[PLUG] Are "standard security procedures" an oxymoron?

Paul Heinlein heinlein at madboa.com
Tue Nov 20 13:57:47 PST 2012

On Tue, 20 Nov 2012, Keith Lofstrom wrote:

> A friend taught me that con men exploit smart people more easily 
> than dumb people, because there are fewer ways to be smart than 
> dumb, making smart people (and their blind spots) more predictable.
> I am helping a friend set up security procedures for a business in a 
> highly regulated industry, with acres of forms and checklists and 
> standards that are supposed to result in secure systems. Many look 
> like brainfarts from academics working from unproven hypotheses, who 
> haven't collected the histories of real exploits, much less fought 
> an exploit themselves.

There are essentially three security tasks, each one more difficult 
than the next:

  1. Secure your network exposure.

Most IT work tends to begin and end here, but it's actually about the 
easiest layer of security to get right. The mantras are well known: 
defense in depth, timely patching, penetration testing, configuration 
management, firewalls, intrusion detection, etc.

  2. Secure your physical exposure.

Physical protection of assets is typically more difficult, if for no 
other reason than it's expensive and the ROI will never be realized if 
things go well. It involves storage crypto, really good locks and 
alarms (or an isolated island headquaters), fire suppression, solid 
electrical and network connections, insurance, tested 
business-continuity and/or disaster-recovery plans, redundant 
hardware, etc.

  3. Secure your people.

This is easily the hardest security task, and the most likely avenue 
for crooks, vandals, and other ne'er-do-wells. All the network 
and physical security in the world won't keep employees from re-using 
passwords, divulging sensitive information via phishing attacks (or 
even on public mailing lists), using USB sticks of unknown origin, or 
visiting web sites with malicious files.

> Standarized security systems probably have standardized holes, 
> suitable for automated exploitation.

Good user training is the best response to attacks, automated or 
targeted. Users who can identify and report suspicious e-mail 
messages, service behavior, and even social interactions are the 
difference between a well-administered network and a secure network.

Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W

More information about the PLUG mailing list