Volume 4, Number 13 -- April 10, 2007

Complacency Will Get You Killed, Security Researcher Says

Published: April 10, 2007

by Alex Woodie

Think you've surrounded yourself with enough security to prevent getting hacked? Think again. Good security practices require you to assume you will be hacked, and place the onus on how you react after the fact, according to a new report written by Mike Rothman, an independent security expert, who cheerfully titled it "The 10 Darkest Truths About Information Security."

Rothman's paper, which was distributed by the security software firm McAfee, is a chilling reminder that, most of the time, your security provisions will not stand up to hackers, who are out there gunning for people like you and organizations like yours every day. The only reason you're not scared silly is because they haven't gotten to you yet. If you're lucky, they never will. But who wants to rely on luck? If you're not paranoid, you should be.

"The fact is, complacency will get you killed," Rothman writes. "New attacks are happening at a ferocious pace, users are willingly giving away their private information, and today's standard defenses are no longer enough to protect critical information. Those that cannot make a compelling case for continued investment in proactive defenses against these attacks have no chance against the bad guys."

Rothman's first truth--dare we say the most important truth?--is that you will be hacked. "The sad truth is that your network and applications can be compromised at any time," he writes. "It usually takes them less than 10 minutes, and there isn't much you can do to stop it. So the first step is to acknowledge there is no such thing as 100 percent security."

The second truth is accepting that you can't get everything done. Instead, you must prioritize and tackle the most important problems first, much like a battlefield medic performing triage. According to Rothman, users are the path of least resistance (the third truth), so that probably means you should explain to them the principles of Safe Internet Behavior, and maybe instill a little bit of healthy paranoia in them, too.

Applications--particularly Web applications--are the next weakest link. Do your best to keep them patched, and you'll minimize your exposure, Rothman advises. "If there is a positive spin here, it's that there aren't enough bad guys to go around either, so the hope is that you won't be targeted. But hope is not a strategy. Do a Web application scan and patch up the holes ASAP--before your number comes up," he writes.

Next, install an integrated suite of security software--just running antivirus software doesn't cut it anymore. "You want to add more sophisticated defenses, including anti-spyware, host intrusion prevention, application control, and data encryption to protect those devices," he says. "The good news is, many of these functions are increasingly being bundled into a single offering that can be managed centrally. That's a good thing."

If you've followed Rothman's advice up to this point, you're probably exhausted. The good news is, you don't have to do everything yourself. It's okay to outsource some functions, such as e-mail security or firewall monitoring.

Remember the first rule about getting hacked? Rule number seven is where that rubber meets the road. "Make sure you know exactly who is supposed to do what at the moment of truth," Rothman writes. "Ensure that senior management is on board with your plan and that you will be able to recover and remain operational."

Rules eight and nine deal with the Payment Card Industry (PCI) data security standard, and IT auditors. Rothman's advice: take them both seriously, and don't piss off your auditor.

Lastly, remember there's no glory in security. If your IT architecture is functioning in its usual state of semi-chaos, you're still in the game. "Security is a process, not a product. It's a culture, not a service," Rothman writes. "A lot of security professionals want to write a check and make the problem go away. Unfortunately, if it were that easy, everyone would be doing it."



Editor: Timothy Prickett Morgan
Contributing Editors: Dan Burger, Joe Hertvik, Kevin Vandever,
Shannon O'Donnell, Victor Rozek, Hesh Wiener, Alex Woodie
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
