Locking your door in 2004

Teach your users to think as you do



Opinion I've never been a big believer in "New Year's Resolutions." I figure if you're going to resolve to do something (or not do something), waiting for a new year to do it is really just an excuse to procrastinate, writes SecurityFocus columnist Tim Mullen.

But when I look back over the last year and consider some of the security issues we faced, I think that a few resolutions for this new year may just be appropriate: not only to keep us from making the same mistakes over again, but maybe to expand our sphere of influence and do the same for those around us as well. To many, these suggestions may seem obvious and even common -- however, the events of 2003 show us that they are not being adopted.

When deploying services, resolve to think about security in depth.

We really need to work on this often-repeated but seldom-exercised security postulate. The thought process involved in providing services to an untrusted network should not end at publishing the service -- that is really only the beginning. One must also design other layers of security around the service: Firewall configurations, OS hardening, application filters, perimeter networks, etc. Only when a plan contains other measures of securing the service, measures in depth, does that plan begin to offer more robust security. Resolve to do so.

Envision the future, but secure the present.

I draw a fair amount of criticism for my typical "pro-Microsoft" opinions. There are those who think I'm obtuse for not seeing how the software "should" be, or not realizing the benefits of other operating systems or development models. That is not the case -- I'm just being a realist. While security professionals must always think towards the future and look to build a more secure tomorrow, we must also accept how things are today.

While we may all agree that any installation of a Microsoft product should be safe to deploy to the Internet right out of the box, that is just not the case today. We all know this -- so take responsibility for it. Learn to harden your installations. Learn to configure services for least privilege. Learn to use the tools you have to secure your systems. Don't let your lust for the future keep you from your present duty of diligence. Resolve to do so.

Don't just tell your users what to do, but get them to think the way you think.

Many administrators don't give their users the time of day; that's what NTP is for. But when it comes to security, most issues manifest themselves at the user level: opening attachments; using weak passwords; installing spyware; sharing sensitive information -- you know, general "shoot them in the head" stuff. To combat this, we normally just tell them what to do and what not to do without giving them much of anything else to go on.

I'm as guilty of this as anyone -- I normally do not go into too much detail as, to be honest, I just don't think they'll understand. But I think that ultimately does them a disservice, just like when parents respond to a child's "why?" with "because I told you so." I very well may regret saying this, but I think we should spend more time helping our users to better understand the "why" behind our requests if we are to expect them to really follow directions. Take time to share your thought process with your users when it comes to security. Try to get them to not only understand the ramifications of their actions, but to think about security in their everyday lives. Send out a monthly newsletter. Buy them "Beyond Fear." Spotlight and share success stories.

Ultimately, when the actions of a user cause the system to fail, it is our failure too. Let's try to bring our users to the next level by actually changing the way they think about security. We'll all be better off. Resolve to do so.

Explore new ways of reaching more people.

For the most part, the readers of this column are not the ones who need to know of its content. Most of the people who would derive the greatest benefit from discussions in security are not even in the loop. Normally, we wait for those who are interested to come to us (and then bash them as newbies), but I think this needs to change given today's Internet. We need to look outside of the "normal channels" used to convey security information.

For the last several years, every computer I have purchased has come with a nifty little pamphlet explaining how to use the keyboard so that I don't get Carpal Tunnel Syndrome, yet nothing tells me not to turn on File and Print Sharing, or not to install SQL Server on Internet-facing machines. This has got to change. Maybe we should all have "ABC's of Security" sections on our websites. Maybe Dell should include a free "Guidelines to Security" booklet with every purchase of a new machine.

There are three groups of people out there:

1. Those who know what they are doing
2. Those who don't know what they are doing but are at least aware of the fact that they don't know.
3. Those who don't know what they are doing, and have no clue that they don't know.

The third group is the most dangerous, and the one we need to reach. I'm not sure exactly how to go about it, but we should all try to think of new ways to reach these people for their sake and ours. Resolve to do so.

May you all have a prosperous and secure 2004.

Copyright © 2004, SecurityFocus

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.
