Who doesn't love that scene in "A Few Good Men" in which Jack Nicholson's character tells Tom Cruise's character, "You can't handle the truth. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom I provide, and then questions the manner in which I provide it. I would rather you just said 'Thank you' and went on your way."
I often feel like I'm acting out that scenario when speaking to CIOs and senior security leaders. They want me to tell them how to stop hackers and malware from invading their environments. Usually I'm consulting on some multitiered firewall/proxy/security solution aimed at protecting back-end databases. We talk about packet-inspecting firewalls, intrusion detection, two-factor authentication, and all sorts of high-tech defensive solutions that add several layers to their defense-in-depth protection.
[ The shortest distance between professional malware and your company's data is an unpatched Web browser. See the InfoWorld Test Center guide to browser security. ]
Then I say something like, "That's all great, but it won't work." I usually have their attention by then.
Next, I throw out the inconvenient truths:
- Most of today's security risk in the average computing environment comes from "drive-by downloads" -- that is, trusted insiders get infected by Trojan software that they were tricked into installing.
- If you allow your end-users to install any software they want, then your risk of security exploitation is high.
- Even if you are fully patched and the software you run contains zero bugs (this is never true), it barely decreases the risk from drive-by downloads.
- Most malware and malicious hackers are criminally motivated and seek monetary gain.
- End-user education is highly overrated and will fail.
- Your firewall, your anti-malware software, and your IDS will fail.
How to handle the truth
This is not to say that defense-in-depth and all that other good stuff shouldn't be done. But the risk from reckless end-users unwittingly executing Trojans and installing their own software is so high that all the other intrusion methods and their resulting mitigations are but a small percentage of the overall attacks in the wild. The intruder doesn't have to worry about all your perimeter defenses and fancy log-on techniques because the trusted end-user escorts him through. Most of the big online heists you read about don't occur because the attacker compromised some Web server or database from the Internet. No, the attacker simply uses an insider's legitimate access to explore the network, find juicy targets, download data, and implant other malware.