Years ago I enrolled in one of the best classes on computer security I've ever taken. It was given by SANS Institute and taught by instructor Eric Cole. What made the class so good was that he taught about data and program segmentation, which is a topic he continues to evangelize about to this day.
That class applied the segmentation idea to Microsoft's Internet Information Service and discussed how data of different types and risk categories should be stored in separate folder locations with separate security permissions. Most Web programmers put all the files for a particular website under one main folder. Cole taught that it made more security sense to create folders based upon security classifications, and to place each piece of content into the appropriate security folder.
[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]
It made so much sense that it was earth-shaking. I've never encountered those recommendations in any other Web programming class, even though it's a common-sense application of the "least privilege" principle.
I took a few more classes from Cole over the years, bought his books, and followed his career as he earned a Ph.D. and became founder and chief scientist at Secure Anchor Consulting.
It's taken me a while, but I felt it was finally time to interview Cole, who has been with SANS for 13 years and still serves as an instructor. He also consults for clients, focusing on improving network architectures so they can defend against advanced threats. We began by talking about his work with clients to turn products into solutions that focus on the right areas to stop attackers.
Roger A. Grimes: Where are you focusing in your work with clients?
Eric Cole: Better segmentation. End-user systems are segmented from the critical data. Most networks are fairly flat, so when a computer gets compromised the threat can easily spread. The external threat is the source of a lot of problems, but the cause of the compromise is the incidental/accidental insider.
The client systems are the new DMZ. We need to separate the client systems away from the data. That way the amount of damage they can do is minimized. The key goal is inbound prevention and outbound detection.
Grimes: How much of a role does end-user education play?
Cole: End-user education is a good thing. End-user awareness is necessary. But awareness is only part of the solution.
You need to set up your users for success because some of the phishing emails are so good that it's hard for anyone to figure out if it's real or not. At the same time, you want to educate -- you don't want to inhibit an employee from doing their legitimate job. If you tell them not to click on entire classes of content, you'll block too much good stuff as well.