
You Too Can Stink at Information Security!

Level 12

“Security? We don’t need no stinking security!”

I’ve actually heard a CTO utter words to this effect. If you subscribe to a similar mindset, here are five ways you too can stink at information security.

  • Train once and never test

Policy says you and your users need to be trained once a year, so once a year is good enough. Oh, and make sure you never test the users either—it’ll only confuse them.

  • Use the same password

It just makes life so much easier. Oh, and a good place to store your single password is in your email, or on Post-It notes stuck to your monitor.

  • Patching breaks things, so don’t patch

Troubleshooting outages is a pain. If you don’t patch and you don’t look at the device in the corner, then it won’t break.

  • The firewall will protect everything on the inside

We have the firewall! The bad guys stay out, so on the inside, we can let everyone get to everything.

  • Just say no and lock EVERYTHING down

If we say no to everything, and we restrict everything, then nothing bad will happen.

OK, now it’s out of my system—the above is obviously sarcasm.

But some of you will work in places that subscribe to one or more of the above. I’ve been there. But what can YOU do? Well, it’s 2020, and information security is everyone’s responsibility. One thing I commonly emphasize with our staff is that no cybersecurity tool can ever be 100% effective. To even think about approaching 100% efficacy, everyone has to play a role as the human firewall. As IT professionals, our jobs aren’t just to put the nuts and bolts in place to keep the org safe. It’s also our job to educate our staff about the impact information security has on them.

So, let’s flip the above “tips” on their head and talk about what you can do to positively affect the cyber mindsets in your organization.

Train and Test Your Users Often

Use different training methods. Our head of marketing likes to use the phrase “six to eight to resonate.” You’re trying to keep the security mindset at the front of your staff’s consciousness. In addition to frequent CBT trainings, use security incidents as a learning mechanism. One of our most effective awareness campaigns was when we gamified a phishing campaign. The winner got something small like a pair of movie tickets. This voluntary “training” activity got a significant portion of our staff to actively respond. Don’t minimize the positive effect incentives can have on your users.

Lastly, speaking of incentives, make sure you run actual simulated phishing exercises. It’s a safe way to train your users. It’s also an easy way to test the effectiveness of your InfoSec training program and let users know how important data security is to the business.

Practice Good Password Hygiene

Security pros generally agree you should use unique, complex passwords or passphrases for every service you consume. This way, when (not if) an account you’re using is compromised, the account is only busted for a single service, rather than everywhere. If you use passwords across sites, you may be susceptible to credential stuffing campaigns.

Once you get beyond a handful of sites, it’s impossible to expect your users to remember all their passwords. So, what do you do? The easiest and most effective thing to do is introduce a password management solution. Many solutions out there run as a SaaS offering. The best solutions will dramatically impact security, while simplifying operations for your users. It’s a win-win!

One final quick point before moving on: make sure someone in your org is signed up for notifications from haveibeenpwned.com. At the time of this writing, there are over 9 BILLION accounts on HIBP. This valuable free service can be an early warning sign if users in your org have been scooped up in data breaches. Additionally, SolarWinds Identity Monitor can notify you if your monitored domains or email addresses have been exposed in a data leak.

Patch Early and Often

I’m guessing I’m not alone in having worked at places afraid of applying security patches. Let’s just say if you’ve been around IT operations for a while, chances are you have battle scars from patching. Times change, and in my opinion, vendors have gotten much better at QAing their patches. Legacy issues aside, I’ll give you three reasons to patch frequently: Petya, NotPetya, and WannaCry. These three instances of ransomware caused some of the largest computer disruptions in recent memory. They were also completely preventable, as Microsoft released a patch plugging the EternalBlue vulnerability months before attacks were seen in the wild. From a business standpoint, patching makes good fiscal sense. The operational cost related to a virus can be extreme—just ask Maersk, the company projected to lose $300 million dollars from NotPetya. This doesn’t even account for the reputational risk a company can suffer from a data breach, which in many cases can be just as detrimental to the long-term vibrancy of a business.

Firewall Everywhere

If you’re breached, you want to limit the bad actors’ ability to pivot their attack from a web server to a system with financials. This technique is demonstrated with a DMZ approach. However, a traditional DMZ may not be enough, resulting in the rise of micro-segmentation over the last few years. The fun added benefit you can get with a micro-segmentation approach is as you’re limiting the attack surface, you can also handle events programmatically, like having the firewall automatically isolate a VM when a piece of malware has been observed on it.

Work With the Business to Understand the “Right” Level of Security

If you’ve read my other blog posts, you know I believe IT organizations should partner with business units. But more than a couple of us have seen InfoSec folks who just want to lock everything down to the point where running the business becomes difficult. When this sort of combative approach is taken, distrust between the units can be sown, and shadow IT is one of the possible results.

Instead, work with the BUs to understand their needs and craft your InfoSec posture based on that. After all, an R&D team or a Dev org needs different levels of security than credit card processing, which must follow regulatory requirements. This for me was one of the most resonant messages to come out of The Phoenix Project: if you craft the security solution to fit the requirements, the business can better meet their needs, Security can still have an appropriate level of rigor, and better relationships should ensue. Win, win, win.

Security is a balancing act. We all have a role to play in cybersecurity. If you can apply these five simple information security hygiene tips, then you’re on the path towards having a secure organization, and I think we can all agree, that’s something to be thankful for.

42 Comments
MVP

Wise words.

Level 13

Nice article!  I like the sarcasm at the beginning hahaha. 

Level 13

Love the attention-grabbing headline. Thumbs up on all of these - so true.

Level 13

Thanks for the Article

Level 10

I saw a guy give a presentation on security where he said that they don't patch in their environment because it is so disruptive to their students (he is the CISO at a university). We were all appalled at that statement, as we schedule our lives around our patching activities. The other half of the presentation was another guy talking about the CyberSecurity program at that same school.

Level 8

Very nice article!

Level 12

Thank you very much!

Level 12

Unfortunately it's not an uncommon thought process. The best we can do is try to educate folks on the dangers of these approaches.

Level 12

I'm used to people calling me something else that starts with Wise...

Thanks for the compliment.  😄

Level 12

I wanted to bring a bit of levity to the fact that people are still struggling with some of these concepts. It's not unusual, but as we roll into 2020, it's time for us all to put some of these bad habits behind us.

Level 12

Thank you very much. I hope it helps people out.

Level 12

Happy to share!

Level 12

I once interviewed at a company that required applicants to give a presentation; I chose password security. During the presentation, an executive said that nobody could get him to reveal his password, then idiotically said the password is his son's name and birth year. "Oh," I replied, "how old is your son? I have a daughter who's eight." The guy answers, we talk about our kids for a moment, then I said, "My daughter's name is (redacted). What's your son's name?"

After he answered I said "You just gave away your password."

Unsurprisingly, I didn't get the job.

Level 12

This is amazing on multiple levels! Good on you for teaching a room full of folks a lesson on password security and data collection.

MVP

Nice write up, thank you.

Level 12

So true, so true.

Level 12

I'm happy to share. Thanks for reading!

Level 12

Thanks! 

Yes. yeees! This is good.

However:

PRACTICE GOOD PASSWORD HYGIENE is a little bit unique in where it stands in 2020. A lot of people have not kept up with what NIST recommended, which was actually great! NIST does not recommend changing passwords anymore because it trivializes security, nor making them complex in the workplace. New password guidelines from the US federal government via NIST:

  • Remove periodic password change requirements
    This is one that legions of corporate employees, forced to create a new password every month, will surely be happy about. There have been multiple studies that have shown the requirement of frequent password changes to be counterproductive to good password security; but the industry has doggedly held on to the practice. This will remain controversial for some time, I am sure.
  • Drop the algorithmic complexity song and dance
    No more arbitrary password complexity requirements, needing mixtures of upper case letters, symbols and numbers. Like frequent password changes, some claim these password policies can result in worse passwords.
  • Require screening of new passwords against lists of commonly used or compromised passwords

At home, you should absolutely use password generators. Something to not forget is *AT HOME*. It's just as important to remember services like Identity Protection (infoarmor) for home and manage password generation as well.

If you were in the room with me as I said this, I would give you a high five and yell "I'm with you 100%" at the top of my lungs.

Paul
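The article's suggestion to watch haveibeenpwned.com and the NIST item above about screening new passwords against lists of commonly used or compromised passwords come down to the same check. Here is an added example of that check, written for this discussion and not code from the author, SolarWinds, or HIBP. It uses the real Pwned Passwords range API (only the first five hex characters of the SHA-1 hash leave your network, so the service never sees the password or its full hash), plus a small local denylist and the NIST SP 800-63B minimum length of 8 characters. The denylist words, the canned range response, and the breach count of 1,000,000 in it are constructed for the example so that it runs offline.

```python
"""Screen a candidate password the way NIST SP 800-63B asks for:
minimum length, a local denylist, and a lookup against breached
passwords via the HIBP Pwned Passwords k-anonymity range API.
Example code, not from the original post."""
import hashlib
import urllib.request

# Constructed local denylist; a real deployment loads a much larger list.
LOCAL_DENYLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets

# Constructed range response keyed by the 5-character hash prefix.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its
# suffix appears under prefix 5BAA6 with a made-up count.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000\n"
             "0000000000000000000000000000000000A:0\n",
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the hash HIBP indexes on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str, suffix: str) -> int:
    """Return the breach count for `suffix` in a range response, or 0.
    Each response line has the form 'HASHSUFFIX:COUNT'."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup: fetch all hash suffixes sharing this 5-char prefix."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "password-screen-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def offline_fetcher(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed data above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def screen_password(password: str, range_fetcher=fetch_range, context_words=()) -> dict:
    """Apply every check and report all reasons, not just the first one."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in LOCAL_DENYLIST:
        reasons.append("on local denylist")
    # Context-specific words (username, service name) are also disallowed by NIST.
    for word in context_words:
        if word and word.lower() in password.lower():
            reasons.append(f"contains context word {word!r}")
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    pwned_count = parse_range_response(range_fetcher(prefix), suffix)
    if pwned_count > 0:
        reasons.append(f"seen {pwned_count} times in known breaches")
    return {"ok": not reasons, "pwned_count": pwned_count, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("password", "short", "correct horse battery staple"):
        print(candidate, "->", screen_password(candidate, offline_fetcher))
```

Pass `fetch_range` (the default) instead of `offline_fetcher` to query the live service; the rest of the logic is unchanged. Running the check at password-set time, rather than forcing periodic rotation, is the behaviour the NIST guidance above describes.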

Level 12

You are 100% on point with your recommendations designerfx! Thanks for adding to the conversation!

Level 14

Very good write up. Thank you!

Level 12

Love it! Thanks Paul!

Level 12

Appreciate the kind words! Let's keep spreading this security message!

Level 12

Thanks for the write up.

Level 12

Thanks for reading up.

MVP

Nice article. I've been at this for a very long time (IT security, not writing this comment) and remember when several of those thoughts were considered true throughout the industry. i.e. patching. Ahhh, the old days when you examined what a patch did and if it wasn't fixing something that you actually experienced it got nixed - back before everything had a vulnerability and all systems were under attack.

The shame is that many professionals, at all levels, haven't kept abreast of how things are changing (the point of your article I believe) and still hold to these ideas.

What I really, really want (sarcasm) is to stink so badly that I get fired with one of those golden parachutes where they give you $30 Million dollars to leave the company - Now HOW Does One Negotiate that?

Level 12

Excellent article, loved the title!

Level 12

I think what you're talking about Richard was definitely part of my mindset. Some have not evolved and with the state of the world, that's no longer an option...  I think even more than that however, was the fact that security needs to be everyone's responsibility these days. This is something we preach throughout our organization, from the CEO down to the new hire who's going through orientation, we all have a role to play in being secure.

Frankly, if you have a moderately mature InfoSec program, this post probably isn't for you. HOWEVER, if you need to get started on a program, IMHO these are the easiest and most impactful things that you can do immediately to begin taking a stronger posture.

Level 12

Thanks!

The published title is the P.C. version.  😉

Level 9

Great article and dialogue.  How are people screening passwords to be fully compliant with the new NIST standard?

Thanks, Tom

Level 12

Fantastic question! I've been hesitant to pay for a solution, but also struggled to come up with something in house. I'm hopeful we get some good responses here!

Thanks Tom!

Level 20

Many companies security is like an egg... hard on the outside but soft and squishy on the inside.  Insider threat is a big part of current day security architecture.

Level 12

100%!! 

Other than segmentation/micro-segmentation, and an effective DLP, what are you seeing out there to combat this threat?

Thanks for reading!

Level 12

Frequent password change policies never made sense to me. I'm glad to see NIST recognize this doesn't improve security.
At my university, they stored all passwords anybody had ever used on the system they had at the time. You had to have an entirely unique password at each change. This was incredibly idiotic!

Regarding oil, it's expensive to drill a new well. It's far more expensive to do offshore. So why is anyone surprised that some of the leaders in AI are selling algorithms used by the petroleum industry?

Level 12

I completely agree with you on frequent password changes. I’m guessing you saw this when it came out. http://www.bbc.com/news/technology-40875534

Can you expand on your oil comments? I think I missed something....

cheers

Level 13

Great title.  So true

Level 12

Thank you! I'm glad you found the content relevant, and it was a ton of fun to write. 

Level 8

AWESOME!

Especially the part about user training and simulation. scott.driver  I'm curious, do you have anything you use in particular? I'm very familiar with Wombat/PSAT but would be curious as to others experiences.

Level 12

Thank you andre. I'm humbled by the responses to this post.

We use knowbe4 for both education and phishing simulations. Security Awareness Training | KnowBe4  They're good, not great, but it works for us.

I know Duo has a free service. I haven't used their phishing simulation, but I really like their mfa, so...

I'd say that the more important part is that you're doing it, which it seems like you are. We've found trainings combined with our simulations to be a really effective way to keep staff attentive.

Aside... I searched for Wombat and Phish... and google gave me a video of my favorite band! lol  (horrible song though) https://www.google.com/search?q=wombat%20phish

Level 12

thanks for the post ! !

Level 12

Thanks for reading along!

About the Author
https://virtualvt.wordpress.com/ https://twitter.com/VTsnowboarder42 https://www.linkedin.com/in/scott-driver42/