Effective security isn't easy, but it is possible

Free Newsletters

Log-in | Register

SECURITY ADVISER

Effective security isn't easy, but it is possible Are you willing to do what it takes to truly secure your company's systems -- no matter how unpopular the solution?
By Roger A. Grimes July 06, 2006			E-mail Printer Friendly Reprints Slashdot It!

Last week, the curmudgeon in me had a bad day. After reading about new exploit after new exploit while people keep recommending the same old security solutions, I lost it.

Free IT resource

TechNet: More ways to know it, share it, and keep it running.

Sponsored by InfoWorld

See, I’ve been doing computer security for 20 years now. And believe it or not, it’s not rocket science. Nor is it impossible. It only takes focus and commitment.

Here are the most effective security solutions you can implement, in order of effectiveness:

Do not allow end-users to run or install unauthorized software programs. I don’t care how you do it, just accomplish it. Your resistance to this single recommendation is the reason why you have to do everything else.

Don’t put unnecessary software on the authorized software list. This means Flash, Real Player, and iTunes all go.

Implement deny-by-default policy everywhere you can. Don’t just block 20 file attachment types at the network perimeter; block them all, and only allow a few.

Don’t allow your end-user to be logged in as Administrator or root. If your application software doesn’t support it, get new applications, or run them in a desktop VM.

Automate comprehensive patching. Not just the OS, but for all software.

Convert all inbound e-mail to plaintext by default.

Enforce long passwords (15 characters or more). Forget complexity: Go long and throw complexity out the door. Or go two-factor.

Encrypt all confidential data by default.

Spend less money on new security software and more money on reviewing the basics. Do you have a list of every file share in your company, and who has what access? What are the permissions on all host- and network-based resources? Is the practice of least privilege followed? Are non-needed services turned off?

Lastly, hack and audit your own network on a regular basis.

I’m sure many of my readers will see much of this advice as impractical, especially the first recommendation. If you see the first recommendation as unworkable in a real company, if you think end-users wouldn’t stand for it, if you think management wouldn’t stand for it -- you’re wrong.

There are many companies -- small and large, five-person businesses and Fortune 100 conglomerates -- that follow these rules. And they live without a world of malware and malicious hackers. When I visit them, they tell me that it’s been years since a significant malicious event happened to their environments. Each of the security managers could tell you that they felt the same way as you do now when they started tightening down their environments -- their management teams, and even IT teams, rebelled when the new, seemingly draconian measures were suggested. The new recommendations were fought and sabotaged.

But the real security leaders prevailed. New rules were put in place, and employees were retrained. Company-authorized images were deployed and mandated. Employees trying to circumvent company policy or installing unauthorized software were fired. Sometimes even the IT security guys got fired. The rules apply to everyone.

And each company implementing the “impossible” recommendation is now more secure and spends less on security. Standardized, controlled images mean fewer worries, fewer problems, and fewer breakdowns. These companies don’t worry significantly about hackers, malware, spyware, or phishing attacks. While everyone is being attacked by the latest popular worm, they are reading about it as unexciting news.

Each of these security-empowered companies was once just like your company. Each felt that the tough security measures listed above were impractical. If you asked their employees whether they're happy they can’t install just any software program on their system, most would say no. But ask whether they want to go back to the old way -- security protection that didn’t work -- and you won’t get a single taker.

Your company will eventually do what I suggest above. All that matters is when it will happen and whether you’ll be a part of the process or a roadblock to security success.

E-mail

Printer Friendly

Reprints

Slashdot It!


	InfoWorld Test Center Contributing Editor Roger A. Grimes is a Foundstone Ultimate Hacking instructor/consultant teaching Windows, Linux, Unix, and Solaris security. • More of Roger A. Grimes' column Newsletter Check out all of our free newsletters! Enter e-mail address:

TOP NEWS:

» San Francisco DA discloses city's network passwords
The San Francisco DA has made public 150 usernames and passwords found on rogue IT admin Terry Childs' computer

» Microsoft gives Apache cash to promote open source
As part of its move toward greater openness, Microsoft is becoming a platinum sponsor of the Apache Software Foundation

» Update: Software group weighs piracy lawsuit against eBay
SIIA says the auction giant eBay has rejected most of its ideas for stemming the sale of pirated software on its site

» Open Web Foundation formed
Non-profit group supported by Google, Facebook aims to protect non-proprietary specifications for Web technologies

» Should Android, Symbian combine?
Analyst says Symbian, Android should combine into a single open source OS for mobile devices and predicts that will occur in three to six months

» Microsoft looks to mimic Apple success, says Ballmer
Microsoft's CEO promises to change the way the company deals with hardware vendors such as Dell and HP 'to create great end-to-end experiences'

Do you have the power to resolve technical issues with one call?
Watch this webcast to get an under-the-hood look at a remote support solution that enables the IT organization to be the engine that keeps your end users productive and your company running.

