<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Some organizations put too much emphasis on hardening guidance</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/03/21/422684.aspx</link><description>I have been working on hardening guidance for almost 10 years. The first few I worked on were essentially lists of settings that we thought you should turn on. Basically, if something sounded like it might have to do with security then it must be turned</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Some organizations put too much emphasis on hardening guidance</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/03/21/422684.aspx#422706</link><pubDate>Wed, 22 Mar 2006 01:13:07 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:422706</guid><dc:creator>Alun Jones</dc:creator><description>Security as a &amp;quot;yes&amp;quot; / &amp;quot;no&amp;quot; question always (for practical purposes) gives the answer &amp;quot;no, this is not secure&amp;quot;.&lt;br&gt;&lt;br&gt;Security in real life, in business or at home, is always a risk-management effort. &amp;nbsp;There's cost and benefit, and a guessed probability as to which side of that divide you land on.&lt;br&gt;&lt;br&gt;It sounds like what you're describing in this article is a Service Oriented Architecture for security. &amp;nbsp;Security provides services and has customers to provide those services to. &amp;nbsp;Security is an enabler of desired activity, not a stop sign.
&lt;br&gt;&lt;br&gt;Once security is seen as an enabling force, people stop trying to subvert it in order to do their jobs, and realise that their jobs are helped by your security measures.&lt;br&gt;&lt;br&gt;Good luck with that.</description></item><item><title>Small Business Server hardening guidance</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/03/21/422684.aspx#422741</link><pubDate>Wed, 22 Mar 2006 07:37:21 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:422741</guid><dc:creator>E-Bitz - SBS MVP the Official Blog of the SBS "Diva"</dc:creator><description>On the Security 360&amp;amp;amp;nbsp;webcast that was on earlier today, the topic was on &amp;amp;quot;browser hardening&amp;amp;quot;.&amp;amp;amp;nbsp;...</description></item><item><title>re: Some organizations put too much emphasis on hardening guidance</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/03/21/422684.aspx#422794</link><pubDate>Wed, 22 Mar 2006 18:11:13 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:422794</guid><dc:creator>gary</dc:creator><description>You wrote:&lt;br&gt;&lt;br&gt;&amp;quot;What makes a difference is ensuring that only those systems and users who absolutely need to communicate with you are allowed to do so. What makes a difference is ensuring that all applications and users run with the least possible privilege. In short, what makes a difference is taking a sensible approach to security and doing the difficult analysis so that you can allow each system to take responsibility for its own security.&amp;quot;&lt;br&gt;&lt;br&gt;That is all well and good as long as each system is capable of taking that responsibility and that systems enforce the access policies you set up. 
&lt;br&gt;&lt;br&gt;Unfortunately, in an era of half a dozen security related defects a month that allow people to override all the planning and access controls that may have been put in place, people have had to put up additional barriers whose necessity is not always obvious. They're necessary because with today's defect ridden, complex products defense in depth is required to overcome failures in access control&lt;br&gt;&lt;br&gt;And while &amp;quot;high&amp;quot; security is absolutely necessary to protect life and property, today's mega data disclosure of the week certainly doesn't lend confidence to our information infrastructure. Nobody is dying ( yet ) but of what value are privacy policies and disclosure laws in such an enviroment where accounts and identities are ravaged? Disclosure is the least of the problems. If the access to the data isn't being protected, how can its accurracy be trusted? How much confidence can be placed in automated business processes (commerce, health, governement) based on data and processes that have been compromised so often?&lt;br&gt;&lt;br&gt;When the environment is made up of defective products that are too complicated to properly run safely in compatibility with resource requirements and business &amp;quot;needs&amp;quot; driving by marketing drivel, the grunts made responsible for security are left holding the bag of unpopular security recommendations because the vendors and decision makers are pulling the wool over all our, and their own, eyes.&lt;br&gt;&lt;br&gt;Universal Identity management, SSO, and automated access controls are fine when they work. When they don't, or when they're compromised, all hell is going to break loose. 
