Locking your door in 2004
Teach your users to think as you do
Opinion I've never been a big believer in "New Year's Resolutions." I figure if you're going to resolve to do something (or not do something) waiting for a new year to is really just an excuse to procrastinate, writes SecurityFocus columnist Tim Mullen.
But when I look back over the last year and consider some of the security issues we faced, I think that a few resolutions for this new year may just be appropriate: not only to keep us from making the same mistakes over again, but maybe to expand our sphere of influence and do the same for those around us as well. To many, these suggestions may seem obvious and even common -- however, the events of 2003 show us that they are not being adopted.
When deploying services, resolve to think about security in depth.
We really need to work on this often-repeated but seldom-exercised security postulate. The thought process involved in providing services to an untrusted network should not end at publishing the service -- that is really only the beginning. One must also design other layers of security around the service: Firewall configurations, OS hardening, application filters, perimeter networks, etc. Only when a plan contains other measures of securing the service, measures in depth, does that plan begin to offer more robust security. Resolve to do so.
Envision the future, but secure the present.
I draw a fair amount of criticism for my typical "pro-Microsoft" opinions. There are those who think I'm obtuse for not seeing how the software "should" be, or not realizing the benefits of other operating systems or development models. That is not the case-- I'm just being a realist. While security professionals must always think towards the future and look to build a more secure tomorrow, we must also accept how things are today.
While we may all agree that any installation of a Microsoft product should be safe to deploy to the Internet right out of the box, that is just not the case today. We all know this-- so take responsibility for it. Learn to harden your installations. Learn to configure services for least privilege. Learn to use the tools you have to secure your systems. Don't let your lust for the future keep you from your present duty of diligence. Resolve to do so.
Don't just tell your users what to do, but get them to think the way you think.
Many administrators don't give their users the time of day; that's what NTP is for. But when it comes to security, most issues manifest themselves at the user level: opening attachments; using weak passwords; installing spywear; sharing sensitive information -- you know, general "shoot them in the head" stuff. To combat this, we normally just tell them what to do and what not to do without giving them much of anything else to go on.
I'm as guilty of this as anyone -- I normally do not go into too much detail as, to be honest, I just don't think they'll understand. But I think that ultimately does them a disservice, just like when parents respond to a child's "why?" with "because I told you so." I very well may regret saying this, but I think we should spend more time helping our users to better understand the "why" behind our requests if we are to expect them to really follow directions. Take time to share your thought process with your users when it comes to security. Try to get them to not only understand the ramifications of their actions, but to think about security in their everyday lives. Send out a monthly newsletter. Buy them "Beyond Fear." Spotlight and share success stories.
Ultimately, when the actions of a user cause the system to fail, it is our failure too. Let's try to bring our users to the next level by actually changing the way they think about security. We'll all be better off. Resolve to do so.
Explore new ways of reaching more people.
For the most part, the readers of this column are not the ones who need to know of its content. Most of the people who would derive the greatest benefit from discussions in security are not even in the loop. Normally, we wait for those who are interested to come to us (and then bash them as newbies), but I think this needs to change given today's Internet. We need to look outside of the "normal channels" used to convey security information.
For the last several years, every computer I have purchased has a nifty little pamphlet explaining how to use the keyboard so that I don't get Carpal Tunnel Syndrome, yet nothing tells me not to turn on File and Print Sharing, or not to install SQL Server on Internet facing machines. This has got to change. Maybe we should all have "ABC's of Security" sections on our websites. Maybe Dell should include a free "Guidelines to Security" booklet with every purchase of a new machine.
There are three groups of people out there:
2. Those who don't know what they are doing but are at least aware of the fact that they don't know.
3. Those who don't know what they are doing, and have no clue that they don't know.
The third group is the most dangerous, and the one we need to reach. I'm not sure exactly how to go about it, but we should all try to think of new ways to reach these people for their sake and ours. Resolve to do so.
May you all have a prosperous and secure 2004.
Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.