Locking your door in 2004

Teach your users to think as you do


Opinion I've never been a big believer in "New Year's Resolutions." I figure if you're going to resolve to do something (or not do something), waiting for a new year to do it is really just an excuse to procrastinate, writes SecurityFocus columnist Tim Mullen.

But when I look back over the last year and consider some of the security issues we faced, I think that a few resolutions for this new year may just be appropriate: not only to keep us from making the same mistakes over again, but maybe to expand our sphere of influence and do the same for those around us as well. To many, these suggestions may seem obvious and even common -- however, the events of 2003 show us that they are not being adopted.

When deploying services, resolve to think about security in depth.

We really need to work on this often-repeated but seldom-exercised security postulate. The thought process involved in providing services to an untrusted network should not end at publishing the service -- that is really only the beginning. One must also design other layers of security around the service: firewall configurations, OS hardening, application filters, perimeter networks, etc. Only when a plan contains other measures of securing the service, measures in depth, does that plan begin to offer more robust security. Resolve to do so.

Envision the future, but secure the present.

I draw a fair amount of criticism for my typical "pro-Microsoft" opinions. There are those who think I'm obtuse for not seeing how the software "should" be, or not realizing the benefits of other operating systems or development models. That is not the case -- I'm just being a realist. While security professionals must always think towards the future and look to build a more secure tomorrow, we must also accept how things are today.

While we may all agree that any installation of a Microsoft product should be safe to deploy to the Internet right out of the box, that is just not the case today. We all know this -- so take responsibility for it. Learn to harden your installations. Learn to configure services for least privilege. Learn to use the tools you have to secure your systems. Don't let your lust for the future keep you from your present duty of diligence. Resolve to do so.

Don't just tell your users what to do, but get them to think the way you think.

Many administrators don't give their users the time of day; that's what NTP is for. But when it comes to security, most issues manifest themselves at the user level: opening attachments; using weak passwords; installing spyware; sharing sensitive information -- you know, general "shoot them in the head" stuff. To combat this, we normally just tell them what to do and what not to do without giving them much of anything else to go on.

I'm as guilty of this as anyone -- I normally do not go into too much detail as, to be honest, I just don't think they'll understand. But I think that ultimately does them a disservice, just like when parents respond to a child's "why?" with "because I told you so." I very well may regret saying this, but I think we should spend more time helping our users to better understand the "why" behind our requests if we are to expect them to really follow directions. Take time to share your thought process with your users when it comes to security. Try to get them to not only understand the ramifications of their actions, but to think about security in their everyday lives. Send out a monthly newsletter. Buy them "Beyond Fear." Spotlight and share success stories.

Ultimately, when the actions of a user cause the system to fail, it is our failure too. Let's try to bring our users to the next level by actually changing the way they think about security. We'll all be better off. Resolve to do so.

Explore new ways of reaching more people.

For the most part, the readers of this column are not the ones who need to know of its content. Most of the people who would derive the greatest benefit from discussions in security are not even in the loop. Normally, we wait for those who are interested to come to us (and then bash them as newbies), but I think this needs to change given today's Internet. We need to look outside of the "normal channels" used to convey security information.

For the last several years, every computer I have purchased has a nifty little pamphlet explaining how to use the keyboard so that I don't get Carpal Tunnel Syndrome, yet nothing tells me not to turn on File and Print Sharing, or not to install SQL Server on Internet facing machines. This has got to change. Maybe we should all have "ABC's of Security" sections on our websites. Maybe Dell should include a free "Guidelines to Security" booklet with every purchase of a new machine.

There are three groups of people out there:

1. Those who know what they are doing
2. Those who don't know what they are doing but are at least aware of the fact that they don't know.
3. Those who don't know what they are doing, and have no clue that they don't know.

The third group is the most dangerous, and the one we need to reach. I'm not sure exactly how to go about it, but we should all try to think of new ways to reach these people for their sake and ours. Resolve to do so.

May you all have a prosperous and secure 2004.

Copyright © 2004, SecurityFocus

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.
