Wednesday, October 30, 2013

Assuming the assumption

Fresh out of SIRACon 2013, I'm a-bubble with ideas and rants, ready to hit the security trail cracking. But back in the real world, I get a taste of some of the same-old same-old problems that we security folks stumble over: bad assumptions.

It bears repeating that we should always question our assumptions, especially until they're formally validated in a meaningful way. But many of us still take simple things at face value when we shouldn't, and especially so if we're told the information third-hand. After all, people will tell the security director what they think she wants to hear.

For example, I recently ran into an organization that got a nasty outbreak of malware. They had assumed that every workstation was decently patched and was running updated AV. My rule of thumb is to expect 80% average coverage out of the gate in a well-run organization with no prior checking. And of course, I'm inclined to use my handy dandy scanning tools to bring that number up to at least 95%.

In the aftermath of the outbreak, it turned out my assumption was closer to the reality than theirs. The unprotected machines were slammed pretty hard... and now they know better.

Not that this was an aberration. I've seen this time and time again with firewall rules, encryption policies, user privileges, facility authorization lists, key inventories... anything that is complex, tedious to manage, and invisible without formal review. Don't assume something that's been sitting for a long while is still the same. Don't guess at how something was set up by a previous administration. Don't believe what you're told. Double check. It's your responsibility to know better. That's what you're paid to do.