Security's Everyman

Tuesday, June 12, 2007

Why IT doesn't really get security

Since I started my new job there have been four (4) different occasions where members of the IT staff have handed me their USB thumb drives to transfer data to. These are guys I work with daily, but I don't know them and they don't really know me. One guy even gave me a U3 drive.

Now I take all the normal precautions against getting owned this way. Autorun is disabled and I have HIPS and AV installed on my laptop. While 3 of the 4 stood by as I copied the data to their drive, the other one gave me his drive and walked away. I had it for over an hour before he came back for it. Those who did stay with me weren't paying attention to what I did. I could have copied data from their drive to my laptop or copied more than they expected to their drive.
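The precaution named above, "Autorun is disabled", is a concrete Windows setting, and the reason it matters for a U3 drive is that U3 presents part of the stick as a virtual CD-ROM so that Autorun fires the launcher on insert. The following check is an added example and is not code from the original post; it assumes a Windows host with PowerShell and reads the standard Explorer policy values (`NoDriveTypeAutoRun`, and `HonorAutorunSetting` on older releases) to confirm Autorun is off for every drive type.

```powershell
# Added example (not from the original post). Reports whether Windows Autorun is
# disabled for all drive types, the mitigation the post relies on when accepting
# an unknown USB/U3 drive. Assumes a Windows host; only standard registry paths used.

function Test-AutoRunDisabled {
    $explorerPolicy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $results = @()

    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "$($hive):\$explorerPolicy"
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        # NoDriveTypeAutoRun is a bitmask with one bit per drive type.
        # 0xFF sets every bit, so Autorun is suppressed on removable, fixed,
        # network, CD-ROM and RAM drives alike. Anything less leaves a gap.
        $allDisabled = ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
        $results += [pscustomobject]@{
            Hive               = $hive
            NoDriveTypeAutoRun = if ($null -ne $value) { '0x{0:X2}' -f $value } else { '(not set)' }
            AllDrivesDisabled  = $allDisabled
        }
    }

    # On Windows XP / Server 2003 / Vista the updated shell only honours
    # NoDriveTypeAutoRun for all volume types once HonorAutorunSetting = 1
    # exists under the HKLM policy key. Newer Windows does not need it.
    $honor = $null
    if (Test-Path "HKLM:\$explorerPolicy") {
        $honor = (Get-ItemProperty -Path "HKLM:\$explorerPolicy" -ErrorAction SilentlyContinue).HonorAutorunSetting
    }

    [pscustomobject]@{
        PerHive            = $results
        HonorAutorunSetting = $honor
        # Machine policy is what an admin should rely on; the user hive is informational.
        Effective          = ($results | Where-Object Hive -eq 'HKLM').AllDrivesDisabled
    }
}

# Usage: print the summary and a one-line verdict.
$state = Test-AutoRunDisabled
$state.PerHive | Format-Table -AutoSize
if ($state.Effective) {
    Write-Output 'Autorun is disabled for all drive types (machine policy).'
} else {
    Write-Output 'WARNING: Autorun is NOT fully disabled; set HKLM NoDriveTypeAutoRun to 0xFF.'
}
```

The machine-hive value is the one that counts under Group Policy; a user-hive value of 0xFF with no machine policy means the protection depends on whoever is logged in, which is exactly the kind of gap the post is describing.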

This is just a sampling of part of the problem the average IT guy has when it comes to really understanding security. They may get some of the more obvious security concerns, such as how to secure a router or how to properly secure data on a shared drive. They may even understand some of the risks associated with various activities, but if they continue to pass around USB keys to people they don't really know (and walk away!) then there is a problem. I think many IT professionals do things like this because they figure they can trust one another, and hopefully they can, but carelessness in one area will eventually lead to more carelessness unless they are very aware of their actions.

Another problem is that many IT departments are understaffed and are always working in crisis mode. Even if they want to implement security best practices, they don't have the man-hours to do so. It's patch things together and plan on coming back to fix it later. Unfortunately, too often later never comes. And if the department isn't understaffed, it has the problem of lack of communication. One department is working on an initiative and another department is working on its own project, and they never meet to discuss how they may affect one another. Then you have two projects that work against each other instead of together. Any security measures one may have could be voided by the other.

I could keep going on and on with this but I think you get the point. Security doesn't come naturally for end users or most IT guys. It's something that has to be fought for. That's our job.


Anonymous said...

I don't know. I used to be of the opinion that security in all aspects – for instance, the USB drive example – was of the utmost importance. Further, that instilling this attitude across an organization was important. As I’ve had the chance to be involved with lots of different IT organizations – from small shops, to enterprise shops, the thing I’ve come to accept is that we’ll never convince a material number of stakeholders to “think like us”. We can do training events, “interview” stakeholders, and put up security-conscious posters in the hallways. But, we’re not going to have a material impact. I think that’s just being realistic. In fact, if we did have a material impact, it would probably be net-negative for our profession, and our economy – not to mention our businesses.

Take a step back further with me… do you really think that “thinking like us” is a good thing? Does it make your life better – not knowing if you can trust anyone? Does it – in the macro sense – when applied across an entire organization – contribute in a net-positive way? If every group had a “defense-in-depth” (DiD) in mind when they did things like… share USB drives, contribute in staff meeting, help someone with their PC, or write scripts to automate stuff… (There’s a DiD component to each of those interactions) it would make life impossible. Productivity would decrease dramatically, and even Europe would start outpacing the U.S. in productivity gains.

I think security has a place – indeed an important place – as a component of your business strategy. I think a best-effort approach is important. Monitoring, and metrics – all good. And I’ll always be happy to contribute where I think it’s relevant or net-positive for me to interject some DiD-fu. Security at the perimeter – important. Relative security in terms of network infrastructure – using VLANs, ACLs, putting stuff that makes sense into DMZs, adding WAPs to guest segments, doing IDS/IPS where appropriate, AV, anti-spam, patching, maybe even antimalware and HIDS – all good things! Teaching users to try not to share USB drives… ok, but that’s pretty much where I stop. I’ll recommend that users not share USB drives. I’ll explain the risks; I’ll even come up with some numbers to support the direction. But I won’t evangelize or preach DiD to our employees and stakeholders without management consensus – because that’s a war that can’t be won. I won’t go around and lecture about how they shouldn’t do “X” or “Y” because I’ll develop a perception issue. I think that the “security” vision is set from the top down, and executed from the bottom up. If there’s no top-down direction, we execute a “best-effort” approach.

If I can’t make it seamless, or reasonably seamless, then I don’t do it. The questions that I always ask myself are these… “Will doing X increase revenue?” “Will doing X result in an in-any-way arguable net-positive result for the business?” “Is this a mostly real risk, or a mostly imaginary risk? – or, is it likely that this vulnerability will be exploited?” “If it were exploited, what would be the cost to recover?” If exploited, will there be a hard-dollar value associated with the loss? Or is it all soft numbers and productivity-based calculations? If the latter, then it’s a no-go for my organization.

Andrew said...

Sounds to me like they need a lesson. When they hand you their thumb drive next time, kindly thank them, put it in your pocket, and take it home :)

CypherBit said...

I'm curious to know which HIPS you have on your system(s)?

Andy, ITGuy said...

Cypherbit, I currently am running Blink from Eeye.

LonerVamp said...

Excellent post, and you hit a few nails in it. I'd post more, but I think stuff like this is best discussed further over a beer or two. :)

CypherBit said...

Thank you for the reply. eEye does make some nice software.

Keydet89 said...

Interesting post...the thing is, though, it misses a significant point...why do IT guys think this way? They do, because that's what they're paid to do. Think about it...who manages their time, gives them direction, and has a significant effect on scheduling their day?

Senior management.

If senior management made a requirement for security...say, if an intrusion occurred and senior management started asking some really tough questions about why it occurred and what happened during the response, things might be different.

Security guys are seen by the IT guys (in many cases) as having just a hammer and seeing everything as nails. This is a reaction to working in an environment where security is an afterthought, at best.

Allen Baranov, CISSP said...

I'm going to blatantly self-promote my blog because I have a post explaining my feelings on this exact issue

Essentially I agree that IT guys are always in crisis mode - if they aren't then you are overstaffed. Their eyes should always be on "availability" too. It is the Security Department's job to focus on security.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.