[PLUG] Are "standard security procedures" an oxymoron?
Paul Heinlein
heinlein at madboa.com
Tue Nov 20 21:57:47 UTC 2012
On Tue, 20 Nov 2012, Keith Lofstrom wrote:
> A friend taught me that con men exploit smart people more easily
> than dumb people, because there are fewer ways to be smart than
> dumb, making smart people (and their blind spots) more predictable.
>
> I am helping a friend set up security procedures for a business in a
> highly regulated industry, with acres of forms and checklists and
> standards that are supposed to result in secure systems. Many look
> like brainfarts from academics working from unproven hypotheses, who
> haven't collected the histories of real exploits, much less fought
> an exploit themselves.
There are essentially three security tasks, each one more difficult
than the last:
1. Secure your network exposure.
Most IT work tends to begin and end here, but it's actually about the
easiest layer of security to get right. The mantras are well known:
defense in depth, timely patching, penetration testing, configuration
management, firewalls, intrusion detection, etc.
2. Secure your physical exposure.
Physical protection of assets is typically more difficult, if for no
other reason than it's expensive and the ROI will never be realized if
things go well. It involves storage crypto, really good locks and
alarms (or an isolated island headquarters), fire suppression, solid
electrical and network connections, insurance, tested
business-continuity and/or disaster-recovery plans, redundant
hardware, etc.
3. Secure your people.
This is easily the hardest security task, and the most likely avenue
for crooks, vandals, and other ne'er-do-wells. All the network
and physical security in the world won't keep employees from re-using
passwords, divulging sensitive information via phishing attacks (or
even on public mailing lists), using USB sticks of unknown origin, or
visiting web sites with malicious files.
> Standardized security systems probably have standardized holes,
> suitable for automated exploitation.
Good user training is the best response to attacks, automated or
targeted. Users who can identify and report suspicious e-mail
messages, service behavior, and even social interactions are the
difference between a well-administered network and a secure network.
--
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W