Thursday, October 31, 2013

13 Warning signs that your infosec program is stuck in the wrong decade


  1. Over-focus on operational controls: Firewalls, anti-virus, passwords.  Under-focus on security architecture, systems analysis, and business needs.
  2. Risk analysis means doing a gap analysis against the list of best practices du jour.
  3. Incident response means everyone runs around with their hair on fire.
  4. A "post-mortem" means patch the hole and move on.   Root cause?  It was that hole. And we just fixed it!
  5. "We recognize that privacy is very important to our customers.  Our website uses Secure Sockets Layer so that information you provide to us is protected over the Internet."
  6. Security is all about the CIA triad, but when push comes to shove, it's availability that wins.
  7. Vulnerability scanning is done once every few months.  Against the Internet perimeter.  And you only look at the "highs".
  8. Access controls are binary: you can either see nothing or you can see everything.
  9. Security policies are inches thick, and nobody reads them.
  10. Authentication is entirely about really complicated passwords, rotated frequently.
  11. Paper shredders everywhere because physical security is important, dammit!  Laptops and drives rarely encrypted.
  12. The IT department manages the IT, and the security department adds the security afterwards.
  13. Application security means our software supports strong passwords.

Any additions?  Please post here or on your Myspace page!

Wednesday, October 30, 2013

Assuming the assumption


Fresh out of SIRACon 2013, I'm a-bubble with ideas and rants, ready to hit the security trail cracking.  But back in the real world, I get a taste of some of the same-old same-old problems that we security folks stumble over: bad assumptions.

It bears repeating that we should always question our assumptions, especially until they're formally validated in a meaningful way.  But many of us still take simple things at face value when we shouldn't, especially if we're told the information third-hand.  After all, people will tell the security director what they think she wants to hear.

For example, I recently ran into an organization that got a nasty outbreak of malware.  They had assumed that every workstation was decently patched and was running updated AV.  My rule of thumb is to expect 80% average coverage out of the gate in a well-run organization with no prior checking.  And of course, I'm inclined to use my handy-dandy scanning tools to bring that number up to at least 95%.

In the aftermath of the outbreak, it turned out my assumption was closer to the reality than theirs.  The unprotected machines were slammed pretty hard... and now they know better.

Not that this was an aberration.  I've seen this time and time again with firewall rules, encryption policies, user privileges, facility authorization lists, key inventories... anything that is complex, tedious to manage, and invisible without formal review.  Don't assume something that's been sitting for a long while is still the same.  Don't guess at how something was set up by a previous administration.  Don't believe what you're told.  Double check.  It's your responsibility to know better.  That's what you're paid to do.