How Much Security is Enough?

How secure is your company?  Are you spending too much or not enough on security?  How would you know? We don’t have 1,000 years of statistical data to build orderly models with nice normal distributions (assuming a normal distribution is even the right model for security losses, which it most likely is not).

Much of what is spent is to fix an irritation or meet a regulation.  I know a company that first introduced anti-virus into the enterprise because the CEO was angry at all the emails that filled his inbox due to an email virus. In this case it was purely reactive.  When I was a senior security analyst inside a large multinational, we were able to go three straight years without a worm or email virus getting into our network.  This was at a time when Microsoft vulnerabilities were a constant cascade and Microsoft responded to everything released on bugtraq as if it were a malicious lie.  We managed this on a relatively small budget and with a user base that had admin access over their local machines.  It is possible to have tight security without spending a fortune.  Despite this, I knew we were not spending enough on security because we had little to no defense against the insider threat.  The best defense against the insider threat is an ethical corporate culture and good hiring practices, an area often overlooked.  Of the triad in security, prevention, detection and clean up, prevention is frequently the most expensive when it is done with technology.  Prevention is a lot cheaper if you don’t hire losers in the first place and you don’t build up resentment by stealing from your employees with understaffed teams, overworked associates and no bonuses except for the C suite.

At this point, lacking a wealth of statistical data, most companies can’t say whether they are spending too little or too much unless they ask an outside expert.  If they ask the question inside the company, they will most likely get an answer weighted toward self-preservation, if they are asking at all.

Password Sync or SSO?

I’m wondering why organizations are still doing password sync over disparate systems rather than Single Sign On (SSO)?

It seems to me that you’re looking at equal amounts of effort in either case: distributing passwords via sync or setting up an SSO solution.  SSO provides a much better degree of security, since even if a password gets hacked, you’re not getting the keys to the kingdom.

What makes this even more worrisome is that, given the way password sync works, some systems are easier to hack than others, so an attacker simply works on the repository with the weakest password policy.  Invariably this is a mainframe or legacy app that won’t accept mixed case, special or numeric characters. Even a long password’s benefits are rendered moot in these circumstances, because the synced password has to be acceptable to every system, so the weakest policy sets the effective strength for all of them.
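To make the "weakest policy wins" effect concrete, here is an added example (not code from the original post) that models each repository's password constraints and computes the effective policy a synced password must satisfy, along with the maximum entropy that policy permits. The policy values below (a directory service accepting up to 16 characters from all character classes, and a case-insensitive, letters-only legacy system capped at 8 characters) are constructed for illustration; the 32-character special set is an assumed size. Under SSO only the identity provider's policy matters, so the contrast is the directory-only figure versus the synced figure.

```python
import math
from dataclasses import dataclass

# Character classes a repository may accept, with assumed class sizes.
CLASS_SIZES = {"lowercase": 26, "uppercase": 26, "digits": 10, "special": 32}


@dataclass(frozen=True)
class PasswordPolicy:
    """Constraints one repository places on passwords it will accept.

    max_length:     longest password the system stores (some legacy systems
                    silently truncate beyond this).
    classes:        character classes the system accepts.
    case_sensitive: False means upper and lower case letters collapse into
                    one class of 26 when the password is checked.
    """
    name: str
    max_length: int
    classes: frozenset
    case_sensitive: bool


def effective_policy(policies):
    """Policy a single synced password must satisfy to be accepted everywhere.

    The usable character set is the intersection of every repository's set,
    the length is the shortest maximum, and the password is effectively
    case-insensitive as soon as any one repository ignores case.
    """
    if not policies:
        raise ValueError("need at least one policy")
    classes = frozenset.intersection(*(p.classes for p in policies))
    return PasswordPolicy(
        name="synced:" + "+".join(p.name for p in policies),
        max_length=min(p.max_length for p in policies),
        classes=classes,
        case_sensitive=all(p.case_sensitive for p in policies),
    )


def alphabet_size(policy):
    """Number of distinct symbols an attacker must consider per position."""
    letters = {"lowercase", "uppercase"} & policy.classes
    size = 0
    if letters:
        # A case-insensitive check makes 'a' and 'A' the same guess.
        size += 26 * len(letters) if policy.case_sensitive else 26
    if "digits" in policy.classes:
        size += CLASS_SIZES["digits"]
    if "special" in policy.classes:
        size += CLASS_SIZES["special"]
    return size


def max_entropy_bits(policy):
    """Upper bound on password entropy: every position drawn uniformly from
    the accepted alphabet at the maximum accepted length."""
    size = alphabet_size(policy)
    if size == 0 or policy.max_length <= 0:
        return 0.0  # no acceptable password exists under this policy
    return policy.max_length * math.log2(size)


# Constructed sample policies for the comparison.
DIRECTORY = PasswordPolicy(
    "directory", 16, frozenset(CLASS_SIZES), case_sensitive=True)
LEGACY_MAINFRAME = PasswordPolicy(
    "mainframe", 8, frozenset({"lowercase", "uppercase"}), case_sensitive=False)
SYNCED = effective_policy([DIRECTORY, LEGACY_MAINFRAME])


def compare():
    """Entropy ceiling with SSO (directory policy alone) versus password sync."""
    return {
        "sso_bits": round(max_entropy_bits(DIRECTORY), 1),
        "synced_bits": round(max_entropy_bits(SYNCED), 1),
        "synced_alphabet": alphabet_size(SYNCED),
        "synced_max_length": SYNCED.max_length,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running it shows the synced password collapsing to 8 case-insensitive letters (an alphabet of 26, roughly 37.6 bits at best) even though the directory alone would allow about 104.9 bits. The same function extends to any number of repositories, which is the point of the post: every system added to the sync set can only shrink the effective policy, never grow it.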