I'm still amazed how most companies, even when they've been breached and their reputation has been ruined, fail to fight malicious hacking correctly. Instead, they erect security defenses that have little to do with the threats they're hoping to prevent.
Let me give you a common scenario: I frequently consult with large companies that have been the victim of APT (advanced persistent threat) attacks. Usually those attacks occur because one or more users were silently infected by a vulnerability that had a vendor patch. Unpatched Java is to blame in more than 50 percent of these cases, but common culprits include unpatched Adobe Acrobat, Windows, and so on. The other big risk is from users installing an app they shouldn't, such as a fake antivirus scanner, a fake disk defragger, or a bogus software driver.
[ Verse yourself in 10 crazy security tricks that actually work. | Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. | Keep up with key security issues with InfoWorld's Security Central newsletter. ]
Those two methods of attack far outstrip others you've heard about, including SQL injection, password guessing, worms, and man-in-the middle attacks. But guess what? Companies typically spend their time and money on defenses that ignore the obvious.
Dude, you're defending it wrong
Why? Usually because some "expert" -- a vendor with a product to sell or someone on staff who reads too many security journals -- is telling them to install advanced firewalls, IDS scanners, multifactor authentication log-ons, and a myriad of other solutions that will not work.
I ask them: Would the millions of dollars you plan to spend on those elaborate solutions have saved you from the attack you just suffered? In most cases, the real answer is a resounding no. But what I usually get is "yes" or "maybe not, but it would make it harder on the attacker."
This slays me. I ask them to tell me exactly how what they are proposing would have stopped the attackers. Walk me through the steps! The folks proposing other solutions are then forced either to exaggerate the capability of their favorite whizzy defense system -- or they begin fumbling in embarrassment.
Yet just about every customer I've dealt with keeps wasting money on new pet projects, rather than focusing on the basics that will really work to reduce risk. I keep hoping and waiting.