The criticality of basic IT security hygiene
Published 16:46, 12 May 09
One of the interesting aspects of IT security is that the industry seems to possess a short attention span. Every year we move from one dominant focus to the next.
We have all experienced the year of PKI or the dawn of the IDS and of course, NAC and DLP were going to radically change how we secure the enterprise.
With each new year, the latest widget drives even more vendor hyperbole until it reaches fever pitch. But as IT security professionals navigate the operational realities of budgets, politics and the logistics of actually maintaining the health and improving the security of their organisations, it becomes clear that the next big thing in IT security might just be doing the old thing better.
The reality is that although attackers are more sophisticated and organised, the attack vectors they use are the same methods used over a decade ago; yet most IT security departments appear completely unable to implement even a base level of security hygiene across their entire computing environment.
Every IT organisation must be able to answer these fundamental questions and ensure that the information is accurate, timely and can be gathered quickly against the dynamic nature of IT environments:
1) How many computing devices are deployed in and out of my environment right now?
Believe it or not, it is quite common for an organisation to be blind to 15-30% of their computing devices at any given point in time. Imagine if every decision you make to improve security, provide transparency or accountability for compliance or deal with upgrades, licensing or refresh cycles was based on a 15-30% margin of error.
This is the standard. The reasons are many and run the gamut from platform heterogeneity to legacy systems, from mobile and intermittently connected devices to the lack of converged visibility between disparate technologies driven by disparate groups within an organisation.
2) How many of these do I “actively” manage? How many adhere to basic corporate policies, such as running a standard corporate AV engine with the latest dat files, up-to-date security patches, standard configuration guidelines, etc.?
How long does it take me to answer these questions? How accurate is the information? How do you know?
Even if you believe you have an accurate count of all your computing devices (and I am willing to bet that you probably don’t), the next question would be “Of these deployed devices, how many do I actively manage?”
How many do I actually have full command and control over, so that I can - in real time - effect a change on them, such as shutting down a service, closing a port, closing an application or upgrading to the latest patch levels?
It seems like a fairly trivial question to answer, doesn’t it? You might be amazed at how difficult it is for organisations, especially those with more than 5k or 100k computing devices, to actually decide to make a pervasive change to their computing devices and then verify that the change actually took place, all in less than 2-3 weeks - yes, 2-3 weeks - and this is with a margin of error of 15-30%.
What is really amazing is that there are bot masters who have full command and control of hundreds of thousands of computers and can effect changes across the majority of them in seconds, while some of the most sophisticated organisations in the world have no idea whether their AV is up to date or whether the latest personal firewall settings are being adhered to!
Many of you may believe that you have it under control, but now think about all of your computing devices: Windows, Linux, Unix (Solaris, HP-UX, AIX, Mac OS X, et al.) systems, virtual environments, mobile devices and remote users accessing a SaaS application at Starbucks using a corporate-owned laptop.
Using that broad view into the environment, can you confidently answer the question of how many devices are actively deployed in your environment right now and how many of those do you actively manage?
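The two questions above (how many devices exist, and how many of them are actively managed) are usually answered by reconciling several partial inventories rather than by trusting any single tool. The script below is an added illustration, not code from the original article or from any product it mentions: it takes constructed records from four hypothetical sources (a network sweep, a directory of domain accounts, an AV console with last signature-update dates, and a patch-management tool), unions them into one consolidated inventory, reports the blind spot of each source against that inventory, lists devices that appear on the network but in no management tool, and counts devices that meet a baseline of fresh AV signatures plus patch compliance. Hostnames, dates and the 7-day signature-age threshold are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: the same small estate as reported by four
# independent sources. Hostnames are invented; no real environment is described.
NETWORK_SCAN = {"host-01", "host-02", "host-03", "host-04", "host-05",
                "host-06", "host-07", "printer-01"}          # responded to a sweep
DIRECTORY = {"host-01", "host-02", "host-03", "host-04",
             "host-05", "host-08"}                           # has a domain account
AV_CONSOLE = {                                               # host -> last dat (signature) update
    "host-01": date(2009, 5, 11), "host-02": date(2009, 5, 11),
    "host-03": date(2009, 4, 20), "host-05": date(2009, 5, 12),
}
PATCH_MGMT = {"host-01": True, "host-02": True,
              "host-04": False, "host-05": True}             # host -> fully patched?


@dataclass(frozen=True)
class InventoryReport:
    total: int                   # devices known to at least one source
    blind_spot_pct: dict         # per source: % of known devices it cannot see
    unmanaged: frozenset         # on the network, but in no management tool at all
    actively_managed: frozenset  # meet the baseline policy
    managed_pct: float


def all_known_devices(*sources):
    """Union of every identifier any source has reported."""
    known = set()
    for src in sources:
        known |= set(src)
    return known


def blind_spot_pct(known, source):
    """Share of the consolidated inventory that one source does not see."""
    missing = known - set(source)
    return round(100.0 * len(missing) / len(known), 1)


def actively_managed(known, av, patch, as_of, max_dat_age_days=7):
    """Devices meeting the baseline: fresh AV signatures AND patch-compliant."""
    fresh = {h for h, d in av.items()
             if (as_of - d) <= timedelta(days=max_dat_age_days)}
    patched = {h for h, ok in patch.items() if ok}
    return frozenset(known & fresh & patched)


def build_report(as_of):
    """Reconcile all sources as of a given date and summarise the gaps."""
    known = all_known_devices(NETWORK_SCAN, DIRECTORY, AV_CONSOLE, PATCH_MGMT)
    sources = {"network_scan": NETWORK_SCAN, "directory": DIRECTORY,
               "av_console": AV_CONSOLE, "patch_mgmt": PATCH_MGMT}
    managed = actively_managed(known, AV_CONSOLE, PATCH_MGMT, as_of)
    # Seen on the wire but absent from every tool that could change it.
    unmanaged = frozenset(NETWORK_SCAN - set(DIRECTORY)
                          - set(AV_CONSOLE) - set(PATCH_MGMT))
    return InventoryReport(
        total=len(known),
        blind_spot_pct={name: blind_spot_pct(known, s) for name, s in sources.items()},
        unmanaged=unmanaged,
        actively_managed=managed,
        managed_pct=round(100.0 * len(managed) / len(known), 1),
    )


if __name__ == "__main__":
    r = build_report(date(2009, 5, 12))
    print(f"{r.total} devices known across all sources")
    for name, pct in r.blind_spot_pct.items():
        print(f"  {name:13s} is blind to {pct}% of them")
    print(f"on the network but managed by nothing: {sorted(r.unmanaged)}")
    print(f"actively managed (fresh AV + patched): {r.managed_pct}%")
```

On the constructed data no single source sees the whole estate: the sweep misses an off-network domain member, the directory misses three devices that are on the wire, and only a third of the consolidated inventory meets the baseline. Replacing the literal sets with exports from real tools, and re-running the reconciliation on a schedule, is what turns "how long does it take me to answer this?" into a number you can defend.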
Although there are many new threats on the horizon and many new challenges facing all IT organisations, if you cannot even perform the basics then you are building security on a weak foundation.
This is a recipe for disaster. Before you leap headlong into deploying the latest security widget, or decide that all you need to do is sit back and monitor the network, logs and various transient application and user behaviours, you may want to spend some time making sure you can do some basic asset discovery and have some level of control over those assets throughout your entire environment.