I will confess up front that many of you will struggle to find the fun in good information security. It is easier for me, having been born a nerd of sorts, but I recognize most people have a long list of things they would rather do, perhaps including watching paint dry. If you will stay with me until the end, I will explain where the fun comes in.
In the business world today, the market for security products and services is exploding. It seems like we hear an announcement every week about a wonderful new security product that is going to make the information security world a safer place. As I read each of these announcements, my eyes tend to roll back in my head, because I realize that, well intentioned though they may be, they will not solve the primary problems we face in the industry. The good news is that the solution to our problems is more basic. The bad news is that we can't just solve them by throwing money at a fantastic new product.
Taking apart the FBI situation, however, a different picture unfolds. Their systems and data appear to be well protected. Their people with access to key data are certainly well trained. They use a strong two-factor authentication system for logins. The weak link in their security that was exploited to breach their systems appears to have been their overly helpful help desk.
As we are led to believe, a bad actor obtained an employee user id, called the help desk, and explained that he was new and had not yet received his two-factor token. They were kind enough to give him a one-time password pending the arrival of the additional component, and thus the FBI was breached.
The weakness in the FBI’s extensive security plan was very fundamental: their help desk should not have been giving out access information so easily. Since I myself am not without sin in this area, I am reluctant to throw stones at the FBI help desk. I have on occasion broken the rules I wrote in order to help out one of my users. I suspect many of you reading this have done the same thing. Thus, as the title of this article implies, our primary security issues do not stem from the lack of the latest expensive new gadget, but rather from fundamental errors and failures. Here are some other examples:
Email – how many times have we been told not to open unknown attachments or click on unfamiliar links? Despite this, a large percentage of current security breaches began with such an action.
Passwords – we all know we need strong passwords, of sufficient length and without dictionary words. We know that we should not reuse the same password on multiple systems, so one breach does not lead to another. And yet, 4.1% of passwords in a recent study were set to “123456”.
Social engineering – many of us are aware that someone may call, claiming to be someone else, hoping to gain useful information. Some years ago, a common phone system vulnerability had people calling receptionists, claiming to be the phone vendor, and asking to be transferred using a “special” code that would ultimately grant them system access. Social engineering is far from new, and yet, even the FBI is falling for the tactic.
The PC – each PC, or endpoint, as they are often known, can be a hole in network security. They must be patched up to date, have current anti-virus software and signatures, and run a secure web browser. Each time I visit a new client, however, I find an appalling number of PCs that have none of the above, many in regulated environments.
After considering the above examples, I hope you will see my point, that good security is within our grasp, and it does not necessarily involve the expenditure of large amounts of cash. Neither can it be obtained by some fancy new product that promises to solve the world’s security ills with the flip of a switch.
All we have to do to fix a large percentage of our security problems is to follow the fundamentals we already know. Just addressing all of the items on the above list will render your organization far less likely to suffer a successful attack.
Sure, hackers will still occasionally find a way in despite our precautions. We can't afford to be paralyzed with worry about those. That is what insurance is for. All we can do is address the issues within our grasp.
Now, imagine a world where you are faithfully executing all of the security fundamentals, and can focus on your business, your family, and your life. Fun, right?