I Really Do Not Hate Hardening Guides

Interesting Finds

Jason Haley — Wed, 17 May 2006 17:44:12 GMT

re: I Really Do Not Hate Hardening Guides

Alun Jones — Wed, 17 May 2006 21:44:54 GMT

Sadly, the "myths" series is constantly myth-interpreted.
When you say "A always helps" is a myth, what you are saying is "sometimes, A may not help at all, or may not help enough to be worth doing". You're not saying "A never helps".
This is the sort of thing that trade journals love to report on, of course - you say "changing passwords frequently" is a myth, they say "Microsoft representative says not to change your passwords".
Good luck reminding people that the myths articles should be interpreted as a warning to re-investigate those assumptions that are situational, but which we've trained ourselves to believe are global axioms.

re: I Really Do Not Hate Hardening Guides

Susan — Wed, 17 May 2006 23:00:36 GMT

As a "financial auditor" who also looks at systems controls... if you look up the word "auditor" in the dictionary you will probably find "checklist filler-outer".

We don't think. We don't look. We tick boxes.

We say things like "Oh that's not in compliance with such and such" and to every industry person I say to them.. ask that auditor to "prove it" with the code section from the SEC, Department of Heath,etc that says in black and white where SOX or Hipaa or any of these regulations specifically state what they want. The reality is that many of these laws were put in place to be purposely vague.

Oh and the next thing we do ... the field auditors are typically young, green and haven't a clue. The folks in industry train the consultants and not the other way around.

Yes, I know that's stereotyping, but we're not thinking... we're just ticking boxes because it's easy to tick boxes.

There was a Center for Internet Security project that attempted to put forth the minimum security needed to protect sensitive data and the initial steps used the Visa PCI standards. As one person put in on the threads "did the Hardware vendors make these rules up?". It was obvious that because each sized firm's risk model was so different, that it was near impossible to do a one size fits all minimum.

Even the California law AB1950 that states I must take reasonable measures does not define what those measures are.

As SBS var/vaps are getting into the "managed services" field, they too are asking for 'checklists" and the ones who have paved the way say things like "you know, we have this memory jogger like form...but we really don't like to use a checklist".

Listen.
Think.
Then do.

re: I Really Do Not Hate Hardening Guides

Tom Decaluwe — Thu, 18 May 2006 00:47:14 GMT

Hi,

I was wondering if the "Security Myths" presentation from the Microsoft's Federal Security Summit was available for download on the internet?

cheerz,

Tom

re: I Really Do Not Hate Hardening Guides

jesper — Fri, 19 May 2006 01:40:23 GMT

Susan, you said it, I didn't. :-)

It is really sad, actually, that what at the core is a really noble profession of auditing, has been twisted into checkbox filling by some of its practitioners.

Oh, and Tom, there is a taped version of the Security Myths in the Listening Room at the Protect Your Windows Network site: http://www.protectyourwindowsnetwork.com/listening_room.htm

re: I Really Do Not Hate Hardening Guides

Anette — Sat, 20 May 2006 01:00:11 GMT

I agree with many of your views, particularly on how a good security auditor should work.

Are many of the comments on these blogs written by Microsoft colleagues?

I have read postings on a few Microsoft blogs. Some names seem to appear frequently. The way some of the comments are written it sounds like the authors are Microsoft employees (or close partners).

re: I Really Do Not Hate Hardening Guides

jesper — Mon, 22 May 2006 06:45:04 GMT

Anette, some of the people that comment are MS employees, but I think most are not. I think the ones that appear more frequently are either friends or folks that just spend too much time online. :-)

Actually, I see no current MS people commenting on this particular topic. Maybe there is a reason for that?

re: I Really Do Not Hate Hardening Guides

themolk — Tue, 23 May 2006 05:17:54 GMT

Thanks so much for your presentation last night at BIG - great to hear from someone who is willing to do some of the thinking that is required that prompts all IT security people to realise that some of the things they do isn't actually helping...

I agree with your comments on hardening guides and auditors. Too much blind faith is put in these (and "consultants") to ensure we are 'securing' our networks, when really a little bit of lateral and even logical thinking would help us no end. That, and the willingness to alert the business to the need to educate staff to WHAT security is in the context of computers/PDA's/etc, etc, etc. Give me one educated (and as you mentioned last night, paranoid) staff member over 30 techno-phobes any day.

re: I Really Do Not Hate Hardening Guides

Safely anonymous — Sat, 27 May 2006 21:38:10 GMT

Hi,

I understand the (some of) the pain of people suggesting things that you don't support. At the same time, I've spent way too much time on security guides, and have no idea what the "correct" channel for suggesting useful tweaks is. (I tend to email friends, but that's variable in the response, usually driven by their workload on a given day.)

Many of these unsupported changes, on a variety of operating systems, have saved my employers from a great deal of pain.