radar of firewalls, antivirus software and intrusion-detection systems. Spyware got its start as "adware" that was used to track users' Internet usage, but spyware has become increasingly aggressive and hostile in its tactics, with the ability to alter a PC's behavior or record keystrokes and mouse clicks.
Antispyware software has had difficulty gaining traction in homes and businesses, and perhaps the only way that antispyware will be legitimized is through its incorporation into antivirus programs, a consolidation that we are seeing today.
7. Failure to implement a vulnerability management strategy
Patching systems by hand or with a tool set is the only step that many organizations take to protect their systems against mechanized threats. The use of patching tools is just a part of an end-to-end process that too few enterprises have adopted.
Other vital components include:
Notification of vulnerabilities and patches: Reliance upon a single source of information, or the failure to get information to the right people with a minimum noise level, will result in security advisories going unheard or unheeded.
Risk analysis: Depending upon a software or hardware vendor to assign criticality ratings to a security advisory ignores the most important item: your environment. Rather than relying on Microsoft Corp., Oracle Corp. or Cisco Systems Inc. to tell you how important the latest security flaw is, find out for yourself how important it is in your shop. Depending upon your architecture, applications or processes, Microsoft's "critical" flaw could be your low risk and vice versa.
Record keeping: The majority of organizations have an unclear idea of exactly what assets they have that need patching, and an even murkier indication on which systems need patching or have been patched in the past. This has led many to adopt a "spray and pray" method: Blast the patch everywhere and hope that it reaches enough systems.
Testing: When the mean time to exploitation shrank from months to days, testing patches to make sure they don't disrupt operations was frequently the step that was reduced or skipped altogether. Listen, patches sometimes break things that may result in unscheduled downtime.
Take any of these away, and you're going to be working too hard or failing to get some systems patched.
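What the process looks like when it is more than patch-blasting, as an added example that is not from the article: advisories are re-rated against the local environment rather than taken at the vendor's word, matched against an asset inventory that records what has already been applied, held back until the patch has passed testing, and compared with what a network scan actually saw so that unmanaged hosts surface. All hosts, products, versions and advisory ids (ADV-A and so on) are constructed, and the scoring adjustments are an illustrative choice, not a standard.

```python
"""Vulnerability management beyond 'spray and pray': re-rate advisories for this
environment, match them against an inventory, release only tested patches, and
flag hosts the inventory does not know about.
Added example; all hosts, products and advisory ids below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    host: str
    software: dict                 # product -> installed version string
    internet_facing: bool
    criticality: int               # 1 low .. 3 high, assigned by the business owner
    patched: set = field(default_factory=set)   # advisory ids already applied (the record)


@dataclass
class Advisory:
    id: str
    product: str
    fixed_version: str
    vendor_severity: str           # what the vendor says: critical/important/moderate/low
    remote: bool                   # exploitable over the network
    tested: bool = False           # patch has passed the test environment

VENDOR_SCORE = {"critical": 4, "important": 3, "moderate": 2, "low": 1}


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def is_affected(asset, adv):
    installed = asset.software.get(adv.product)
    if installed is None or adv.id in asset.patched:
        return False
    return version_tuple(installed) < version_tuple(adv.fixed_version)


def local_risk(asset, adv):
    """Risk analysis: vendor severity adjusted for exposure and business criticality,
    on a 1 (low) .. 5 (urgent) scale. A vendor 'critical' can land at 2 here."""
    score = VENDOR_SCORE[adv.vendor_severity]
    if adv.remote:                                 # network-exploitable flaws care about exposure
        score += 1 if asset.internet_facing else -1
    score += asset.criticality - 2                 # -1, 0 or +1 for business value
    return max(1, min(5, score))


def patch_plan(inventory, advisories):
    """Targeted work list of (host, advisory, risk, action), highest risk first."""
    plan = []
    for asset in inventory:
        for adv in advisories:
            if is_affected(asset, adv):
                action = "deploy" if adv.tested else "hold: patch untested"
                plan.append((asset.host, adv.id, local_risk(asset, adv), action))
    return sorted(plan, key=lambda p: (-p[2], p[0], p[1]))


def unmanaged_hosts(inventory, scanned_hosts):
    """Record keeping: hosts seen on the network that the inventory knows nothing about."""
    known = {a.host for a in inventory}
    return sorted(h for h in scanned_hosts if h not in known)


# Constructed inventory, advisories and scan result for illustration.
INVENTORY = [
    Asset("web-01", {"webserver": "2.4.0"}, internet_facing=True, criticality=3),
    Asset("web-02", {"webserver": "2.4.1"}, internet_facing=True, criticality=2),
    Asset("db-01", {"dbms": "10.0"}, internet_facing=False, criticality=3, patched={"ADV-C"}),
    Asset("kiosk-07", {"dbms": "10.0"}, internet_facing=False, criticality=1),
]
ADVISORIES = [
    Advisory("ADV-A", "webserver", "2.4.1", "critical", remote=True, tested=True),
    Advisory("ADV-B", "dbms", "10.2", "important", remote=False, tested=False),
    Advisory("ADV-C", "dbms", "10.1", "critical", remote=True, tested=True),
]
SCAN = ["web-01", "db-01", "printer-03"]


def demo():
    return patch_plan(INVENTORY, ADVISORIES), unmanaged_hosts(INVENTORY, SCAN)


if __name__ == "__main__":
    plan, unknown = demo()
    for host, adv, risk, action in plan:
        print(f"{host:<10} {adv:<6} risk={risk} {action}")
    print("seen on the network but not in inventory:", unknown)
```

Note how the vendor's "critical" ADV-C comes out at risk 2 on the isolated, low-value kiosk while the vendor's merely "important" ADV-B is a 4 on the high-value database, and that ADV-B stays on hold until it has been tested rather than going out untested because the clock is ticking.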
Other mistakes
There are others that I want to mention:
Failure to get executive support for your security program.
Whether it's policy, incident response, awareness or incorporating security into the development life cycle, it's a whole lot easier when executives are behind the program. Otherwise it's difficult to get other departments to buy in and help you meet your objectives.
Thinking that security is only a technology problem. This should be evident since I've already discussed change management, security awareness and the nontechnical components in patch management such as risk analysis and testing.
Failure to track key security metrics. If you don't measure important aspects of your environment (not just technology, but also business processes and people), it will be difficult to know whether your efforts are making a difference.
Failure to create and use a security incident response plan. Maybe it's been a little too quiet in your organization, or you've had incidents but you don't know it. Or, perhaps you have had an incident but haven't learned from it? I'm not even sure I feel sorry for you.
Have I missed any?
Where to begin
It may not be easy to know your starting point. I suggest you begin with foundation components such as security policy and awareness, and then look at strategic items such as security metrics, incident response, development life cycle, change management, vulnerability management and security architecture.
Another way to look at this might be to identify your organization's digital assets, and examine how they are protected and monitored today. You might also consider seeking the advice of a security consultant who focuses on high-level business issues and can offer a fresh and valuable point of view.