Effective security isn't easy, but it is possible

Free Newsletters

Log-in | Register

SECURITY ADVISER

Effective security isn't easy, but it is possible Are you willing to do what it takes to truly secure your company's systems -- no matter how unpopular the solution?
By Roger A. Grimes July 06, 2006			E-mail Printer Friendly Reprints Slashdot It!

Last week, the curmudgeon in me had a bad day. After reading about new exploit after new exploit while people keep recommending the same old security solutions, I lost it.

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

Sponsored by Microsoft

See, I’ve been doing computer security for 20 years now. And believe it or not, it’s not rocket science. Nor is it impossible. It only takes focus and commitment.

Here are the most effective security solutions you can implement, in order of effectiveness:

Do not allow end-users to run or install unauthorized software programs. I don’t care how you do it, just accomplish it. Your resistance to this single recommendation is the reason why you have to do everything else.

Don’t put unnecessary software on the authorized software list. This means Flash, Real Player, and iTunes all go.

Implement deny-by-default policy everywhere you can. Don’t just block 20 file attachment types at the network perimeter; block them all, and only allow a few.

Don’t allow your end-user to be logged in as Administrator or root. If your application software doesn’t support it, get new applications, or run them in a desktop VM.

Automate comprehensive patching. Not just the OS, but for all software.

Convert all inbound e-mail to plaintext by default.

Enforce long passwords (15 characters or more). Forget complexity: Go long and throw complexity out the door. Or go two-factor.

Encrypt all confidential data by default.

Spend less money on new security software and more money on reviewing the basics. Do you have a list of every file share in your company, and who has what access? What are the permissions on all host- and network-based resources? Is the practice of least privilege followed? Are non-needed services turned off?

Lastly, hack and audit your own network on a regular basis.

I’m sure many of my readers will see much of this advice as impractical, especially the first recommendation. If you see the first recommendation as unworkable in a real company, if you think end-users wouldn’t stand for it, if you think management wouldn’t stand for it -- you’re wrong.

There are many companies -- small and large, five-person businesses and Fortune 100 conglomerates -- that follow these rules. And they live without a world of malware and malicious hackers. When I visit them, they tell me that it’s been years since a significant malicious event happened to their environments. Each of the security managers could tell you that they felt the same way as you do now when they started tightening down their environments -- their management teams, and even IT teams, rebelled when the new, seemingly draconian measures were suggested. The new recommendations were fought and sabotaged.

But the real security leaders prevailed. New rules were put in place, and employees were retrained. Company-authorized images were deployed and mandated. Employees trying to circumvent company policy or installing unauthorized software were fired. Sometimes even the IT security guys got fired. The rules apply to everyone.

And each company implementing the “impossible” recommendation is now more secure and spends less on security. Standardized, controlled images mean fewer worries, fewer problems, and fewer breakdowns. These companies don’t worry significantly about hackers, malware, spyware, or phishing attacks. While everyone is being attacked by the latest popular worm, they are reading about it as unexciting news.

Each of these security-empowered companies was once just like your company. Each felt that the tough security measures listed above were impractical. If you asked their employees whether they're happy they can’t install just any software program on their system, most would say no. But ask whether they want to go back to the old way -- security protection that didn’t work -- and you won’t get a single taker.

Your company will eventually do what I suggest above. All that matters is when it will happen and whether you’ll be a part of the process or a roadblock to security success.

E-mail

Printer Friendly

Reprints

Slashdot It!


	InfoWorld Test Center Contributing Editor Roger A. Grimes is a Foundstone Ultimate Hacking instructor/consultant teaching Windows, Linux, Unix, and Solaris security. • More of Roger A. Grimes' column Newsletter Check out all of our free newsletters! Enter e-mail address:

TOP NEWS:

» Troubleshooting tool for Java offered
Sun's Java VisualVM open-source technology views apps while they run on a JVM and is billed as all-in-one solution

» Python backing eyed for NetBeans
Scripting language capabilities of the open-source IDE continue to expand

» Microsoft sets Windows XP SP3 automatic download for Thursday
The latest service pack for Windows XP will be pushed to Automatic Update at 7a.m. EDT on July 10

» Real Software, Veryant bolster dev tools
RealBasic, Cobol apps platforms get improvements

» Microsoft sets hosted-services pricing, irks partners
By offering 38 percent discount to customers who buy entire hosted business productivity suite, Microsoft undercuts partners selling similar services

» Adobe readying new mashup tool for business users
Mashup interface code-named 'Genesis' will open up desktop 'workspace' combining business application data, documents, analytics, and instant messaging

What Every Enterprise Needs to Know About VDI
Today's enterprise IT environment is already complex, and replete with heterogeneous technologies. Attend this informative webcast to understand the key components for deploying and managing virtual desktop infrastructure in your environment. Sponsor: VDIworks

» Click here to view this Webcast

Zombie PCs Are Attacking Your LAN
A recent study showed that malware-infected zombie PCs are now a bigger threat to ISPs and Web infrastructure than DoS attacks. As this brand new IT Strategy Guide explains, an increased use of peer-to-peer techniques by the attackers has made it harder to fight back. Download now, compliments of Verio:

