Everyone Offers “The Best” Security Advice

January 20, 2015 mitch tanenbaum

How many times have you seen computer experts telling you that they have the secret solution to making your computers secure? I don’t know how many I have seen, but it is a lot. There is, no doubt, some truth in each of these lists, but for everyone, the solution is a little different. The challenge is that most business people don’t have the time or expertise to figure it out for themselves. Unfortunately, rather than hiring an expert, they throw their hands up in defeat and don’t do anything – or pretty close to that.

Roger Grimes is an author of 8 computer security books, works for Microsoft as a computer security architect and is a frequent public speaker. Beyond that, I don’t know much about him, but after reading this column of his, it seems like he has some good points TO CONSIDER. My opinion, you MUST operate out of an information security strategy that everyone in the organization, including the Board if there is one, has signed on to. If you don’t do that and if you don’t have active support from the C-Level and Board, the results are not going to turn out well.

With that preamble, here is a synopsis of Roger’s advice. Read his column if you need more detail. Better yet, call me. Some of this is my take on what Roger said, so don’t blame him. At least not for all of it. 🙂

Using long passwords, hardening your computer systems and using anti-virus software is not sufficient. If it was, we wouldn’t be in the mess that we are in.
Be up to date on patching software. If you can’t get to it all, patch the most popular software first. Hackers are likely to go after Java and Flash before they go after PDFSplit. What you do patch, patch well (testing to see what it breaks, making sure that all systems have the patch, changes are documented, etc.)
Don’t get socially engineered. That means either online or in the physical world. I heard of a social engineering con that sent out disks that looked like Oracle patch disks. The hacker called the I.T. department pretending to be Oracle support and told them they were Fedexing a critical patch. Guess what – the organization deployed the patch (which didn’t break anything but did create a back door). When it comes to security, trust but verify. No, let me think about that. Don’t trust and do verify.
Two factor authentication is not a silver bullet but it helps. The Chase hack late last year was effective because they forgot to install two factor on one server and that became the hacker’s entry point. If they had installed two factor would it have kept the hackers out? We will never know, unfortunately.
Don’t use the same passwords across systems or websites. I know this is a king sized pain, but if you do reuse passwords, then when site X is comprised, Y and Z falls too. At a minimum, group passwords into a level of sensitivity (don’t use the same password for Facebook and your online banking. In fact, for a variety of reasons, your facebook password should be unique).
In a corporate environment, don’t have any permanent members in the HIGHEST security groups and then monitor the heck out of group additions. If you see any activity that you don’t expect then ALARM, ALARM, ALARM. Don’t make everything your highest group otherwise, you will drive yourself crazy.
Reduce the security events that you are monitoring to those that are actually important. Part of the reason that Target got hacked (but only part of it) was they were getting so many alerts that they became numb to them. If you get a thousand alerts a day, some people would say that is great, but smart people would say “how the hell do you figure out which ones are important?” Start with a few important alerts, get your process handled and then, if you still have resources available SLOWLY add more. Never add an alert until you have reviewed the cost (resources)/ benefit tradeoff.
Network traffic analysis. Do this. Both internally and externally. Once you have a baseline, then if you see abnormal traffic say to a database server or mail server, you should raise an alert. Likewise if you see a bunch of outbound traffic to a place that you don’t normally see (which, unfortunately, could be either China or Des Moines – the issue is not where, but rather, is this what we usually see), then investigate.
Whitelisting works better than anti-malware. While I agree with Roger on this one, it is a pain in the tush to make work at scale. What this means is that you only allow specific versions of specific software to run anywhere in the organization – servers, desktops, tablets, phones – employee owned or company owned. If you can pull this off – even if it is not perfect, it makes the bad guy’s job harder.
Focus on how, not what. That means you have to have a strategy (Again! Sorry.). You need to figure out what is important to YOUR organization and HOW a bad guy has in the past or likely will in the future, attempt to steal it. Are lost devices the killer for you? If so, then encrypt them and install kill switches on them (meaning either or both of you can remotely wipe the device or the device is smart enough that if it has not been able to phone home for x hours, then it wipes itself. There are lots of variants to this).

Roger says that his wisdom is the real deal and that the other guys are providing useless advice. IMHO, all advice, including Roger’s and mine, is useless if you don’t put some thought into it and see if it makes sense for your organization.

Start with the one or two MOST IMPACTFUL things to change. For each organization that is likely different. Get those done – AND DONE WELL – then focus on the next thing. Each time, look at the cost benefit trade-off. Is doing this going to have minimal security benefit yet make my employees want to slash my tires in the employee parking lot? If so, that is not the right thing to do. Sorry – last time for this post – YA GOTTA HAS A STRAGETY.

I wish there was a silver bullet – that would make everyone’s life easier. Unfortunately, at the moment, there isn’t one.

Mitch