I’ll always say I like lists. C-levels like lists, average people like lists, techies need to like lists. 🙂 Over at ZDNetAsia, Scott Montgomery, global vice president for product
management at Secure Computing, gave his take on 4 damaging security habits in the corporate world. Here are my responses/takes. Overall, I like this succinct list, and with minor quibbles, it’s a good list.
1. Fixed Passwords – Fixed passwords, in my mind, are adequate. They are neither best practice nor the best available option, but they are still by far the most economical choice for most corporations and people. We know passwords, we’re used to them, and they tend to be just fine when properly complex and rotated. If one-time passwords were so useful, why are they so difficult to roll out or scale up to our needs? They are difficult because you need a lot of levers and gears aligned in a corporate environment to implement such solutions effectively. No single-sign-on possibility in your shop? Then one-time password tokens are not yet for you.
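The two conditions the post attaches to fixed passwords, "properly complex and rotated", are easy to state and just as easy to leave unenforced. The following is an added example (my own illustration, not code from the original post or from Secure Computing) of a small policy check covering both; the thresholds, the blocklist of common passwords and the date format are assumptions chosen for the illustration, not a recommended standard.

```python
"""Added example: a minimal fixed-password policy check.

Enforces the two properties the post calls out for fixed passwords:
complexity (length, character classes, not on a common-password list)
and rotation (maximum age). All thresholds are assumptions.
"""
from datetime import date, timedelta
import string
from typing import List

MIN_LENGTH = 12                  # assumed minimum length
MIN_CLASSES = 3                  # assumed: at least 3 of lower/upper/digit/symbol
MAX_AGE = timedelta(days=90)     # assumed rotation period
# Constructed, deliberately tiny blocklist; a real one would be far larger.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome1"}


def character_classes(password: str) -> int:
    """Count how many character classes (lower, upper, digit, symbol) appear."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def check_password(password: str, set_on: str, today: str) -> List[str]:
    """Return policy violations for a password last set on `set_on` (ISO date).

    An empty list means the password satisfies the policy as of `today`.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short (fewer than {MIN_LENGTH} characters)")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    age = date.fromisoformat(today) - date.fromisoformat(set_on)
    if age > MAX_AGE:
        problems.append(f"set {age.days} days ago; rotation limit is {MAX_AGE.days}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_password("Tr0ub4dor&3-horse!", "2024-05-01", "2024-06-01"))
    print(check_password("password", "2024-01-01", "2024-06-01"))
```

The check is split into independent rules that each append a message, so a help desk or self-service tool can tell the user exactly which rule failed rather than returning a bare yes/no.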
2. Neglecting inbound threats from e-mail, the Web and instant messaging – Montgomery gets this one correct, and not much I can add to it other than nitpicking about the term “threat” used for an attack vector.
3. Forgetting that data traffic is two-way – I think this is another good point, although we can all admit that trying to get our arms around egress is like trying to hold down a very large bear, or to herd cats. I think that is a major reason so many of us are behind here: we have other, easier things to tackle. Still, we should keep it in mind, and always ask: how do you stop me from uploading data to a web server that I own? How do you stop me from uploading data through an encrypted channel on port 80 outbound? These are difficult to stop in many shops without spending good money on solutions. Hence… they do get left behind.
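Even without buying an egress solution, two of the cases the post raises, an encrypted channel on port 80 and bulk uploads to an arbitrary server, leave traces a defender can look for in existing firewall or proxy logs. The following is an added example (my own, not code from the original post): it runs two simple detections over constructed log lines. The log format (timestamp, source, destination, destination port, bytes out, first bytes of the payload in hex) and the upload threshold are assumptions made for the illustration.

```python
"""Added example: two egress checks over constructed firewall log lines.

1. Protocol/port mismatch: a TLS record header on port 80, where plain
   HTTP is expected.
2. Volume: total bytes sent outbound per source host above a threshold.
Log format and threshold are assumptions for this illustration.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample. Fields: ts src dst dport bytes_out first_bytes_hex
SAMPLE_LOG = """\
10:00:01 10.0.0.5 203.0.113.10 80 1200 474554202f
10:00:02 10.0.0.5 203.0.113.10 80 900 504f5354
10:00:05 10.0.0.7 198.51.100.9 80 48000000 160301
10:00:09 10.0.0.7 198.51.100.9 80 52000000 160301
10:00:11 10.0.0.9 203.0.113.22 443 3500 160301
10:00:15 10.0.0.9 203.0.113.22 443 1700 160303
"""

UPLOAD_THRESHOLD = 50_000_000   # assumed: 50 MB outbound per source host


def looks_like_tls(first_bytes_hex: str) -> bool:
    """A TLS record starts with content type 0x16 (handshake) and a 0x03 0x0X version."""
    b = bytes.fromhex(first_bytes_hex)
    return len(b) >= 3 and b[0] == 0x16 and b[1] == 0x03 and b[2] <= 0x04


def parse_log(log: str) -> List[Dict[str, object]]:
    """Parse whitespace-separated log lines into records; skips blank lines."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, bytes_out, first = line.split()
        records.append({
            "ts": ts, "src": src, "dst": dst,
            "dport": int(dport), "bytes_out": int(bytes_out), "first": first,
        })
    return records


def egress_findings(log: str) -> List[str]:
    """Return one human-readable finding per suspicious event or host."""
    findings = []
    bytes_per_src: Dict[str, int] = defaultdict(int)
    for r in parse_log(log):
        bytes_per_src[r["src"]] += r["bytes_out"]
        if r["dport"] == 80 and looks_like_tls(r["first"]):
            findings.append(
                f"{r['ts']} {r['src']} -> {r['dst']}:80 TLS handshake on plain-HTTP port"
            )
    for src, total in bytes_per_src.items():
        if total > UPLOAD_THRESHOLD:
            findings.append(f"{src} sent {total} bytes outbound, above {UPLOAD_THRESHOLD}")
    return findings


if __name__ == "__main__":
    for finding in egress_findings(SAMPLE_LOG):
        print(finding)
```

Neither check stops the upload; they make it visible. The port-80 check keys on the first bytes of the payload rather than the port number, which is exactly the distinction a port-based rule misses, and the volume check works on bytes already counted by the firewall, so it costs nothing beyond the query.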
4. Not encrypting data – I don’t like bashing the lack of encryption by using email as an example. Sadly, SMTP is broken and obsolete, but like the SSN, it is so widely used and relied upon… He also dives very deeply into FUD by saying unencrypted mail is public like a paper. No, it’s not, but he still brings up a good point. Encryption should be used whenever possible, on the wire and on the disk. We’ll only slowly move in this direction because of compatibility issues.