Security's Everyman

Wednesday, March 07, 2007

Security Sins

I try to follow the posts on daily. Sometimes I find something good, sometimes I find something that sets me off, and sometimes it's just black dots on a white background. A couple of weeks ago every time I went to their site I saw red. That was when they were on their "stupid user" kick. Lately they have been putting a smile on my face. I wrote yesterday about the Internet's Original Sin by RSnake, and today, following the same theme, I read an article by Curt Franklin called Security's Three Deadly Sins.

As I read this post I couldn't help but smile. Not because I liked all the "problems" that he talks about, but because they look like every day life in IT. Not that that is a good thing. It brings back many memories.

He talks about Sloth, Hubris (Pride), and Greed and then breaks each of them down into some of the more common mistakes that are often made in each area.

Here are some of my thoughts on each area.

Sloth - Too often IT staffs take the path of least resistance. They don't necessarily do it out of true laziness as much as out of just being too busy. I've worked in such situations. Actually, at times my current situation is like that. The real problem with this is that it creates situations that usually don't get cleaned up because it requires too much work to "fix" them. That's where the old adage "If you don't have time to do it right the first time, what makes you think you will have time to do it right later" comes into play. Take the extra time and do it right from the start.

Hubris - The area of Pride that I see most often in IT/Security is the "stupid user" mindset. I'm not going to go into that again. If you want, you can check some of my recent posts and get my feelings and ideas on that. The other area that can be a problem with pride is the "I know security and you don't" attitude that often occurs between security and other IT departments.

Greed - I think IT is as guilty as anyone when it comes to "free" software. IT guys love tools that are designed to make their life easier. They are often suckers for a free download, and thus "ripe for the picking" when it comes to getting owned. Just because something is "open source" doesn't mean that it hasn't been compromised, or that many people actually check the hash or the code. Besides, what can be better for the network than free software that helps keep it safe?
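The "check the hash" habit mentioned above is cheap to automate. The following is an added example written for this page, not code from the original post or from any project it mentions. It assumes the publisher ships a SHA256SUMS-style text file (one `<hex digest>  <filename>` line per file, the `sha256sum` format); the file contents and digests in the demo are constructed for the illustration.

```python
"""Verify downloaded files against a published SHA-256 checksum list.

Added example, not from the original post. Assumes the vendor publishes a
sha256sum-format list; the files and digests in demo() are constructed.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_checksum_list(text: str) -> dict[str, str]:
    """Parse '<hex>  <name>' lines into {name: hex}.

    Lines that do not fit the format are skipped rather than trusted, and a
    leading '*' (sha256sum's binary-mode marker) is stripped from the name.
    """
    sums: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large downloads need little memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, sums: dict[str, str]) -> str:
    """Return 'OK', 'MISMATCH' or 'UNLISTED' for the file at path.

    A file that is not in the list is reported separately: "no digest to
    compare against" is not the same thing as "digest matched".
    """
    expected = sums.get(path.name)
    if expected is None:
        return "UNLISTED"
    actual = sha256_file(path)
    return "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"


def demo() -> dict[str, str]:
    """Constructed scenario: one intact file, one altered copy, one unlisted file."""
    original = b"#!/bin/sh\necho 'scanning'\n"
    altered = original + b"# an extra line the publisher never shipped\n"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        published = hashlib.sha256(original).hexdigest()
        # The publisher's list covers exactly the two files it shipped.
        sums = parse_checksum_list(f"{published}  tool.sh\n{published}  *tool-mirror.sh\n")
        (root / "tool.sh").write_bytes(original)          # intact download
        (root / "tool-mirror.sh").write_bytes(altered)    # changed on the mirror
        (root / "extra.sh").write_bytes(original)         # never in the list
        return {p.name: verify_download(p, sums) for p in sorted(root.iterdir())}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The checksum list itself is only worth what its delivery channel is worth: fetch it over HTTPS from the project's own site (or check its signature where the project signs it), not from the same mirror that served the binary.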

One of the best attitudes that we can have to keep our networks secure is Humility. It helps keep our perspective where it needs to be. It keeps us from giving in to the "deadly sins" and helps us remember that we are all human and that we need to work together to make things secure.


H. Carvey said...


Great blog!

Sloth - I've seen a lot of IT guys who struggle with not having the time to do what they need to do, and do it right. I've also worked with IT guys who have stated that they have no intention of learning anything new.

I'd like to throw this out without being seen as too much of a shameless plug. I have a new book coming out next month, "Windows Forensic Analysis". It covers live and post-mortem analysis of Windows systems. I've used that material to put together a workshop through my employer. The idea of the whole thing is to somehow get the necessary knowledge in the hands of the IT guys. One of the greatest obstacles I see to the work I do (emergency response) is a lack of tier 1/front line knowledge on the part of the IT staffs we work with.

Like Cutaway, I'm a former Marine. We had a number of "immediate actions"...things we were trained to do immediately when a problem (M-16 or M-9 jammed, M-60 jammed, etc.) occurred. The goal of the book and workshop is to train IT staffs in immediate actions for IR. Too many times, we've received calls for assistance, only to find out that the IT staff "worked on" the issue for a month or more prior to calling us.

I know from experience that with the right tools and knowledge, those "slothful" IT guys will have a much better reaction time, and the inevitable incidents will be better understood and resolved.



Andy, ITGuy said...

Great point, Harlan. Too often the lack of understanding (whether from apathy or lack of training) is a major factor in effective incident response. I'm glad to support any effort that will help get good, affordable training in the hands of the front line guys. I hope the book does well. I'll look for it to hit the shelves soon.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.