incomplete thoughts: 5 of my security pet peeves

This is my getting rid of some incomplete thoughts sitting around in my unpublished bucket. This post could be 3 years old or it could be 3 weeks old, I’m not sure. Peeve #4 is a bit of a reality, and I’m not sure I would today include that in here if I rewrote this today. The ending example goes nowhere, and #5 isn’t finished. Either way, just getting this off my chest and published.

5 of my IT security pet peeves. Notice that these are not necessarily technical issues. I don’t feel like our biggest challenges are technical in nature. And while I might call these pet peeves, they don’t necessarily frustrate me nearly as much as most of my driving pet peeves.

1. No Big Box Tool beats a good admin, but we’re obsessed with the Big Box Tools. I’m not a big fan of all-in-one-boxes or UTM or centralized SOC-in-a-BOX. On one hand, I really like the power that tools have been getting in terms of analyzing and collecting data in one place. Sadly, I don’t think any single box performs better than other smaller tools being used wisely by a crafty admin to achieve the same goals. There is a certain watering down (each piece is lower quality compared to specialized tools) and dumbing down (take the analyst away from the guts long enough and he’ll only know how to work the GUI and not dig deeper manually) and feature-bloat (try to pack every option that 10,000 companies will use but no company uses half of them at once) to big boxes that simply cost in terms of quality. The real key here is whether you have a crafty admin with the time necessary to wisely wield those surgical tools. Instead, we too often take the quality hit to save some money…

2. Not enough time. In our American culture, we have this obsession with milking productivity from our workers. We demonize leisure time, personal time, even vacations; maybe not openly, but we insinuate that anything less than 100% is bad. This trickles down into IT staff who have little free time to improve their situation beyond rushing from one fire to the next, or one project to the next. You know you’re in this situation if you’re doing task A, notice that issue X is occuring just because you happen to see it, but know you won’t ever get to it and so just leave it. Security cannot be improved when time is booked. Either you don’t have the time to properly tune tools, investigate alerts (we’ve all had days where 1 alert takes 1 hour and days where 1000 alerts takes 5 minutes), do simple audits to verify security, or keep on top of current news. Let alone the mistakes that will be made due to the pressured time-boxing… You want to improve security? Improve the time your staff has to find and make enhancements. Anything else just means everyone relies on the audits and only does what is prescribed at the time. (This also means your staff needs to be enthused about security, and not just use their extra time to surf YouTube. If you don’t have enthused staff, then replace this item with : People who don’t hire enthused staff!)

3. Too many people still believe ignorance (or ignoring it) is an effective security strategy. I’m borrowing this straight from the article I just posted about earlier, because I think it is an epidemic (pandemic) problem. That noise coming from your engine? Yeah, it’ll go away, right? It wouldn’t happen to us! I think ignorance and human habits of ignoring problems is a real issue. I understand that some risks are accepted and not every problem absolutely needs resources pushed at it to solve it, but collectively we’re sucking with even the basics of digital security. (I think most organizations scope-limit their auditors from half the stuff that is wrong.)

4. Convenience trumps security, or, security is never as easy as it sounds. There are a few tasks that sound easy but illustrate exactly how time-consuming really managing security is: data classification company-wide, account oversight and review, file server permissions audits, knowing exactly what data is where (yay laptops!), log reviews, and change management. Convenience trumping security is a more appropriate way of saying functionality over security.

5. We want security now, for free, and to last for years without further inputs. How many PCI projects have we collectively seen that have deadlines? And after that deadline, PCI (or security) is considered done and the consultants/contractors let go). That’s a win for sure!

Just to juxtapose a few items from above, here is one scenario. You have a not-very-technically-proficient security admin in your company. He’s not given the most access, probably not enough to do this job effectively. He doesn’t have the ability to implement proper NSM without the techs making his requests bottom-of-the-barrel priority. In fact, he doesn’t have much more than the ability to get an All-In-One-Security-Box. Likewise, said security box doesn’t give him much data for an alert. Oh, and by the way, he’s an important admin who talks with execs every few weeks with some certs under his belt, so he feels he gets paid more than someone who does the grunge work like reviewing logs, accounts, or testing those firewall changes. So no one really checks that stuff. When audited, the admin knows just enough to give the auditor enough for a report, keep him away from the things he knows suck, but not enough to allow the auditor to expose underlying issues.