a bunch of great sec lessons from tripwire

I love me lists, and Tripwire dug deep to drop out a list of 25 things:* “25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them”.

(* I say things because that title sucks. It’s too long for Twitter use, so it gets shortened and passed around as various other juicier-sounding things, but is still a fun read. Likewise, you’ll get halfway through the list and forget what the point was; are these myths? truths? just anecdotes? did this just get too long?)

This is a huge list and not everything is worth reconsidering, but I ended up highlighting more things than I anticipated, probably because there are good lessons through the whole list. Some of these lessons could be a whole book chapter in themselves.

1: I got no errors so I’m sure the backup is valid – Test and verify. You’re taking backups? Are you sure? And do you know for sure you can restore them when you need to? Having backups is probably the most important security *and* operations function, and verifying that the process works shouldn’t wait until the emergency hits. A clean exit from the backup job only tells you the job finished; it tells you nothing about whether the data can be brought back. (I really, really hate when “outages” are used as an excuse to call them half-assed [and usually woefully incomplete] disaster recovery/business continuity tests, just because someone is averse to talking to the business about the interruption/work that a real test involves.)
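What a restore test actually looks like, as an added example that is not from the Tripwire piece or this blog: the script below assumes a POSIX shell with tar (GNU or BSD, with gzip support) and sha256sum available. It takes a tarball backup of a directory, restores it into a scratch directory rather than over the live data, and compares checksums of every file. It fails both when the archive is damaged and when the live data has drifted from what was backed up. The function and variable names are my own.

```shell
#!/bin/sh
# Added example: take a backup, then prove it by restoring it somewhere
# harmless and comparing checksums. "No errors" from the backup tool means
# the tool finished, not that the data can be recovered.
#
# Usage: take_backup /path/to/data /path/to/backup.tar.gz
#        verify_backup /path/to/data /path/to/backup.tar.gz

# take_backup SRC_DIR ARCHIVE : archive the contents of SRC_DIR into a gzipped tarball
take_backup() {
    src="$1"; archive="$2"
    tar -C "$src" -czf "$archive" .
}

# checksum_tree DIR : one "sha256  ./relative/path" line per regular file, sorted
checksum_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

# verify_backup SRC_DIR ARCHIVE : restore ARCHIVE into a scratch directory and
# fail unless every file under SRC_DIR is present and byte-for-byte identical.
verify_backup() {
    src="$1"; archive="$2"
    scratch=$(mktemp -d) || return 1

    # A restore that errors out is a failed backup, whatever the backup log said.
    if ! tar -C "$scratch" -xzf "$archive" 2>/dev/null; then
        echo "FAIL: $archive does not restore cleanly" >&2
        rm -rf "$scratch"
        return 1
    fi

    checksum_tree "$src" > "$scratch.src.sum"
    checksum_tree "$scratch" > "$scratch.restore.sum"

    if [ ! -s "$scratch.src.sum" ]; then
        # An empty source tree "verifies" trivially; treat that as a test failure.
        echo "FAIL: no regular files under $src, nothing to verify" >&2
        rc=1
    elif cmp -s "$scratch.src.sum" "$scratch.restore.sum"; then
        echo "OK: $(wc -l < "$scratch.src.sum") files restored intact"
        rc=0
    else
        # Either the archive lost data or the live tree has changed since the backup.
        echo "FAIL: restored files differ from source" >&2
        diff "$scratch.src.sum" "$scratch.restore.sum" >&2
        rc=1
    fi

    rm -rf "$scratch" "$scratch.src.sum" "$scratch.restore.sum"
    return $rc
}
```

The drift case is the one people forget: a backup that verified last month can be worthless today, so the restore test belongs on a schedule, not in the incident.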

2: Do you really need everyone to wish you “Happy Birthday?” – I actually think I uttered an audible, “wow” when I read this. It just bears highlighting in itself.

4: Yes, a UFO is an unidentified flying object, but it’s probably an alien – Great point, yet, strangely enough for someone with an ear for security, I’m usually the last to assume some form of strangeness is a hack attack. I guess I’ve seen way too many “strange” things turn out to be explained by completely innocent means (or remain unexplained, non-security events). As I like to say about law enforcement approaches: the simplest answer is usually the correct one.

5: I don’t care. I work in information security, not physical security – I simply like the reminder that, well, fucked up shit happens in the physical world, and you really can’t predict it.

7: Let’s get the bad guys…all the bad guys – I’m not sure I liked this item; I had to read it several times and still am not sure I follow it or agree with it. I think maybe the bullet title is just awful, since it doesn’t match the anecdote. Still, even small things can be a problem, as I think a few other bullet points mention, but yes, we should prioritize, and we can’t get to everything all at once.

10: We only offer secure access to our system, unless you want to use our test machine – I have to quote Wysopal because he’s right. Read another way: least-fricken-privilege. This is one of the more common issues, imo, in business: people do and get away with whatever they *can* do or get away with.

“The lesson here is not to give your users a less secure way to get something done or they will pick it and be compromised,” said Wysopal.

11: This system was secure when I bought it – As I move further into my career, I realize the hardest long-term problem I’ll face is likely just keeping up with changing technology. I’m just one job and a few years away from being grossly behind, ya know? I’m thankful I work in a progressive organization right now where we have many advanced tools and a mature IT budget and culture, but getting behind always scares me. Hell, I’m already behind on the desktop side, as I’m nowhere near as proficient at Windows Vista/7/2008 as I am everything older.

13: We’ll make it a security policy and everyone will follow it – I love both his points in this bullet: monitor (verify) and even educate your clients. For the latter, right now I’m actually having to defend the need for an SSL certificate on a website that passes internal credentials and sensitive data, to a client who doesn’t want to spend the money to purchase one. If a client asks, the account managers and salespeople aren’t going to say no! Normally I just do this myself, but more and more, larger corps are keeping tighter control of domain ownership…

14: Hurry up, we need to fix this problem right now! – Slow down and do it right. In the past 6 months we’ve had it pretty rough on my team, with lots of strange outages both self-inflicted or completely out of our control. I really dislike how, during an outage, a huge rush and pressure is put on to find creative ways to get things half up again. This often brings with it new challenges, issues, orphaned changes, and risk, and sometimes causes more problems than it fixes. If you have a plan, stick to it. Don’t create new plans during an issue unless you absolutely have to. And if you do, relax, think about it, and work smarter rather than faster. (Really, this cuts both ways and gets back to value/business needs, but my more recent experiences are reflected in this opinion.)

15: Yeah sure, the USB key is secure – Just a great anecdote to drive home that bad things happen and people are ultimately a constant problem.

18: I’ll just dictate security and it’ll work – I think dictating security *does* work, but not when you’re just dictating policy or procedures; only when you’re backing it up with technological controls to enforce it.

19: People are usually very thorough when filling out survey forms – I cringe. I know Bob fills out security questionnaires from prospective clients. Bob barely knows what he’s filling out. Bob also knows prospective clients barely look at the results anyway. Ultimately, what someone claims is somewhat meaningless without verifying it. I think that rings true in several of these bullets.

20: All vulnerabilities take priority over the business – Ahh, this rings of both truth I agree with, but also some of the more intense frustrating feelings that I disagree with. I think this is where you’re on the bar of a seesaw that can’t fully dip down on one side or the other. It’s hard to read this without feeling that hot/cold duality, to both agree with Gene and disagree. Honestly, I think that’s a healthy reaction to this…

21: Eventually, when I have time, I’ll encrypt that hard drive – Just another great anecdote, especially to higher-ups, that shit sometimes just happens. And when it does, it doesn’t smell like roses like ya think…

22: No one is going to screw with my unattended computer in the office – We do this in my team, and it drives home the point quite nicely. I prefer to email their immediate manager, “I’d like a pay decrease. Thanks!”

24: Wow, a cool new untested security product! – The real point in this, to me, is that you can’t just throw something out there in the name of security and expect it to run unattended. I agree you should test, but you could spend a year testing something like an IPS, put it in, and still have a strange problem. You need to accept that security is an ever-moving balance between blocking things and allowing things, on an ever-moving landscape. It’s like balancing on a pylon from a broken dock in the beating surf.