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

A Guide to Rich Internet Application (RIA) Security - Read about Forrester's findings on RIA security included in a Forrester Research paper valued at $775 titled "Securing Rich...
Disaster Recovery in Minutes - This paper describes a complete disk-based system recovery solution for Microsoft Windows based servers, desktops, and laptops...
Protecting Microsoft(R) Applications - Microsoft Exchange, SQL, Active Directory, and SharePoint have quickly risen to mission-critical status in many companies...
Reduce Recovery Times and Tape Costs - Today's enterprises face a data protection challenge: how to optimize the backup and recovery of business-critical data ...
Secure, recover, and archive critical information - Today's businesses must keep their infrastructures up and running 24x7. That means that the physical systems, the operating...
Consolidating Workloads onto Mainframes - The flexibility, efficiency, and reduced cost of ownership virtualization provides makes it extremely compelling to large...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

FIND PRODUCTS AND COMPANIES

» COMPLETE PRODUCT GUIDE

TECHNOLOGY INDEX

• Applications
• Application Development
• Security
• Networking
• Wireless
• Platforms
• Hardware
• Data Management
• Storage
• Web Services
• Business
• Telecom
• Professional Services
• Standards

TECH WATCH

What's the 411 on GOOG-411?
Just as Google has become synonymous with "performing a Web search," 411 is understood to mean "information" -- as in "what's the 411?" I was thus surprised to discover, from a billboard, no less, that the king of search is taking on the ...

Apple HTML source reveals 'iPhone Extreme'
"This one's a stretch..." reports AppleInsider. Um, yeah. Reporting on HTML code sightings of product names could be called a stretch, but iPhone Extreme has a ring to it. Now, that sounds like the product Apple should have released first, rather ...

COLUMNISTS

Unified under law

(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...

» MORE COLUMNISTS

MORE INFOWORLD BLOGS

Open Sources

Product Management
When I joined MySQL four years ago, there was quite a lot of debate about product management. We didn't actually have ...

Zero Day

Botnet herders tending smaller flocks
New research backs up the theory that botnet operators are keeping their networks smaller in a continued effort to keep ...

• Advice Line
• Database Underground
• The Deep End
• Enterprise Mac
• Geeks in Paradise
• Grid Meter
• The Gripe Line
• InfoWorld Daily
• Inside IT
• IT Troubleshooter
• ITXtreme
• Open Sources
• ProdBlog
• Real World SOA
• Reality Check
• Security Adviser
• SMB IT
• The Storage Network
• Tech Watch
• Virtualization Report
• Zero Day

RESOURCE CENTER	advertisement
Ads by techwords beta See your link here

GOVERNMENT IT & POLICY
•	'If you don't go after the network, you're never going to stop these guys. Never.'
•	From the State Department, All the News for Inquiring Minds
•	TechPresident, the Internet Citizenry's New Consensus Taker

Sponsored Technology Links
CA - Efficient - Flexible - Compliant PGP - Is Your Data Safe? Novell, IBM, and Intel - Solution for Open Virtualization Provides Server Consolidation Curl - IT Guide: Rich Internet Application (RIA) Security HP/Intel - If you don't have enough I/O, your VMs aren't going to go. Symantec - Whitepaper: Secure, recover, and archive critical information Microsoft - {Open Source} Heroes Happen Here Symantec - Whitepaper: Protecting Microsoft(R) Applications Riverbed - Five Ugly Truths about WAFS and Caching InterSystems - Use Ensemble - quickly create composite applications. AT&T - Factors to consider when comparing DSL or Cable Cirba - Advanced Workload Analysis Techniques Rackspace - Go Green Without Sacrificing Server Performance CA - Manage your IT more effectively. AT&T - Measuring mobile productivity AT&T - Thinking about IMS CA - Plan IT better, Manage IT better. AT&T - Refine your company's plan for a Business Disruption Event AT&T - Going mobile with today's technology Cirba - Consolidating Workloads onto Mainframes AT&T - What to expect from a Technology Assessment.		AT&T - Class of Service: Myths and Misconceptions AT&T - Enhancing security through Quantum Cryptography Riverbed - Wide Area Data Services Microsoft - Microsoft Forefront makes defending your systems easier. Learn how. HP - Explore the interactive whitepaper: Rightsizing Blades for the mid-market. Symantec - Webcast: Beyond AntiVirus AMD - Renowned Engineering Institution Chooses AMD Processor-Based Servers AMD - Watch this flash demo of the Quad-Core AMD Opteron Processor EMC - EMC and VMware help you build your virtualized infrastructure. AMD - HP and Oracle deploy unbreakable computing infrastructure Qwest - Learn how Qwest voice and data solutions can save you time. MKS - The Power of UNIX/Linux on Windows with MKS Toolkit Vision Solutions - Is your smaller organization ready for High Availability? Vision Solutions - Is system maintenance doing more harm than good? HP - NEW HP LaserJet P4014n printer Starting at $699 after $100 IS. HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW HP - Speed, agility, flexibility - The HP BladeSystem c-Class. Vkernel - Resolve Capacity Bottlenecks and Enhance Your Virtual Environment Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist