Recycling the Same Security Advice

There is little innovation in the security industry and the same advice shows up ad nauseam. Take this article at Dark Reading, What Every CFO Should Know About Security Breaches, as a recent example.

TYSONS CORNER, VA. — CEOs and CIOs have gotten religion about cybersecurity, but what about those who hold the purse strings? Experts say they need a hard lesson, too.

Three clichés in a row and we haven’t even cleared the first paragraph. It is followed by the same kinds of advice directed, supposedly, at CFOs, who we all know show up in force at security conferences to be lectured to by “experts.”

Let’s look at some of the advice our panelists hand out. Quoting one of those Pokemon Ponemon Institute estimates with big scary numbers,

“What that says is that it pays to make the right [security] decisions from a financial perspective.”

Thank you, genius; there is almost no CFO on the planet who does not endeavor to do that. Next up, this joke,

“In some ways, security is IT’s revenge on the finance department — they say, ‘You don’t understand what we do, so we’ll spend your money however we like,’” joked Kevin Mandia, CEO of security forensics firm Mandiant.

Perfect, that should get a larger budget for next year.  Then this,

Michelle Schafer, vice president of the security practice at public relations firm Merritt Group, said companies should take the time to develop a breach response program — and rehearse various scenarios — before a compromise occurs.

Glad they brought you along, Michelle. No CFO has ever heard of an incident response team. One more precious nugget unearthed from the finest minds,

“It’s so easy to go off spending money on security without knowing what you’re doing,” Moodispaw said. “We’ve seen companies look at firewalls and say, ‘Hey, if one is good, then we should buy five or six.’ You need to counsel your organizations to think twice about buying the latest, hottest things and focus on what works.”

What works has been known for a long time too. If they are buying crap they don’t need to entertain the infosec team, fire the manager. The odd thing about this article is the total absence of any quotes from the “CFOs” who were the target of this panel. I suppose that is because if you interviewed them you would find an accounts payable analyst who went to get out of the office instead of a CFO. Years ago, out of curiosity, I sat in the audience of a panel discussion that was aimed at CEOs. Only two hands went up of the twenty or so people there when they asked who was a CEO. One left before the panel was over, talking on his (then) status-signaling Blackberry as he walked out of the room.

There appear to be only two kinds of security articles: the recycled advice like this one and, of course, the “they just don’t get it” story. We have reached the point where we should be writing better software so a casual user can click on any link or open any file without fear of surreptitious installation of malware. We haven’t, and we won’t, because time to market and return on investment will always predominate.

Central Control System Risk

Whenever we have a system whose function is to provide better risk management or security, that system itself will have a control element. These systems can be attacked and the service they provide disabled.

Take, for example, a network intrusion detection system: is the control console system protected? Is the back end database on its own server, or is it part of a shared environment? Are the updated signatures delivered over a private physical network, or at least a separate VLAN? Are the administrators themselves audited periodically?

What I have seen many times is that the worst security in a company is on the security group’s control systems. Not because the security group is lazy or incompetent, but because they simply do not have the resources to adequately safeguard their own systems. They are assigned additional duties without additional personnel, or the work was left out of the budget. It can happen to the best. There have been numerous luminaries in the information security field who have been hacked. Sometimes earning a living takes all your time and there is nothing left for securing your own systems.

If you cannot afford to add the correct number of internal personnel for your Identity Management Solution, Intrusion Detection System, Content Filtering Software, etc., you should contract someone who can, and then audit them regularly.

The Threat is Consistent

Those who wish you ill or would gladly steal from you care little about the global economic downturn. They are not sending out fewer exploits as attachments to spam, and they have not stopped looking for ways to transfer money from your bank account or use your office PCs as zombies. When money is tight you need to defend yourself intelligently. Your number one priority should be keeping your software patched. Your second priority should be scanning any externally facing web applications for common vulnerabilities. If you don’t have the skills, hire someone who does. Finally, take the time to educate your employees on safe computing practices. Again, if you lack the skill, bring in a professional trainer.