INFOSEC:BLUE
Solid answers to
difficult questions, often
in humorous form.

So You Think Information Security is Sexy?
30 October 2014, by OFH

A lot of people are interested in information security, and the number is growing. Maybe this is inspired by news stories of breaches or thefts of credit card data. Maybe it's because we find spies and terrorists who break in to government, banking, technology, and industrial systems. Or maybe it's because, deep in the recesses of our dreams, we really want to do all that. Whatever the reason, information security has shifted from a topic of concern that's dismissed to being a topic that big sectors of the population are worried about. Sooner or later, everyone has to address their own information security, whether it's preventive or reactive.

Business really likes information security, too. It used to be relegated to the lawyers and insurance people, who protected intellectual propery and peoples' private information. Those things are still going on, but now we have executives asking about hackers and criminals and IT departments everywhere are jumping in with both feet to buy whatever new gee-whiz-bang security doodad comes out. Vice presidents are also asking a lot of questions about compliance, which information security investments support, because (for maybe the first time in history) they can go to jail because of something that happens with a machine they have no direct control over. Seems vice presidents are willing to spend a lot of shareholder money to stay out of jail. Oh, yeah, and to do the right thing.

So what really is the right thing? Do we need ultra-hardened firewalls and umteen-gorillion-bit crypto? Maybe some artificial intelligence to monitor the network and spot sketchy traffic patterns? Keystroke loggers and forensic tools to watch every employee so we know they aren't stealing resources?

Mmmmmmmaybeeeeeeee... Eventually.

All that stuff is sexy, no question about it, and (I'll be the first to admit) it's a lot of fun to play with. It also tends to be really expensive, even beyond the initial capital outlay for software and hardware to run it on. These things all need care and feeding, and they don't do it themselves. If you have "an IT guy," expecting him to run all this will only guarantee that your return on security investment (ROSI) will be a loss, and it may not just be limited to the expense. Lost opportunities to deal with business while "the IT guy" is busy maintaining all this stuff can run into real money pretty quickly. If all this non-core technology breaks your enterprise, direct losses to the business can be catastrophic.

Everybody wants to be a gangsta until it's time to do gangsta stuff.

Security technology requires some specific supervision. In addition to the initial capital costs, you'll be needing to hire someone- or someones- to run it independently of the regular IT shop. You'll also need to buy support for the products so you continue to get patches and updates. Somtimes there will be integration issues that you'll need to bring the vendor in to help you resolve it. And on top of this, security investments (like all other IT investments) are usually depreciated over 5 years, according to GAAP rules. And because many security products require subscriptions to data feeds to keep running, stopping maintenance often makes the asset stop working, instantly bringing it's present value to zero.

Not a good story to tell investors and shareholders.

So what to do? It turns out that information security tends to fall into a couple of categories. I like to think of them as "basics" and "edge-cases." The basics include normal administrative stuff and a little common discipline. The basics are the simple stuff like:

Keeping your systems patched and versions supported by the vendor; The vast majority of exploitable vulnerabilities are caused by things that have been patched for some time.

Enforcing "least privilege" is very important; bad things happen- often accidentally- when everyone in the enterprise has super-user or admin privileges.

Removing and turning off unnecesasry stuff is a big one, too; a lot of intruders (including viruses and malware) exploit services on servers and network equipment that people don't realize are even turned on. In most cases they go unused and are enabled by default.

Keeping regular backups; this can prevent losses of intellectual property and business records, and can help you get your business back up and running if there's a catastrophe.

Running a paid antivirus product; technology is available now that lets your antivirus run without bogging your system down and, really, you can afford to buy hardware that runs well with AV turned on. You buy work vehicles with brakes and airbags, don't you? Why should your computers be any different?

Encourage your people to do the right thing; this is surprisingly absent in a lot of enterprises, and it's part of any good risk management practice no matter the size. People are willing to do the right thing if they know that it's more important and more valuable than being fast. Show your appreciation for the right thing even if it's late.

These basics cover huge areas of common vulnerabilities which just happen to be first thing bad guys like try. I mean, nobody would start to pick a lock without trying the doorknob first. After the basics are handled, you'll have a better idea of where your threats are, and you'll be able to more deliberately deal with the things that can actually cause losses, and you'll be able to spend money on what you actually need instead of hemoraging cash on tools that waste your time.

So, yeah, these things aren't really very sexy, but they're very reliable at giving a great return on a very low-cost security investment. Ask anyone that's been married for a long time. Exciting can be fun. But reliable? Now that's sexy. If you're still single and you're questioning the truth in this, try it and stick with it. You'll get it.

If you're lucky.

"Full pardon, but I follow up the quest, despite of day and night and death and Hell."
-Tenyson