4 Unreasonable Security Practices You're Probably Following

Email Print Digg This Add to del.icio.us

As the year closes out, it's time to look back at security and contemplate what it is we have been doing for so long. The idea of "reasonable" comes to mind in relation to securing the enterprise, and of course all the unreasonable ways we've approached it.

In this article, we will look at things differently than most commonly accepted practices, and it will be controversial. You may not agree with me (yet), but I hope that it inspires thought on how to move ahead as new security challenges are coming to light.

So what is unreasonable?

Antivirus

If you were a police officer and I handed you a bullet-proof vest and told you that it was effective 18 percent of the time or less, how much confidence would you have in the solution? This is exactly what we as security practitioners, law makers and auditors are selling to the enterprise. Personally, I think the term "coasting on inertia" is a perfect way to describe the antivirus industry as we know it today. Threat landscapes have changed so much that it's actually laughable to believe antivirus does anything more than stop stupid.

Yet regulatory compliance efforts and best practices all still tell us that antivirus is a critical part of a security program. Sure, in 1996 it may have been, but look at any of the latest techniques being used for fraud or data theft. How many use worms or traditional techniques?

Intrusion Detection Systems

How many vendors have come in to sell you on this reactive technology claiming it will give you razor-sharp insight into what's going on inside your environment? I can count at least 10, but the devil is in the details here. Personally, I've spent an inordinate amount of time and energy "tuning" the intrusion detection system (IDS) only to find that it never stays tuned. It's like a cheap guitar from Walmart. It never actually works right, and you are always messing with it trying to get it right. Your environment is constantly changing, and hence, you will never stop this tuning process. Out of the gate, you stand a 50/50 chance of filtering out events that may actually have value to you. Run the solution wide open and you will surely lose that same data in a sea of white noise. It's not reasonable to believe an IDS is going to add significant value to your security stance.

Security Information and Event Management Systems

These are my favorite because what they actually do is collect garbage from all the other point solutions and spit out garbage on the other end. The added bonus here is that they are very expensive and offer nearly no return to the enterprise. To be fair, I too, bought into the hype of these systems in the early part of the decade. Using it over the years taught me that these solutions are very complex, cost a lot of money, take a lot of human resources, and when it came down to it, they failed in performance when it really mattered.

Data Leakage Protection

This one is a relatively new player in the security scam market. The basic idea here is that this solution monitors your environment for information being passed out the door. Things like HIPAA, PCI and other types of data are carefully monitored ... at a traditional network choke point. Many of these data leakage protection (DLP) solutions are purely signature-based as well. This architecture is like placing a security guard at your front door with a stack of 20 pictures and you telling him not to let these people out but assume everyone else is ok. Oh, and of course, there is no guard at the back door or side entrances. It's unreasonable to believe you are going to effectively stop data from leaking at a single egress point. Look around you — chances are you will see people with mobiles and myriad technologies and routes out of the brick and mortar walls of your organization, which means they can steal data all day long and pass it out of the enterprise out of band, and there is no way you're going to know. DLP is marginally effective and hence, unreasonable.

While I'm on the topic of compliance, it truly is not reasonable. Just ask Walmart, which sits on the PCI board yet had a PCI incident. If a board member organization cannot meet compliance, how can they expect the rest of us to? We could write a book here about why regulations, such as PCI, are failing, but the point of the matter is we spent tons of money, time and assets chasing "compliance." Even if this stamp of approval is achieved, we have learned it does not prevent incidents from happening. Compliance efforts are broken, and thus they also make the list of unreasonable things we do.

'Reasonable' Security Actions

But all hope isn't lost, there are things that are reasonable. The very first thing I am going to list is understanding risk tolerance of senior management. If you can successfully understand how much risk management is willing to undertake, you can effectively design a security program that works for your enterprise but also has the support of those who will be responsible when something does go wrong. The last thing you want is a risk averse management team throwing you under a bus when something happens that they cannot tolerate. This goes hand in hand with risk sign off. If you understand how much risk management will tolerate, you stand a much better chance of having them accept it and thus sign off on it.

Outsourcing risk is now becoming reasonable. Cloud computing solutions offer new ways to save money and change quickly, and thus they allow us to outsource risk. It's important to understand, however, that you cannot shift risk here. The risk is still all yours.

Assessing your data is reasonable. In the spin of everything, we've lost sight of what it is we're really supposed to be doing — protecting the data. Who cares if there is a new worm or if Cindy in accounting wants to use Google apps to get her work done. The fact is that computing environments are going to continue to evolve and change. Go with it as long as you know where your data lives and how to protect it.

The final thing I want to note as reasonable is working with or actually becoming an attorney. Security is no longer about watching packets wiz by on a wire. There are laws, regulations and serious fines associated with mismanaging enterprise security. Criminal charges are now on the table as well. Be sure you align with legal before you find yourself on the bad end of a bad law.

I'd like to recognize two people with whom I worked as references for this piece. Keith Young, Security Official at Montgomery County MD and Robert "Grizzly" Surenko, Security Architect at Montgomery County MD. Our early morning coffee discussions have yielded what you have read above.

Email Print Digg This Add to del.icio.us