» Click here to view this Webcast

Zombie PCs Are Attacking Your LAN
A recent study showed that malware-infected zombie PCs are now a bigger threat to ISPs and Web infrastructure than DoS attacks. As this brand new IT Strategy Guide explains, an increased use of peer-to-peer techniques by the attackers has made it harder to fight back. Download now, compliments of Verio:

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

SOA governance: Balancing Flexibility and Control within an SOA - This paper highlights the concept of SOA governance and provides a framework for blending the flexibility of an SOA with...
Software Quality Management for SOA - SOA brings challenges for every part of the IT organization, and the IT quality organization is no exception. IT quality...
How Does Your IT Help Desk Measure Up? - Today's IT help desks must respond to their companies' growing service needs without increasing their already strained staff...
Best Practices for the Service Desk - According to a recent study only 53 percent of surveyed IT users are satisfied with their help desk support. Download this...
Discover How to Provide Anytime, Anywhere IT Support - Remote employees unduly bogged down with technical problems can mean significant losses in productivity, revenue and satisfaction...
Class of Service: Myths and Misconceptions - There has been much discussion about the benefits of CoS; but, there are also common myths, which unless challenged, can...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

•

Application development

•

•

•

•

•

•

•

•

•

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

FIND PRODUCTS AND COMPANIES

» COMPLETE PRODUCT GUIDE

TECHNOLOGY INDEX

• Applications
• Application Development
• Security
• Networking
• Wireless
• Platforms
• Hardware
• Data Management
• Storage
• Web Services
• Business
• Telecom
• Professional Services
• Standards

TECH WATCH

What's the 411 on GOOG-411?
Just as Google has become synonymous with "performing a Web search," 411 is understood to mean "information" -- as in "what's the 411?" I was thus surprised to discover, from a billboard, no less, that the king of search is taking on the ...

Apple HTML source reveals 'iPhone Extreme'
"This one's a stretch..." reports AppleInsider. Um, yeah. Reporting on HTML code sightings of product names could be called a stretch, but iPhone Extreme has a ring to it. Now, that sounds like the product Apple should have released first, rather ...

COLUMNISTS

Unified under law

(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...

» MORE COLUMNISTS

MORE INFOWORLD BLOGS

Open Sources

Product Management
When I joined MySQL four years ago, there was quite a lot of debate about product management. We didn't actually have ...

Zero Day

Botnet herders tending smaller flocks
New research backs up the theory that botnet operators are keeping their networks smaller in a continued effort to keep ...

• Advice Line
• Database Underground
• The Deep End
• Enterprise Mac
• Geeks in Paradise
• Grid Meter
• The Gripe Line
• InfoWorld Daily
• Inside IT
• IT Troubleshooter
• ITXtreme
• Open Sources
• ProdBlog
• Real World SOA
• Reality Check
• Security Adviser
• SMB IT
• The Storage Network
• Tech Watch
• Virtualization Report
• Zero Day

RESOURCE CENTER	advertisement
Ads by techwords beta See your link here

GOVERNMENT IT & POLICY
•	'If you don't go after the network, you're never going to stop these guys. Never.'
•	From the State Department, All the News for Inquiring Minds
•	TechPresident, the Internet Citizenry's New Consensus Taker

Sponsored Technology Links
SGI - SGI Adaptive Data Warehouse: Building a High-End Oracle Data Warehouse Microsoft - Learn about the software-based VoIP solution from Microsoft. Vizioncore - Complete Solutions for Virtual Server Management Microsoft - Meet Windows Server 2008. The server unleashed. HP - Whitepaper: How IT Quality Managers Respond to SOA Change Xerox - Experience the colorful side of business at www.frugalcolor.com IBM - Webcast: Take control of your content- leverage MOSS HP - Whitepaper: Software Quality Management for SOA AT&T - Thinking about IMS AT&T - Factors to consider when comparing DSL or Cable AT&T - Going mobile with today's technology AT&T - What to expect from a Technology Assessment. Polycom - Telepresence For The Enterprise GoToMyPC - Research Brief: Providing Secure and Cost-Effective Remote Access AppAssure - Keeping the E-Mail Flowing Tripwire - Secure your virtual and physical environments with the same software. CA - Efficient - Flexible - Compliant PGP - Is Your Data Safe? Novell, IBM, and Intel - Solution for Open Virtualization Provides Server Consolidation Curl - IT Guide: Rich Internet Application (RIA) Security Symantec - Whitepaper: Secure, recover, and archive critical information Microsoft - {Open Source} Heroes Happen Here Symantec - Whitepaper: Protecting Microsoft(R) Applications Riverbed - Five Ugly Truths about WAFS and Caching InterSystems - Use Ensemble - quickly create composite applications. Cirba - Advanced Workload Analysis Techniques		Rackspace - Go Green Without Sacrificing Server Performance CA - Manage your IT more effectively. AT&T - Measuring mobile productivity CA - Plan IT better, Manage IT better. AT&T - Refine your company's plan for a Business Disruption Event Cirba - Consolidating Workloads onto Mainframes AT&T - Class of Service: Myths and Misconceptions AT&T - Enhancing security through Quantum Cryptography Riverbed - Wide Area Data Services Microsoft - Microsoft Forefront makes defending your systems easier. Learn how. HP - Explore the interactive whitepaper: Rightsizing Blades for the mid-market. Symantec - Webcast: Beyond AntiVirus AMD - Renowned Engineering Institution Chooses AMD Processor-Based Servers AMD - Watch this flash demo of the Quad-Core AMD Opteron Processor EMC - EMC and VMware help you build your virtualized infrastructure. AMD - HP and Oracle deploy unbreakable computing infrastructure Qwest - Learn how Qwest voice and data solutions can save you time. MKS - The Power of UNIX/Linux on Windows with MKS Toolkit Vision Solutions - Is your smaller organization ready for High Availability? Vision Solutions - Is system maintenance doing more harm than good? HP - NEW HP LaserJet P4014n printer Starting at $699 after $100 IS. HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW HP - Speed, agility, flexibility - The HP BladeSystem c-Class. Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist