Last week, I discussed the three biggest mistakes senior management makes in computer security. This week, let's examine the three biggest mistakes computer security engineers commit -- and have to answer for when they deal with senior management. You'll notice a resemblance between last week's post and this installment. No coincidence there; the issues are similar, though they differ in the details.
Let's take a look at the problems.
IT security's misplaced focus
Rarely is the entire IT team focused on preventing the malicious agents that actually cause exploitation. In part that's because the incentive is weak: No one gets credit for a breach that never occurs, although if your ducks are in a row, you might avoid blame when the bad guys wreak havoc.
In fact, fighting malicious hackers and malware requires a sustained effort. It's war, so you need to approach the task with a battle mentality. A good general evaluates all the threats in the battlefield, assigns priorities, and attacks the biggest ones first. In the IT security world, it seems as if we all acknowledge the biggest threats, then fight side skirmishes and wonder why we aren't winning the battle.
What is the biggest threat? In most environments, it's people running software they shouldn't, such as Trojan horse programs. They visit a website they trust and get prompted to run or install an innocent-looking agent that turns out to be malicious. Or they get a realistic-looking phishing email that tricks them into running a program or revealing their logon credentials.
If this is the case in your environment -- and it probably is -- you need to start by updating your end-user education material. Does your end-user education curriculum tell your users they're most likely to be infected by visiting a website they trust? Does it tell them to never click on a link sent by an external vendor asking them to verify their logon credentials? Does it tell them that fake antivirus software abounds and show them a picture of what their legitimate antivirus program looks like? Do you run tests that gauge users' reaction to simulated real-world threats with "phish-me" type programs?
Maybe -- but more likely, your end-user education program (if you have one) is still responding to last decade's threats, such as computer viruses, rogue email attachments, macro viruses, and the hazards of "untrusted" websites. Most end-user education programs tend to be a side job for one employee. If senior management and IT engineers put the right amount of resources into end-user education, the department would probably be bigger and have more overall sway in the IT environment.
Whatever your biggest exploitation problem, focus there. Spend the money, resources, and human capital needed to tackle your largest roadblock first, then work your way down the list of threats. Communicate the biggest threats to senior management, and fight those battles in the trenches week after week. Most important, tell your users to never hesitate to call IT security if they think they've done something wrong or potentially risky -- and assure them that they won't get in trouble for being proactive.
I've yet to run a patch-checking program on a computer that was fully patched. I frequently go to companies and hear all about their wonderful, automated, timely patch management systems. Then, when I audit the first computer, it's missing patches. Usually they've patched Windows and its applications, but not all the browser plug-ins. Java and Adobe Acrobat Reader are notorious for falling behind, but it isn't just them. On servers, I frequently find outdated server management software, known-to-be-vulnerable versions of backup services, and myriad unnecessary programs (if you don't need it, get rid of it).
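The gap described above, where the OS patching tool reports a clean bill of health while browser plug-ins and third-party applications lag behind, is easy to check for yourself. The PowerShell script below is an added example for this column, not something from the article or from any patch management vendor. It enumerates installed programs from the standard Windows uninstall registry keys and flags any whose version is below a minimum you set. The product name patterns and minimum versions in `$Baseline` are placeholders (the column names Java and Adobe Acrobat Reader as frequent offenders); replace them with the versions your own patch baseline requires.

```powershell
# Added example (not from the column): audit installed third-party software
# against a minimum-version baseline, using the Windows uninstall registry keys
# that most inventory tools read. Run on the endpoint you are auditing.

# Placeholder baseline: name substring -> minimum acceptable version.
# Fill in the versions your patch policy actually requires.
$Baseline = @{
    'Java'          = '8.0'    # placeholder version
    'Adobe Acrobat' = '23.0'   # placeholder version
    'Adobe Reader'  = '23.0'   # placeholder version
}

# Machine-wide (64-bit and 32-bit views) and per-user install locations.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    # Return every entry that carries both a display name and a version.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

function Test-Outdated {
    # Return a finding string when the program matches a baseline entry and is
    # below the required version, or has a version string that cannot be parsed.
    param([string]$Name, [string]$Version)
    foreach ($pattern in $Baseline.Keys) {
        if ($Name -like "*$pattern*") {
            try {
                $installed = [version]$Version
                $required  = [version]$Baseline[$pattern]
            } catch {
                # Vendors sometimes ship version strings System.Version cannot
                # parse; surface those for manual review rather than skipping them.
                return "unparsable version '$Version'"
            }
            if ($installed -lt $required) { return "below baseline $required" }
            return $null
        }
    }
    return $null
}

# Emit one object per finding so the output can be piped to Export-Csv or Format-Table.
foreach ($app in Get-InstalledSoftware) {
    $verdict = Test-Outdated -Name $app.DisplayName -Version $app.DisplayVersion
    if ($verdict) {
        [pscustomobject]@{
            Name    = $app.DisplayName
            Version = $app.DisplayVersion
            Finding = $verdict
        }
    }
}
```

Run it on a handful of machines the patch management console says are fully patched; any output is a program the console is not tracking. The script reports on versions only, so it belongs next to, not instead of, a vulnerability scanner that maps versions to known issues, but it is a fast way to find the Java and Reader installs that never made it into the automated process in the first place.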