2009-01-15

Bad Security is like Bad Coffee

A few days after getting hired for my current position, I poured a cup of the office-brewed coffee that looked like tea. "Who would brew such weak coffee!?" I pondered. I checked the basket and filter to see how much coffee had been used. The basket was empty. This tea-like substance was the result of hot water washing crusted, ages-old coffee residue from the basket into the carafe. I gagged upon seeing this, and have never tried the coffee at work again.


Usually, I take my favorite coffee beans, grind them as coarse as my conical burr grinder will go (which is just right for my French press) and I take them to work and run them through the press at my desk. I ran out yesterday morning, so I will not be drinking coffee in the office today. This is a bad thing, but it's really just an analogy for bad security.

There are some things in life where mediocrity is better than nothing at all. For me, coffee isn't one of them. Security shouldn't be, either.

Slipshod security isn't security at all -- see Kees' Security Badness Hierarchy and SANS Top 25 Programming Errors for examples.  In fact, it's worse than no security simply because you're lulled into believing you're secure when you're not.

Herein lies the trifecta of threats. All three of code/products, configuration and users must be worked on. Well-educated users and the best-of-breed security products won't do much to increase your security stance if your IDS is using a default policy and is constantly overloading your security staff with alerts or missing obvious attacks. A well-configured enterprise security solution won't be secure if the users fall victim to phishing and social engineering. Careful and educated users and a spotless configuration on your infrastructure won't help if your web developers write code that's vulnerable to SQL Injection.
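To make the code leg of that trifecta concrete, here is an added example (my own illustration, not code from the original post) of the SQL Injection mistake mentioned above beside its fix. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the function names and the sample rows are assumptions for the demonstration. The vulnerable version pastes the caller's input into the query text, so a value that carries quote characters changes the query's logic; the safe version binds the value as a parameter, so the database always treats it as data.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory table of users and roles.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # Bad: string formatting puts caller-controlled text straight into the SQL.
    # A name containing a quote character rewrites the WHERE clause.
    sql = "SELECT id, name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Good: the value travels to the driver separately from the query text,
    # so it can only ever match a name, never alter the query.
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    # Returns row counts for a normal lookup and for a constructed input
    # that, if interpolated, turns the WHERE clause into "always true".
    conn = make_db()
    normal = "bob"
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(find_user_vulnerable(conn, normal)),
        "vulnerable_hostile": len(find_user_vulnerable(conn, hostile)),
        "safe_normal": len(find_user_safe(conn, normal)),
        "safe_hostile": len(find_user_safe(conn, hostile)),
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print(f"{key}: {count} row(s)")
```

Run it and the vulnerable lookup returns every row for the hostile input while the parameterized lookup returns none; the only difference between the two functions is whether the query text and the data are kept apart. This is the same lesson as the coffee: the mediocre version looks like it works right up until someone checks the basket.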

Now, if you'll excuse me, I think I'm going to try to find some Mountain Dew.
