redux on 4 deadly security sins

I’ll always say I like lists. C-levels like lists, average people like lists, techies need to like lists. 🙂 Over at ZDNetAsia, Scott Montgomery, global vice president for product management at Secure Computing, gave his take on 4 damaging security habits in the corporate world. Here are my takes on each. Overall, I like this succinct list; with minor quibbles, it’s a good one.

1. Fixed Passwords – Fixed passwords, in my mind, are adequate. They aren’t best practice, but they are still by far the most economical option for most corporations and people. We know passwords, we’re used to them, and they tend to be just fine when properly complex and rotated. If one-time passwords were so useful, why are they so difficult to roll out or scale up to our needs? Because you need a lot of levers and gears aligned in a corporate environment before such a solution can be implemented effectively: the token has to be tied into every login path, or users simply fall back to the fixed password on the systems it doesn’t cover. No single-sign-on possibility in your shop? Then one-time password tokens are not yet for you.

2. Neglecting inbound threats from e-mail, the Web and instant messaging – Montgomery gets this one right, and there’s not much I can add beyond nitpicking the use of the term “threat” for what is really an attack vector.

3. Forgetting that data traffic is two-way – I think this is another good point, although I think we can all admit that trying to get our arms around egress is like trying to hold down a very large bear, or herd cats. That is a major reason so many of us are behind here: we have other, easier things to tackle. We should certainly keep it in mind, but always think about this: how do you stop me from uploading data to a web server that I own? How do you stop me from uploading data through an encrypted channel on port 80 outbound? A port-based rule passes both; stopping them takes protocol inspection and destination allowlisting at the egress point, which in many shops means spending good money on solutions. Hence…they do get left behind.

4. Not encrypting data – I don’t like bashing the lack of encryption by using email as an example. Sadly, SMTP is broken and obsolete, but like the SSN, it is so widely used and relied upon… He also dives deep into FUD by saying unencrypted mail is as public as paper. No, it’s not, but he still brings up a good point. Encryption should be used whenever possible, on the wire and on disk. We’ll only slowly move in this direction because of compatibility issues.
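Point 3 asks how you stop an encrypted upload on outbound port 80, and the answer is that a port number tells you nothing; you have to look at the bytes. The following is an added example written for this post, not code from the post or from any product. It runs two egress rules over a handful of constructed flow records (destination, port, and the first client-to-server bytes; none are real captures, and the hosts and addresses are made up): anything on port 80 that does not start with an HTTP request line is flagged by protocol, and a large HTTP POST/PUT to a host outside an allowlist is flagged by destination. The function names and the `ALLOWED_UPLOAD_HOSTS` set are this example’s own.

```python
import re

# Constructed flow records for the example: destination, port, and the first
# client-to-server bytes seen at the egress point. None of these are real captures.
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "port": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    # TLS record header (content type 0x16 = handshake, version 3.1) sent to port 80
    {"dst": "203.0.113.20", "port": 80,
     "payload": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32},
    # The same ClientHello on 443 is what that port is for: no finding
    {"dst": "203.0.113.30", "port": 443,
     "payload": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32},
    # Plain HTTP, but a 1 MiB POST to a host that is not on the allowlist
    {"dst": "203.0.113.40", "port": 80,
     "payload": b"POST /upload HTTP/1.1\r\nHost: files.attacker-owned.example\r\n"
                b"Content-Length: 1048576\r\n\r\n" + b"A" * 64},
    # SSH banner on port 80: a tunnel, not a web request
    {"dst": "203.0.113.50", "port": 80, "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
]

# Hosts this (hypothetical) shop allows bulk uploads to.
ALLOWED_UPLOAD_HOSTS = {"www.example.com", "cdn.example.com"}

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n")


def classify(payload: bytes) -> str:
    """Identify the protocol from the first bytes, ignoring the port entirely."""
    # TLS record: content type 0x16 (handshake), version 0x03 0x00..0x04
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    return "unknown"


def http_request_info(payload: bytes):
    """Return (method, host, content_length) parsed from an HTTP/1.x request head."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    host, length = None, 0
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        name = name.strip().lower()
        if name == b"host":
            host = value.strip().decode("ascii", "replace")
        elif name == b"content-length":
            try:
                length = int(value.strip())
            except ValueError:
                length = 0
    return method, host, length


def flag_egress(flows, allowed_upload_hosts, upload_threshold=256 * 1024):
    """Two rules a port-based firewall cannot express:
    1. anything on port 80 that is not HTTP (TLS, SSH, unknown) is flagged;
    2. an HTTP POST/PUT with a large body to a host outside the allowlist is flagged.
    Returns a list of (destination, reason) findings."""
    findings = []
    for flow in flows:
        kind = classify(flow["payload"])
        if flow["port"] == 80 and kind != "http":
            findings.append((flow["dst"], f"{kind}-on-80"))
            continue
        if kind == "http":
            method, host, length = http_request_info(flow["payload"])
            if (method in ("POST", "PUT") and host not in allowed_upload_hosts
                    and length >= upload_threshold):
                findings.append((flow["dst"], "large-upload-to-unlisted-host"))
    return findings


if __name__ == "__main__":
    for dst, reason in flag_egress(SAMPLE_FLOWS, ALLOWED_UPLOAD_HOSTS):
        print(f"{dst}: {reason}")
```

The honest limit is visible in the second flow: `classify()` can tell that the traffic is TLS, but not what is inside it or who owns the server, so the only ways to stop an upload to a server the attacker owns are a default-deny destination allowlist or TLS termination at the proxy. Both cost money and break things, which is exactly why egress keeps getting left behind.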

2 thoughts on “redux on 4 deadly security sins”

  1. Hey LV!
    Some of these touch existing FAIR studies we draw from and I thought I’d mention some of our findings:
    1.) It depends on the situation, but for the most part there is little risk reduction in hyper-complex password schemas. Some things (like phishing) do benefit, but only because of the significance of other risk factors (like Threat Event Frequency, in the case of phishing).
    2.) The cost/benefit of controls for those threats these days are so low that it’s rarely an issue to justify them from a risk analysis standpoint.
    3.) The capability to perform threat actions exactly as you propose creates a difficult circumstance. Risk analysis shows that this is (for the most part) a rather low risk proposition – but it is what we call a *fragile* risk condition. Fragile risk conditions arise when risk is “low” due to a low frequency of threat events, but the absence of controls means that an uptick in frequency of Threat Events will result in a (mostly proportional) increase in the number of loss events.
    4.) Various Risk Studies show the value of encrypting data at rest (esp. in this day of mandatory disclosures). However the interception of email in transit is a very low risk proposition.

  2. All good points! I think the thing I like the most about your blog and your comments is that you use the terms of the trade all the time. For people like me who find them a bit hard to grasp, we realize that only with time and extended exposure will we truly get it and be able to also use those terms. Thank you! 🙂
