Security's Everyman

Tuesday, October 24, 2006

A Strong Foundation

A friend called me the other day with a concern and a complaint. Here is the gist of what he said.

Every day I work hard to ensure that my company network is as secure as possible. Currently we don't have much in place in the way of formal policies. Thankfully that is in the process of changing. What we do have is loosely defined and rarely enforced. Since I hold the responsibility of ensuring the 3 A's of security are all there, I have implemented my own policies. I enforce them and update them as I see fit. I often get accused of being on a power trip, but that's OK. I know why I do what I do. It's because I see that as being my reason for being hired by the company.

That being said, I obviously can't enforce these "policies" on all users. I still have to answer to those in authority over me. That is where the frustration factor comes in. What good does it do to work hard to lock almost all the doors and windows to my network when you have to leave a side door open so that certain users can do as they please? Why not just put up a firewall, install AV, set up a patch server and walk away? Spend the rest of your time cleaning monitor screens and mouse balls.

Management needs to realize that when you leave a door open the bad guys will find it. One rogue user (intentional or unintentional) is all it takes. It's hard enough to keep the rogue users out without giving "special" users permission to be rogue. Management thinks that since we currently don't have to comply with regulations (meaning SOX, GLBA, etc.) we are OK for now. Once we have to start complying, we will change.

Now for my 2 cents. That makes about as much sense as saying that I currently don't have termites (this analogy works well in the South) so I don't need to protect against them; once I have them I will start getting treatment. A network that is left open will be compromised, and once you start complying with regulations the problems will still be there. They are not going to magically go away just because you put in a few controls and implemented policies. Unless this company plans on starting completely from scratch, it will most likely be starting its compliance effort on an already compromised network. Those few machines that have been left open will still be compromised after they are locked down. Locking down a machine will not stop a well-planned piece of malware that is already on it from doing its job. A lockdown is designed (mostly) to keep malware off your system, not to keep it from doing damage once it's there, which is why the machines that were left open need to be rebuilt, not just reconfigured.

Just as with a building, you have to start with a strong foundation. Too often the foundation of a company's network is weak and rotting. Once it's in place it's almost impossible to rebuild it; all you can do is shore it up. Work hard to convince management that security has to be a priority and has to apply to everyone, whether regulations require it or not.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.