Everything I know about computer security I learned in kindergarten
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Mar 2014 17:56:27 -0700
After more than 25 years as a computer security consultant, I've learned
that the "secret" to good computer security is to do the simple things that
we all know we should be doing better. The more I'm considered an "expert,"
the more I realize that almost any child could tell the world how to
With apologies to Robert Fulghum, author of the perennially best-selling
book, "All I Really Need to Know I Learned in Kindergarten," here's my
attempt to share the simple truths of good computer security.
We are more alike than different
Every company I visit thinks it's terrible at computer security, and truth
be told, that's usually correct. They also believe other companies are
doing security a lot better than they are, and they want to learn their
protection secrets of success. Based on my experience consulting with the
world's leading companies, this inquiry pops up most frequently: "How is
company X doing computer security?"
The reality is, with few exceptions, every company I've visited does a bad
job at computer security. Every company does a few things very well, a few
things OK, and most things horribly. They don't patch well, they don't do
event monitoring right, and they spend the majority of their time
concentrating on projects that will not reduce risk by much.
They also share the same outcome: They can be exploited at will by any
motivated hacker. If there is any comfort in the computer industry, perhaps
it's that everyone is as bad as your company at stopping malware and
Everyone is dealing with successful malware exploits, APT attacks,
stolen intellectual property, and network cleanups. They're all
desperately trying to figure out how to decrease the badness. No one, not
even me, has it all figured out. No "experts" can legitimately guarantee
you that if you do X, Y, and Z, the badness will be gone.
Talk to your friends
If there is a hidden jewel in this ugly situation, it's that a lot of
people and companies are going through the exact same ordeal. They're
trying all sorts of strategies and tactics, with varying levels of success.
They also want to learn what you're doing and share their own successes and
Many companies have reached out to other companies in their industry,
formed informal coalitions, and shared their experiences. They share goals,
projects, and vendor stories, and they establish formal networks. If they
need help, they can quickly reach out to each other. If you or your company
doesn't belong to a similar group, consider joining one or forming your own.
If it hurts, stop doing it
Little kids usually touch a hot stove only once. The single biggest problem
in computer security is that most companies aren't very good at figuring
out how they are hurting. It's as if they're constantly touching a hot oven
and wondering why they keep getting burned.
For example, most companies are very bad at patching, though better
patching is the single step they could take to decrease risk most. The
majority of companies know patching is a challenging problem, but don't
understand, percentage-wise, how often unpatched software is responsible
for exploits entering their environment. They don't fix it well enough --
then wonder why they keep getting burned.
Break the cycle. Investigate and find out your company's top three
problems. Then form task forces and work to remediate the major issues.
Everything else should take a backseat. Stop touching the stove.
Routines are good
Going to sleep at the same time every night contributes to a better night's
rest and a more productive day. Routines are good for security, too;
hackers love targets that lack them. They are irresistibly attracted to
companies that are inconsistent in their application of computer security
defenses. In most companies, even computers performing the same role are
configured and protected differently. They drift away from a common
standard over time for a variety of reasons.
Want to sleep better at night? Enforce consistency. Make sure computers
performing the same roles have (as much as possible) the same
configurations, same patches, and same computer security defenses.
Every company where I perform security audits ends up with dozens and
dozens of findings and recommendations. I know the companies that enjoy
more consistency will have a better chance of implementing my
recommendations. The inconsistent ones have to become consistent before
they can implement fixes effectively.
Good communication is the key to healthy relationships
Part of why companies do such a bad job at computer security is the lack of
good communications. For example, if someone actually knows the most common
way a company is exploited, do they share it with the crew? It seems silly,
but I'm constantly amazed at how often almost nobody in the company
understands the top problems or the extent of the damage.
I often interview computer security staff, executives, and regular
employees, asking: "What is the No. 1 way hackers break into your company?"
Rarely do I hear the right answer. When I do, I wonder why this one person
knows it and no one else does. If so few know the right problems, how can
the company make a concerted effort to solve them?
Identify the top problems in your company and share them with everyone.
Don't assume everyone knows what you do and is working on solving the
biggest problems first. Usually, they don't and they aren't.
Apologize if you hurt others
If your company is responsible for protecting other people's important
digital information, and that information is compromised, apologize right
away, even if you're not legally required to do so. Don't delay the
notification or, worse, try to keep the intrusion under wraps. Secrets
never remain secret, and waiting too long can only cause more anger (and
potential lawsuits). Being quick to apologize, staying honest, and
promising to try your best never to do it again goes a long way toward
regaining lost trust.
There are lots of other recommendations I can make using the kindergarten
analogy. But I want to hear the creative ones you can come up with. Anyone
want to raise their hand?
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/