Complacency Will Get You Killed, Security Researcher Says
April 9, 2007 Alex Woodie
Think you’ve surrounded yourself with enough security to prevent getting hacked? Think again. Good security practices require you to assume you will be hacked, and place the onus on how you react after the fact, according to a new report written by Mike Rothman, an independent security expert, who cheerfully titled it “The 10 Darkest Truths About Information Security.”
Rothman’s paper, which was distributed by the security software firm McAfee, is a chilling reminder that, most of the time, your security provisions will not stand up to hackers, who are out there gunning for people like you and organizations like yours every day. The only reason you’re not scared silly is because they haven’t gotten to you yet. If you’re lucky, they never will. But who wants to rely on luck? If you’re not paranoid, you should be.
“The fact is, complacency will get you killed,” Rothman writes. “New attacks are happening at a ferocious pace, users are willingly giving away their private information, and today’s standard defenses are no longer enough to protect critical information. Those that cannot make a compelling case for continued investment in proactive defenses against these attacks have no chance against the bad guys.”
Rothman’s first truth–dare we say the most important truth?–is that you will be hacked. “The sad truth is that your network and applications can be compromised at any time,” he writes. “It usually takes them less than 10 minutes, and there isn’t much you can do to stop it. So the first step is to acknowledge there is no such thing as 100 percent security.”
The second truth is accepting that you can’t get everything done. Instead, you must prioritize and tackle the most important problems first, much like a battlefield medic performing triage. According to Rothman, users are the path of least resistance (the third truth), so that probably means you should explain to them the principles of Safe Internet Behavior, and maybe instill a little bit of healthy paranoia in them, too.
Applications–particularly Web applications–are the next weakest link. Do your best to keep them patched, and you’ll minimize your exposure, Rothman advises. “If there is a positive spin here, it’s that there aren’t enough bad guys to go around either, so the hope is that you won’t be targeted. But hope is not a strategy. Do a Web application scan and patch up the holes ASAP–before your number comes up,” he writes.
Next, install an integrated suite of security software–just running antivirus software doesn’t cut it anymore. “You want to add more sophisticated defenses, including anti-spyware, host intrusion prevention, application control, and data encryption to protect those devices,” he says. “The good news is, many of these functions are increasingly being bundled into a single offering that can be managed centrally. That’s a good thing.”
If you’ve followed Rothman’s advice up to this point, you’re probably exhausted. The good news is, you don’t have to do everything yourself. It’s okay to outsource some functions, such as e-mail security or firewall monitoring.
Remember the first rule about getting hacked? Rule number seven is where that rubber meets the road. “Make sure you know exactly who is supposed to do what at the moment of truth,” Rothman writes. “Ensure that senior management is on board with your plan and that you will be able to recover and remain operational.”
Rules eight and nine deal with the Payment Card Industry (PCI) data security standard and IT auditors. Rothman’s advice: take them both seriously, and don’t piss off your auditor.
Lastly, remember there’s no glory in security. If your IT architecture is functioning in its usual state of semi-chaos, you’re still in the game. “Security is a process, not a product. It’s a culture, not a service,” Rothman writes. “A lot of security professionals want to write a check and make the problem go away. Unfortunately, if it were that easy, everyone would be doing it.”