2009-01-15

Bad Security is like Bad Coffee

A few days after getting hired for my current position, I poured a cup of the office-brewed coffee that looked like tea. "Who would brew such weak coffee!?" I pondered. I checked the basket and filter to see how much coffee had been used. The basket was empty. This tea-like substance was the result of hot water washing crusted, ages-old coffee residue from the basket into the carafe. I gagged upon seeing this, and have never tried the coffee at work again.

Usually, I take my favorite coffee beans, grind them as coarse as my conical burr grinder will go (which is just right for my French press) and I take them to work and run them through the press at my desk. I ran out yesterday morning, so I will not be drinking coffee in the office today. This is a bad thing, but it's really just an analogy for bad security.

There are some things in life where mediocrity is better than nothing at all. For me, coffee isn't one of them. Security shouldn't be, either.

Slipshod security isn't security at all -- see Kees' Security Badness Hierarchy and the SANS Top 25 Programming Errors for examples. In fact, it's worse than no security, because it lulls you into believing you're secure when you're not.



Herein lies the trifecta of threats. All three of them, code and products, configuration, and users, must be worked on. Well-educated users and best-of-breed security products won't do much for your security posture if your IDS is running a default policy that either floods your security staff with alerts or misses obvious attacks. A well-configured enterprise security solution won't keep you secure if your users fall victim to phishing and social engineering. Careful, educated users and a spotless infrastructure configuration won't help if your web developers write code that's vulnerable to SQL injection.
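The SQL injection case is where "worse than nothing" bites hardest, so here is an added example (mine, not the post's, and not code from any product the post mentions) of a login check that a developer has "fixed" by doubling single quotes and then trimming the value to the column width, shown next to the parameterized version. It runs against an in-memory SQLite table holding two constructed users; the 16-character column limit, the table layout and the user records are assumptions made for the illustration. The escape-then-truncate pattern is a real, well-known way to undo quote escaping: the textbook `' OR 1=1 --` payload is caught, which is exactly what breeds the false confidence the post warns about, while a payload that is one character too long after escaping walks straight in.

```python
import sqlite3

# Assumed column width that the "hardened" code enforces AFTER escaping.
# A made-up value for this example, not anything from the post.
MAX_LEN = 16


def make_db():
    """Constructed sample data: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", 1), ("bob", "hunter2", 0)],
    )
    return conn


def escape_then_truncate(value):
    """The slipshod 'fix': double single quotes, then trim to the column width.

    Truncating after escaping can cut a doubled quote in half and leave a
    lone quote at the end of the value, which terminates the SQL literal early.
    """
    return value.replace("'", "''")[:MAX_LEN]


def login_naive(conn, username, password):
    """Builds the query by string concatenation and trusts escape_then_truncate."""
    u = escape_then_truncate(username)
    p = escape_then_truncate(password)
    sql = f"SELECT name FROM users WHERE name = '{u}' AND password = '{p}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Bound parameters: input never becomes part of the SQL text at all."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Textbook payload: quote doubling catches it, so the naive code "looks" secure.
TEXTBOOK_PAYLOAD = "' OR 1=1 --"

# Truncation payload: 15 filler characters plus one quote. Escaping makes it 17
# characters; truncating to 16 strips half of the doubled quote, so the username
# literal swallows " AND password = " and the password field becomes live SQL.
TRUNCATION_USER = "a" * 15 + "'"
TRUNCATION_PASS = " OR 1=1 --"


def demo():
    """Returns who each login attempt authenticates as (None = rejected)."""
    conn = make_db()
    return {
        "naive_textbook": login_naive(conn, TEXTBOOK_PAYLOAD, "x"),
        "naive_truncation": login_naive(conn, TRUNCATION_USER, TRUNCATION_PASS),
        "param_truncation": login_parameterized(conn, TRUNCATION_USER, TRUNCATION_PASS),
        "param_legit": login_parameterized(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case:18s} -> {who}")
```

The naive version rejects the textbook payload and accepts the truncation payload as the first user in the table (the admin, in this constructed data); the parameterized version rejects the attack and still logs in a legitimate user. That is the point of the analogy in code: a half-measure that passes the obvious test is what convinces a team they are done.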

Now, if you'll excuse me, I think I'm going to try to find some Mountain Dew.

4 comments:

  1. Agreed. In fact, this false sense of security makes some organizations resist implementing better security measures since the general belief is they are already secure enough.

  2. You paint a pretty good picture of things going on to make a bad situation worse.

    Even if everything was perfect in these areas, one still would not be secure, as the entire security model is dysfunctional. The industry is no more than a conglomeration of bolt-on point solutions, none of which address the inherent design flaw in operating systems, the lack of internal controls.

    The end result is that there is no authorization component to security post-authentication, and no amount of education/training can prevent carelessness, laziness, ignorance, stupidity and vengeful behavior.

    Regardless, I liked your post.

  3. I agree, there's no such thing as perfect security. The fact that a "security industry" exists means that the money it brings in often trumps its effectiveness. When a product, methodology, or trend becomes popular and competitive enough to earn its shareholders lots of money, its progress is often hamstrung, staying just "good enough" to be competitive. At that point, it's very little about the security, and very much about the Benjamins.

    Not to wax Schneier-Philosophical here, but that's just another variant of the security trade-off game.

  4. Amen to that. Security isn't the expensive black box on your desk or in your data center. It's the continual conversation with each other on security and the continuous improvement cycle of addressing strengths, weaknesses, opportunities and threats in the organization, not just the network.