In this article, I've formulated several worst practices based on the common actions and beliefs of enterprise security personnel. I've seen the concept underlying each of these bad tips applied in real-world enterprises, causing a significant amount of grief. However, it's important to note that there's a grain of truth in each one of these issues. That's what makes each one attract some adherents. To help make sense of it all, I will describe each worst practice, followed by the reality we face in securing our organizations.
Worst practices tip #1: Focus information security defenses on prevention
The myth: If an organization prevents attacks, it won't have to spend as much time and effort cleaning up after the fact. Thus, the majority of its security budget should be spent on prevention mechanisms, such as patch deployment, hardening, firewalls, intrusion prevention systems (IPS) and antimalware products. Keep the bad guys out, and there will be no need to worry about detecting or responding to attacks.
The reality: Even with the best prevention mechanisms, systems still get compromised, often due to users who inadvertently introduce flaws or malware into an environment, or possibly through zero-day exploits that compromise even fully patched and hardened machines. Focusing exclusively on prevention is a fool's errand. Corporations need good detection and response capabilities in order to identify systems that fall under an attacker's control. By focusing all security resources on preventing attacks, some organizations have left only scraps for the detection and incident response components that a viable information security program requires. Security personnel need to divert some prevention efforts (and budget) to detection and eradication. Frankly, what most organizations really should worry about is the exfiltration of sensitive data. Blocking the door with good prevention is a nice start to protecting such data, but organizations need to follow up and look for attackers already in their midst by attempting to detect and respond to data exfiltration activities to see if sensitive data is leaving the environment.
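One shape the detection side of this can take is a check that compares each host's outbound volume to external addresses against its own history. This is an added example, not the article's, and the flow records, baselines, thresholds and internal address ranges are all constructed assumptions.

```python
"""Flag hosts whose outbound transfer volume to external addresses jumps far
above their own baseline. Added illustration; all data below is constructed."""
import ipaddress
from collections import defaultdict

# Assumed internal address space; anything outside it counts as external
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records for one day: (source host, destination IP, bytes sent)
FLOWS = [
    ("ws-101", "10.0.5.20", 48_000_000),      # internal file server, ignored
    ("ws-101", "203.0.113.9", 320_000_000),   # large transfers to the Internet
    ("ws-101", "203.0.113.9", 290_000_000),
    ("ws-102", "198.51.100.7", 6_000_000),
    ("db-01", "10.0.5.20", 900_000_000),      # internal backup, ignored
    ("db-01", "198.51.100.44", 4_000_000),
]

# Constructed per-host daily baseline of external outbound bytes
BASELINE = {"ws-101": 40_000_000, "ws-102": 35_000_000, "db-01": 500_000}

RATIO = 3.0              # alert when observed exceeds this multiple of baseline
MIN_BYTES = 50_000_000   # absolute floor so low-traffic hosts don't trip on noise


def is_external(ip: str) -> bool:
    """True when the destination lies outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_bytes_by_host(flows):
    """Sum bytes sent to external destinations, per source host."""
    totals = defaultdict(int)
    for host, dst, nbytes in flows:
        if is_external(dst):
            totals[host] += nbytes
    return dict(totals)


def exfil_alerts(flows, baseline, ratio=RATIO, min_bytes=MIN_BYTES):
    """Return {host: (observed, baseline)} for hosts over both thresholds."""
    alerts = {}
    for host, observed in external_bytes_by_host(flows).items():
        expected = baseline.get(host, 0)
        if observed >= min_bytes and observed > ratio * expected:
            alerts[host] = (observed, expected)
    return alerts
```

Here db-01 is eight times over its baseline but stays under the absolute floor, while ws-101 is flagged on both criteria; the two thresholds together are what keep the alert list short enough to actually investigate.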
Worst practices tip #2: Security awareness activities are worthless
The myth: Security awareness is a waste of valuable resources. Why should security personnel spend a lot of time trying to instill good security practices regarding passwords, safe surfing and sharing information over the telephone, and have little or nothing to show for it? Some enterprises that apply metrics to measure password complexity, social engineering response and the like have found that these areas do improve shortly after implementing a security awareness program. However, these results dissipate quickly, leaving little lasting security for the organization. For that reason, security awareness spending is a leaky bucket, dribbling away budgets. Corporations can better apply those resources on technical defenses.
The reality: Security awareness campaigns improve security practices by instructing users to choose better passwords and be more conscious of social engineering attacks. But it's important to note that these programs shouldn't be a one-shot deal, with a huge campaign once or twice a year to encourage employees to "think securely." Instead, security awareness programs should run continually, working to instill an enterprise culture that understands security and how it is vitally tied to a business. Corporations should strive for an awareness program centered on continual reinforcement, with tabletop brochures, infosec posters and regular communications from the security team.
The myth: Unpatched Windows machines represent one of the biggest avenues of exploit for enterprises. With numerous client-side vulnerabilities in everyday Windows programs, attackers can easily gain access to unpatched systems if a user simply surfs to the attacker's website or a third-party site hosting the attacker's content. With an automated patching product, an enterprise can keep its systems up-to-date and avoid such exploitation. Once an enterprise is fully patched, it'll be secure.
The reality: While keeping patches up-to-date is an important goal, few organizations implement patches effectively. Even in a well-deployed patching infrastructure, things slip. When security personnel assess enterprises, they often find a dozen or more patches missing from critical servers and desktops, even in organizations that say they are "fully patched." Here, the old mantra of "trust but verify" is incredibly important. Even if an enterprise thinks its patches are up to date, it should take a random sample workstation or server from its environment and evaluate it using the free Microsoft Baseline Security Analyzer (MBSA). This tool will show whether a corporation's underlying Windows operating system and other key Microsoft products are patched. However, keep in mind that not all attacks are against Windows or Microsoft software. Today, third-party products on Windows machines -- such as RealPlayer, QuickTime, Acrobat Reader, and more -- are common attack vectors, so they should be patched as well. If an organization thinks it has fully addressed the Windows patching process, it should shift its focus toward the patching process for non-Windows systems, such as Linux, Mac OS X and Cisco IOS. In these areas, most organizations haven't scratched the surface. Also, take note of the regular onslaught of zero-day exploits. Several times every year, attackers successfully exploit systems in the wild using a vulnerability for which the vendor hasn't yet released a patch. Patching is important, but it is only one aspect of enterprise security.
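The "trust but verify" step above can be scripted against an inventory export: draw a random sample of hosts and list which required Windows updates and third-party versions each one is missing. This is an added example, not the article's code or MBSA output; the inventory, the KB identifiers (placeholders) and the minimum product versions are constructed.

```python
"""Sample hosts from a patch inventory and report gaps, Windows and third-party
alike. Added illustration; hosts, KB ids and versions below are constructed."""
import random

# Constructed baseline: placeholder Windows KB ids and minimum third-party versions
REQUIRED_KBS = {"KB000001", "KB000002", "KB000003"}
REQUIRED_VERSIONS = {"Acrobat Reader": (8, 1, 2), "QuickTime": (7, 4, 5)}

# Constructed inventory export: host -> installed KBs and third-party app versions
INVENTORY = {
    "ws-201": {"kbs": {"KB000001", "KB000002", "KB000003"},
               "apps": {"Acrobat Reader": "8.1.2", "QuickTime": "7.4.5"}},
    "ws-202": {"kbs": {"KB000001", "KB000003"},
               "apps": {"Acrobat Reader": "8.1.1", "QuickTime": "7.4.5"}},
    "srv-01": {"kbs": {"KB000001", "KB000002", "KB000003"},
               "apps": {"Acrobat Reader": "7.0.9"}},      # OS patched, app stale
    "srv-02": {"kbs": {"KB000002"}, "apps": {}},
}


def parse_version(text: str) -> tuple:
    """Turn '8.1.2' into (8, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def missing_patches(host_record: dict) -> list:
    """Findings for one host: absent required KBs, then outdated installed apps.
    Apps that are not installed at all are not a patching finding."""
    findings = [f"missing {kb}" for kb in sorted(REQUIRED_KBS - host_record["kbs"])]
    for app, minimum in REQUIRED_VERSIONS.items():
        installed = host_record["apps"].get(app)
        if installed is not None and parse_version(installed) < minimum:
            wanted = ".".join(str(n) for n in minimum)
            findings.append(f"{app} {installed} below required {wanted}")
    return findings


def audit_sample(inventory: dict, sample_size: int, seed=None) -> dict:
    """Audit a random sample of hosts; a seed makes the draw reproducible."""
    rng = random.Random(seed)
    hosts = rng.sample(sorted(inventory), sample_size)
    return {host: missing_patches(inventory[host]) for host in hosts}


def compliance_rate(report: dict) -> float:
    """Fraction of sampled hosts with no findings at all."""
    clean = sum(1 for findings in report.values() if not findings)
    return clean / len(report) if report else 1.0
```

Run against the constructed inventory, only one host in four comes back clean, even though every host here would pass a Windows-only KB check except srv-02 and ws-202.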
Worst practices tip #4: SSL can secure Web applications
The myth: The Secure Sockets Layer (SSL) provides rock-solid encryption of sessions between browsers and Web servers, and thus can ensure that Web apps are kept safe from attack. After all, if attackers can't see the data going from browsers to the server, they can't alter it. And, if they cannot alter the data, the Web application is protected from hacks.
The reality: Not only does SSL address only a small piece of the security puzzle for Web apps by encrypting data as it moves across the network, but it also has some further major limitations. First off, all trust decisions regarding certificates used to exchange encryption keys in SSL are left in the hands of users at their browsers. When users click "accept" or "OK" on a warning message about a bad certificate, they've just created a rock-solid encrypted session with someone pretending to be your website. Additionally, all of today's major Web application vulnerabilities, including SQL injection, cross-site scripting, cross-site request forgery and session cloning, work just fine across an SSL session. In fact, attackers often prefer to launch such attacks via an SSL session because encryption makes it harder -- if not impossible -- for a corporation's intrusion detection systems to recognize the attack. In the end, SSL helps secure Web interactions by encrypting data across the network, but it's only the start when it comes to securing Web apps.
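The point that application flaws ride straight through an encrypted session is easiest to see in code: the query a login handler builds is the same whether the form arrived over SSL or in the clear, so the fix has to live in the handler. This is an added example, not the article's; the SQLite schema, the two sample users and the login handlers are constructed.

```python
"""A SQL injection flaw beside its fix. Transport encryption never enters the
picture, because the handler runs after TLS termination and sees plain form
fields either way. Added illustration; schema and rows are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """String-built query: whatever the browser sent becomes part of the SQL.
    A username containing a quote and a comment marker rewrites the WHERE clause."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, username: str, password: str) -> list:
    """Parameterized query: the identical input is only ever compared as data,
    so the same request that bypasses login_vulnerable matches nothing here."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def handle_login(handler, form: dict, over_tls: bool) -> dict:
    """What the application sees after TLS termination; over_tls is only
    recorded for the log line, it cannot change the query that gets built."""
    matched = handler(build_db(), form["username"], form["password"])
    return {"tls": over_tls, "authenticated_as": matched}
```

Because the web server's own logs record the decoded request, that is where the malformed username is visible even when a network IDS sees only ciphertext.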
Worst practices tip #5: Penetration testing has limited value
The myth: Penetration tests have many limitations. Trying to model a full-fledged attack from a real-world bad guy in the space of a one- or two-week test doesn't really indicate the risk profile of an organization. Penetration tests have a limited scope, occur during a limited timeframe and are plagued by the limits of testers' skills and imaginations. Sure, if penetration testers successfully compromise corporate systems, it means that an enterprise has some unpatched security flaws. But if testers are unsuccessful, then that doesn't mean an organization is secure. Penetration testing could therefore lead to a false sense of security. What's more, tests show target organizations' current vulnerabilities, but with new vulnerabilities constantly being discovered, they provide no insight into security going forward. For those reasons, some think penetration testing is a waste of time.
The reality: While penetration tests do have some limitations, they provide a real-world view of what attackers will see if and when they come calling on an organization. A penetration test that discovers flaws helps illustrate where resources should be applied to deal with some of the most urgent matters in an enterprise. Other methods for finding security flaws -- such as documentation reviews, interviews, configuration reviews and architectural analysis -- all have their place, but penetration testing measures the defensive posture as it actually is, trying to find holes in the target environment before real bad guys do. Also, carefully conducted penetration tests can impose fewer burdens on personnel than other methods of vulnerability detection, since they require less interaction with the busy schedules of operations teams.
About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.
This was first published in April 2008