They're business convenience drivers...not security products.</description></item><item><title>re: Some organizations put too much emphasis on hardening guidance</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/03/21/422684.aspx#422884</link><pubDate>Thu, 23 Mar 2006 05:56:48 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:422884</guid><dc:creator>Susan</dc:creator><description>Gary? &amp;nbsp;How many of these defects are in our applications? Shouldn't they too step up to the plate and join in the cause? &amp;nbsp;Just today.. I saw two vuln notices about two security products (Trend PCCillian and Interscan no less) that had bad/weak ACLs/DACLs.&lt;br&gt;&lt;br&gt;How have these identities been stolen? &amp;nbsp;Unencrypted tape backups (hello folks computer rule 3 of physical access) for one. &amp;nbsp;Improperly designed databases that were not properly protected from attacks for another.&lt;br&gt;&lt;br&gt;I got a notification from Guidance Software that a database that had my credit card number on it was broken into. &lt;br&gt;&lt;br&gt;1. &amp;nbsp;Why were they storing my credit card number a year after I bought something from them?&lt;br&gt;2. &amp;nbsp;Why was it not encrypted?&lt;br&gt;&lt;br&gt;Guidance Software is a forensic investigation company..shouldn't they know better?&lt;br&gt;&lt;br&gt;How many of these identity thefts were due to just not doing the right thing in the first place?&lt;br&gt;&lt;br&gt;Remember I'm not the military... at the end of the day my business needs will always be one notch above security demands. &amp;nbsp;Unlike the government...if I don't have business, there's nothing for me to worry about securing. &amp;nbsp;So business needs have to come first, unfortunately. 
&amp;nbsp;&lt;br&gt;And for many firms with hooks and add-ins into insecure applications like our accounting applications like ..say Quickbooks, you aren't just ripping out the beancounter program but your hook into the CRM app or the trouble ticket app... etc...etc... these days you are also ripping everything else that plugs into it.....add to that the marketing spin around software that once we finally deploy it, it never works as advertised because the firm never buys all the bells and whistles that was demo'd to him... and ...well...Vendors do not even know how their &lt;br&gt;product works. &amp;nbsp;Only the users do and by the time you figure out it's not working... you are 3 million dollars into a Multilayer'd app implementation &amp;nbsp;project and the Dev folks and the timekeeping app folks are telling you they can't get the information that you need and there's nothing they can do....the universe has these little bridger Excel spreadsheets all over the place because applications never quite do when they are supposed to do and Excel is the foundational tool to get things to work that the salesman assured you would work in the first place. &lt;br&gt;&lt;br&gt;Migration sucks. &amp;nbsp;That's the bottom line. &amp;nbsp;Humans hate change.&lt;br&gt;&lt;br&gt;It makes for great Quickbooks sales as well as everything else that we currently use. &amp;nbsp;Because as much as we hate the programs ..they are good enough. &amp;nbsp;It's not the pressure to buy it.. it's the pressure that it works.. and don't screw up what works.&lt;br&gt;&lt;br&gt;Sometimes I can't 'not buy it'... I have to get them to fix it. &amp;nbsp;I need the functionality they provide... They need to get security. &amp;nbsp;I can't walk away. &amp;nbsp;Bigger firms can help push by putting it into their RFPs. &amp;nbsp;I can't do it alone. &amp;nbsp;I just have to get really annoying so they get me to shut up and hope that the marketplace (and pressures of Vista's LUA) help.
&lt;br&gt;&lt;br&gt;Those who know me (and unfortunately who have to put up with me) know that sometimes only duct tape over port 25 gets me to shut up and to stop being annoying.</description></item><item><title>I Really Do Not Hate Hardening Guides</title><link>http://blogs.technet.com/jesper_johansson/archive/2006/03/21/422684.aspx#428819</link><pubDate>Wed, 17 May 2006 08:34:41 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:428819</guid><dc:creator>Jesper's Blog</dc:creator><description>Unfortunately, it seems that people are getting the impression that I hate hardening guides.&amp;amp;amp;nbsp;A few...</description></item></channel></rss>