Goldilocks does security
When I was a small child, I loved the story of Goldilocks and the Three Bears. In case you’re not familiar with the story, the relevance to security is that Goldilocks chooses things that are not too little, and not too big, but are “just right”.
Some Security Solutions are 'Too Big'
Some security solutions are very much “too big”. These use draconian controls that severely limit the ability of people to do their work, and they tend to be created by people who think that security is more important than running the business and satisfying customers.
One example that I came across in a very large organization involved sales people, who needed to share confidential documents with customers. The organization created a very secure file sharing service to enable this. The service worked well for existing customers, but it took two full weeks to review the credentials of every new customer and create the secure account required. Naturally, sales people didn’t want to wait two full weeks before they could start communicating with potential new customers, and the organisation probably couldn’t afford for them to wait that long to cement the new relationship either. So the sales staff did the obvious thing. They used freely available public file sharing services to share documents, while they were waiting for the highly secure authorized service to be configured. Paradoxically, the result of implementing a highly secure file sharing service was that sensitive documents were placed on much less secure public file sharing sites. A technically less secure solution, that would actually work in the time frame needed by the business, would certainly have proved more secure in practice.
Another example is organizations that insisted on staff using complex passwords that had to be changed every 30 days. Predictably, this resulted in people writing their passwords on notes that they kept by the keyboard.
I have seen similar situations in many other organizations. Security people see risk, but don’t fully understand the business process. They implement security controls that are fully capable of mitigating risk, but that don’t work for the business; and then business people ignore the controls so that they can get on with their work. The result is invariably that organizations are less secure than they would have been if the controls had been less restrictive in the first place.
Some Security Solutions are 'Too Small'
Some security solutions are “too small”. They fail to implement obvious and simple controls and so expose the organization to significant risk of an embarrassing security incident.
For example, we all know that, far too often, ransomware attacks succeed because readily available security patches have not been installed. Attacks may exploit vulnerabilities for which a patch was released many months earlier simply because the organizations concerned don’t have a basic patch management process to ensure that security patches are installed in a timely manner.
Another example is what can happen when organizations fail to restrict what can be connected to their network. Some of them have suffered major denial of service attacks, launched by internet connected devices such as light bulbs and microwave ovens. Staff had installed these inside the company firewall, because there was no restriction on what could be connected to the network.
Doing the 'bear' minimum
There are many different frameworks to help organizations manage their security, but I really like the UK government Cyber Essentials Scheme. This is very simple, and recommends these five key controls that every organization should implement:
- Boundary firewalls and internet gateways – these are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices, whether in hardware or software form, is important for them to be fully effective.
- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
- Access control – ensuring that only those who should have access to systems have access, and at the appropriate level.
- Malware protection – ensuring that virus and malware protection is installed and is up to date.
- Patch management – ensuring that the latest supported version of applications is used and that all the necessary patches supplied by the vendor have been applied.
If I had written the list then it would have included one or two “people” related controls, as well as these technology and process controls. For example, “Deliver regular security awareness training to all staff”. Nevertheless, if every organization got these five things right then we would see far fewer security breaches.
Getting Security Just Right
It needn’t be that difficult to do more than the bare minimum, once you grasp that security is not simply a technical issue but is all about managing risk. Think about the benefits, as well as the risks, of what you are planning. Remember that you don’t need to implement every conceivable technical control, but you do need to protect yourself against things that are likely to cause you harm. You need to think about what those things are, and to accept that they vary. An acceptable risk in one context can be an unmitigated disaster in another.
And do try to avoid taking high risks when the benefits are low. This applies equally to security in the home as in the office. You may have very good reasons for using an internet-connected toothbrush, but do the benefits really outweigh the risks of introducing an insecure device to your network? I am not making the judgement here, but you need to. I am not saying that nobody should have an internet-connected toothbrush; that depends on your understanding of the benefits and the risks. I am saying that you need to make this judgement, or you may find yourself accepting more and more risk with no corresponding benefit.
Similarly, if you are responsible for security policy in a corporate environment, try to create rules that actually work for real people. Don’t tell your sales people that they can’t talk to customers for two weeks. It won’t work. Do make sure that you understand the costs, benefits and risks of every control you implement, and try to be like Goldilocks. Not too much security, not too little, but just right.
Three bears image: thecmn
Site hazards image: Stuart Rance
Toy padlock image: Steve Johnson