McGovern’s “Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security”
James McGovern over at the Enterprise Architect blog wrote a really fantastic Letterman-style Top 10 of mistakes that CIOs make regarding enterprise security. I've listed his in its entirety below and added a couple of my own.
1. Use process as a substitute for competence: The answer to every problem is almost always methodology, so you must focus savagely on CMMi and ITIL while not understanding the fact that hackers attack software.
2. Ostrich Principle: Since you were so busy aligning with the business, which really means that you are neither a real IT professional nor a business professional, you have spent much of your time perfecting memorization of cliché phrases and nomenclature and hoping that the problem will go away if you ignore it.
3. Putting network engineers in charge of security: When will you learn that folks with a network background can't possibly make your enterprise secure? If a hacker attacks software and steals data yet you respond with hardware, who do you really think is going to win the battle?
4. Over-rely on your vendors by relabelling them as partners: You trust your software vendors and outsourcing firms so much that you won't even perform due diligence on their staff to understand whether they have actually received one iota of training.
5. Rely primarily on a firewall and antivirus: Here is a revelation. Firewalls are not security devices; they are more for network hygiene. Ever consider that a firewall can't possibly stop attacks related to cross-site scripting, SQL injection and so on? Network devices only protect the network and can't do much nowadays to protect applications.
6. Stepping in your own leadership: Authorize reactive, short-term fixes so problems re-emerge rapidly.
7. Thinking that security is expensive while also thinking that CMMi isn't: Why do you continue to fail to realize how much money their information and organizational reputations are worth? The only thing you need is an insulting firm to provide you with a strategy.
8. Fail to deal with the operational aspects of security: Make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.
9. Getting it twisted to realize that Business / IT alignment is best accomplished by talking about Security and not SOA: Failing to understand the relationship of information security to the business problem; they understand physical security but do not see the consequences of poor information security. Let's be honest, your SOA is all about integration as you aren't smart enough to do anything else.
10. Put people in roles and give them titles, but don't actually train them: Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
Here are some of my favorites that I’ve added. I’ll work on adding the expanded explanations later:
1. Keep talking about threats and vulnerabilities and not about risk
2. Manage your security investments like throw-away CapEx cornflakes and not as a portfolio
3. Maintain that security is a technology issue
4. Awareness initiatives are good for sexual harassment and copier training, not security
5. Security is top secret, we can't talk about what we do
6. All we need to do is invest just enough to be compliant, we don't need to be secure
7. We can't measure security effectiveness
8. Virtualization changes nothing in the security space
9. We've built our three year security strategy and we're aligned to the business
10. One audit a year from a trusted third party indicates our commitment to security
Got any more?
/Hoff
Categories: General Rants & Raves, Information Security
"Manage your security investments like throw-away CapEx cornflakes and not as a portfolio"
Nice!
Tactical decision: Try to use MS SMS/SUS as an enterprise patch management solution… when most of the important apps never get patched or the really important DB server sits on a non-Windows OS! … All because it's FREE!
It was like you were drunk at a party
Simon Cowell just said that to someone on American Idol and it made me laugh. I hope it caused you to keep reading.
Rational Survivability has a couple of good things posted in the last day or two. The first one is about not following security harden…
Here's my favourite:
"Security is an IT issue, therefore, why do we need any security folks outside of IT?"
or
"Security? IT deal with that…"
Like, duh…?
Customers don't care about security only features.
If it's encrypted then it is secure.
"We trust our employees"
What is the fix to your #4? You can only stick so many technical barriers in place to prevent your users from opening and clicking on emails they shouldn't. Why does it seem like the whole industry is saying that users cannot be trained?
btw, good to meet you at shmoocon.
-CG
Re: CG's comments.
If you are running an operating system/mail client environment that is susceptible to attacks launched by users clicking on attachments — which they have done without letup since there have been attachments to click on and GUI mail clients that permit them to click, and which they will continue to do no matter what you or I or anyone else ever tells them — then your software environment is broken. Fix it.
Part of that fix, if you're not willing to upgrade to superior operating system/mail client software that is immune to this rudimentary problem, might consist of configuring your mail servers to disallow all attachments by default and only permit those for which there is a business need. This is by no means a panacea — fixing/replacing the broken software is clearly a far better idea — but it can at least partially mitigate the problem, and it's certainly much better than permitting all attachment types by default.
As to educating users, it's one of the dumbest ideas in security. As Marcus Ranum has famously pointed out, if it was going to work…it would have worked by now. If you are relying on user education as part of your strategy, you are doomed. See "The Six Dumbest Ideas in Security" for a fine explanation of this.
Keep talking about threats and vulnerabilities and not about risk
You're spot on with this one. Why am I being asked to investigate the recent hard disk encryption 'put the RAM on ice' crack when I should be focusing on the 1000+ printers in my enterprise that have no admin passwords set?
To Rich Kulawiec – completely disagree. Of course you're not going to get through to everyone, but if you get through to maybe 80-90% then that's an awful lot of attacks you've prevented, with actually very little effort. The reason I think it hasn't worked yet is because people are not doing it effectively, or that they'll 'get around to it' once the CEO has signed off all the important projects, the ones that mean the IT Security team get to play with cool new toys.
Just a quick question about "Putting network engineers in charge of security". Ok, this sounds smart at the surface as hackers do attack software and misconfigurations. Please explain to me what a programmer is going to do to secure an operational network? {silence}
Security is about three items: prevention, detection, and reaction. Each of the three is just as important, and I would put forth that security expertise is more important in the latter two. Focusing only on prevention is a pipe dream. Now, given that in a security skill set detection and reaction are more important, who has the better skill set: a programmer or a seasoned security expert who has a background in network engineering and sys administration?
I for one have all three and I can tell you that programming helps me do my job better but in the real world source code is not available and cannot be modified. So once again how is a programmer effective?
The biggest problem I see these days is not this old and tired argument over who is more adept to what environment. The problem is that security is a specialization, not a trade. To oversimplify: a programmer specializes in software security, a network engineer specializes in network security, a sys admin specializes in server security. The biggest problem is this: please stop training secretaries and plumbers with the CompTIA Security+ program and calling them "security experts". My mantra (repeat as many times as necessary): "Security is a specialization for seasoned professionals, not a trade to be taught to the neophyte."
I can also point out that in my years of investigating incidents I have yet to see a "hack" call out and say "I have been hacked". Usually there is something that just does not look right, what I call a data point of interest. I can also say that I rely heavily on my network knowledge to determine if a system or network has been compromised.
I would also point out that most security incidents involve people who are internal and are usually not very technical. One of my recent investigations ended up bringing a VP's teenage kid into the spotlight. Most incidents involve the misuse of information, not some foreign or organized crime hacker penetrating the network (as much as we look forward to and enjoy that challenge).
As far as security in general goes the mantra should be "devalue information and limit transactions!" not "Build more walls and controls!!!"… How well have castle walls endured through time? A new wall and/or defensive capability is developed and using technology a way to defeat that defense is developed over 50 years. Ok, 50 years back then technologically is equivalent to about 5 minutes now. Again, how well do castle walls and defensive controls work as an end-all be-all? I suppose this is a conversation for another time?!!!!
I do have one more comment. Yes I know I am wordy though this is kind of funny in a sadistic way. I disagree with you on the following point:
"4. Awareness initiatives are good for sexual harassment and copier training, not security"
IMHO awareness training is a great place to spread rumors about the Godlike abilities of the Security team, thus putting the fear of God into the users, which in turn cuts down on the stupidity and thus cuts down on the wasteful investigations.
Posted by: Rich Kulawiec
Re: CG's comments.
If you are running an operating system/mail client environment that is susceptible to attacks launched by users clicking on attachments — which they have done without letup since there have been attachments to click on and GUI mail clients that permit them to click, and which they will continue to do no matter what you or I or anyone else ever tells them — then your software environment is broken. Fix it.
**I guess I'm ignorant; what magical OS and mail system do you propose that allows the functionality that most people have come to expect from a Windows environment?
Part of that fix, if you're not willing to upgrade to superior operating system/mail client software that is immune to this rudimentary problem, might consist of configuring your mail servers to disallow all attachments by default and only permit those for which there is a business need.
**How do I determine for a large organization what is a business need for each individual? What happens when I guess incorrectly? How does that scale? Realistically, how do you propose that is done? Again, in a Windows environment how do you suddenly say you can't email your PowerPoint, Excel, Word or PDF documents? Or do I allow those even though I can trojanize those?
This is by no means a panacea — fixing/replacing the broken software is clearly a far better idea — but it can at least partially mitigate the problem, and it's certainly much better than permitting all attachment types by default.
**What if the malware comes through in normal MS Office documents? Do I strip all of those out by default?
As to educating users, it's one of the dumbest ideas in security. As Marcus Ranum has famously pointed out, if it was going to work…it would have worked by now. If you are relying on user education as part of your strategy, you are doomed. See "The Six Dumbest Ideas in Security" for a fine explanation of this.
**I don't know Marcus, but some of that list is pure garbage, especially #4. But back to #5: are you proposing I wait for the next generation of people who are going to magically become better educated without any training to come and fill those seats of users now? That's just fucking stupid. If users can never be fixed ("if it was going to work, it would have worked by now"), then why haven't we developed a technical solution that works yet? Oh yes, it's because the code is broken too, and the fix for that is writing secure code from the start… I'm still waiting for my "securely coded" application to replace everything else that is already in place.
"A better idea might be to simply quarantine all attachments as they come into the enterprise, delete all the executables outright, and store the few file types you decide are acceptable on a staging server…"
And what if the malware comes in via files I allow? What now? A good example would have been the Adobe mailto exploit that just came out (now patched). How would your solution have stood up to that? I shouldn't allow PDFs in?
What about when I am stripping out attachments from the CEO or some other high-level person that doesn't care about security who just needs to get work done? I guess if you have a network of computer-literate people those types of solutions become viable. For the rest of us not working in fantasy land, those suggestions are just crap.
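To make the default-deny attachment policy debated in this thread concrete (Rich's allowlist proposal and CG's objection that allowed types still carry risk), here is an added Python example; it is not code from this post or any commenter, and the allowlist, file signatures and sample attachments are hypothetical.

```python
"""Default-deny attachment gate: every attachment is blocked unless its type is
on a business-need allowlist, and even allowed types are delivered only when
the file header matches the claimed extension. Allowed-but-unverifiable files
are quarantined rather than delivered. Constructed sample input; the allowlist
is a hypothetical policy, not anyone's real mail-server configuration."""
import os

# Hypothetical business-need allowlist: extension -> expected leading bytes.
ALLOWLIST = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # OOXML documents are zip containers
    ".xlsx": b"PK\x03\x04",
    ".txt": None,             # plain text has no magic; allowed but quarantined
}
# Signatures that must never be delivered regardless of the claimed file name.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def decide(filename: str, data: bytes) -> str:
    """Return 'deliver', 'quarantine' or 'drop' for one decoded attachment."""
    ext = os.path.splitext(filename.lower())[1]   # last extension only
    if data.startswith(EXECUTABLE_MAGIC):
        return "drop"                  # executable content under any name
    if ext not in ALLOWLIST:
        return "drop"                  # default deny: not a business need
    magic = ALLOWLIST[ext]
    if magic is None or not data.startswith(magic):
        return "quarantine"            # allowed type, but cannot be verified
    return "deliver"


# Constructed samples standing in for decoded MIME parts (not real files).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4 ...",
    "report.docx": b"PK\x03\x04...",
    "update.exe": b"MZ\x90\x00...",
    "photo.scr": b"MZ...",
    "notes.pdf": b"MZ...",             # executable renamed to .pdf
    "readme.txt": b"hello",
}


def run_policy(samples=SAMPLES) -> dict:
    """Apply the gate to every sample and return {name: decision}."""
    return {name: decide(name, data) for name, data in samples.items()}
```

Note that this only enforces the allowlist and catches renamed executables; a well-formed PDF or Office document that exploits its reader (CG's point) passes the header check, so the gate reduces exposure but is not a substitute for patching the client software.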