Locking your door in 2004

Teach your users to think as you do


Opinion I've never been a big believer in "New Year's Resolutions." I figure if you're going to resolve to do something (or not do something), waiting for a new year to do it is really just an excuse to procrastinate, writes SecurityFocus columnist Tim Mullen.

But when I look back over the last year and consider some of the security issues we faced, I think that a few resolutions for this new year may just be appropriate: not only to keep us from making the same mistakes over again, but maybe to expand our sphere of influence and do the same for those around us as well. To many, these suggestions may seem obvious and even commonplace; however, the events of 2003 show us that they are not being adopted.

When deploying services, resolve to think about security in depth.

We really need to work on this often-repeated but seldom-exercised security postulate. The thought process involved in providing services to an untrusted network should not end at publishing the service; that is really only the beginning. One must also design other layers of security around the service: firewall configurations, OS hardening, application filters, perimeter networks, and so on, so that a flaw in the service itself does not hand an attacker the whole host or the network behind it. Only when a plan contains other measures of securing the service, measures in depth, does that plan begin to offer more robust security. Resolve to do so.

Envision the future, but secure the present.

I draw a fair amount of criticism for my typical "pro-Microsoft" opinions. There are those who think I'm obtuse for not seeing how the software "should" be, or for not realizing the benefits of other operating systems or development models. That is not the case; I'm just being a realist. While security professionals must always think towards the future and look to build a more secure tomorrow, we must also accept how things are today.

While we may all agree that any installation of a Microsoft product should be safe to deploy to the Internet right out of the box, that is just not the case today. We all know this, so take responsibility for it. Learn to harden your installations. Learn to configure services for least privilege, so that each service runs under an account that can do only what the service needs and nothing more. Learn to use the tools you have to secure your systems. Don't let your lust for the future keep you from your present duty of diligence. Resolve to do so.

Don't just tell your users what to do, but get them to think the way you think.

Many administrators don't give their users the time of day; that's what NTP is for. But when it comes to security, most issues manifest themselves at the user level: opening attachments; using weak passwords; installing spyware; sharing sensitive information -- you know, general "shoot them in the head" stuff. To combat this, we normally just tell them what to do and what not to do without giving them much of anything else to go on.

I'm as guilty of this as anyone -- I normally do not go into too much detail as, to be honest, I just don't think they'll understand. But I think that ultimately does them a disservice, just like when parents respond to a child's "why?" with "because I told you so." I very well may regret saying this, but I think we should spend more time helping our users to better understand the "why" behind our requests if we are to expect them to really follow directions. Take time to share your thought process with your users when it comes to security. Try to get them to not only understand the ramifications of their actions, but to think about security in their everyday lives. Send out a monthly newsletter. Buy them "Beyond Fear." Spotlight and share success stories.

Ultimately, when the actions of a user cause the system to fail, it is our failure too. Let's try to bring our users to the next level by actually changing the way they think about security. We'll all be better off. Resolve to do so.

Explore new ways of reaching more people.

For the most part, the readers of this column are not the ones who need to know of its content. Most of the people who would derive the greatest benefit from discussions in security are not even in the loop. Normally, we wait for those who are interested to come to us (and then bash them as newbies), but I think this needs to change given today's Internet. We need to look outside of the "normal channels" used to convey security information.

For the last several years, every computer I have purchased has come with a nifty little pamphlet explaining how to use the keyboard so that I don't get Carpal Tunnel Syndrome, yet nothing tells me not to turn on File and Print Sharing, or not to install SQL Server on Internet-facing machines. This has got to change. Maybe we should all have "ABC's of Security" sections on our websites. Maybe Dell should include a free "Guidelines to Security" booklet with every purchase of a new machine.
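As an added example (not part of the original column), here is the kind of check the "harden your installations" and "don't expose File and Print Sharing or SQL Server" advice above boils down to in practice: a small script that reads the output of Windows `netstat -an` and flags the File and Print Sharing ports (NetBIOS session on TCP 139, SMB on TCP 445) and the SQL Server ports (TCP 1433, UDP 1434) when they are bound to a reachable address rather than loopback only. The netstat output embedded below is constructed for the example; the function name and port descriptions are this example's own.

```python
"""Audit a Windows host's listening sockets for services that should never
face the Internet: File and Print Sharing (NetBIOS/SMB) and SQL Server.

Input is the text of `netstat -an` (Windows format). The sample at the bottom
is constructed for this example, not captured from a real machine.
"""
import ipaddress
import re

# Ports the column tells readers not to expose. The port numbers are the
# documented defaults for these services; the descriptions are this example's.
RISKY_PORTS = {
    ("tcp", 139): "NetBIOS session service (File and Print Sharing)",
    ("tcp", 445): "SMB over TCP (File and Print Sharing)",
    ("tcp", 1433): "SQL Server default instance",
    ("udp", 1434): "SQL Server resolution service (instance browser)",
}

# Windows `netstat -an` rows look like:
#   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
#   UDP    0.0.0.0:1434           *:*
_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+(?:\s+(?P<state>\S+))?",
    re.IGNORECASE,
)


def _is_exposed(addr):
    """True if a bind address is reachable from off the box
    (all interfaces, or any non-loopback IP)."""
    if addr in ("0.0.0.0", "::", "*", "[::]"):
        return True
    try:
        return not ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        # Unrecognised address form: report it rather than silently pass it.
        return True


def find_exposed_services(netstat_output):
    """Return [(proto, port, bind_addr, description), ...] for risky listeners
    bound to a reachable address. Loopback-only binds and non-listening TCP
    rows (ESTABLISHED, TIME_WAIT, ...) are ignored."""
    findings = []
    for line in netstat_output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, blank, or otherwise not a socket row
        proto = m.group("proto").lower()
        port = int(m.group("port"))
        addr = m.group("addr")
        state = (m.group("state") or "").upper()
        if proto == "tcp" and state != "LISTENING":
            continue  # an outbound SMB connection is not an exposed listener
        key = (proto, port)
        if key in RISKY_PORTS and _is_exposed(addr):
            findings.append((proto, port, addr, RISKY_PORTS[key]))
    return findings


# Constructed sample: one host with SMB on all interfaces, NetBIOS on a LAN
# address, SQL Server correctly bound to loopback, and the SQL browser exposed.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:445       203.0.113.9:3121       ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    127.0.0.1:1900         *:*
"""

if __name__ == "__main__":
    for proto, port, addr, desc in find_exposed_services(SAMPLE_NETSTAT):
        print(f"{proto}/{port} bound to {addr}: {desc}")
```

On the sample, the script reports TCP 445 on 0.0.0.0, TCP 139 on 192.168.1.20 and UDP 1434 on 0.0.0.0, and stays quiet about SQL Server on 1433 because it is bound to loopback only. A listener bound to a LAN address is still flagged: whether that interface is Internet-facing is exactly the question the host's owner should be asking, and the script cannot answer it for them.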

There are three groups of people out there:

1. Those who know what they are doing
2. Those who don't know what they are doing but are at least aware of the fact that they don't know.
3. Those who don't know what they are doing, and have no clue that they don't know.

The third group is the most dangerous, and the one we need to reach. I'm not sure exactly how to go about it, but we should all try to think of new ways to reach these people for their sake and ours. Resolve to do so.

May you all have a prosperous and secure 2004.

Copyright © 2004, SecurityFocus

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.
