The 10 Worst Security Practices

Security specialists are constantly on the lookout for proven methods we can replicate to keep our networks and data safe. Independent consultants provide an outsider's perspective and carry with them the aggregate experience of helping hundreds of clients. But not every practice consultants see in the field is a good one--in fact, they encounter some stunningly bad ideas. Because sometimes one whopper of a mistake can be more instructive than a binder's worth of best practices, we interviewed more than a dozen security consultants to arrive at our 10 worst practices list. See which ones apply to you, then check our links for advice on how to do things better.

If you find a security hole, buy a product to fix it. There's a prevailing, and dangerous, belief among information security pros that for every problem, there is a tool. As long as we have the right technologies in place--antivirus, antispam, firewall, patch manager, VPN, PKI, IPS, IDS--we feel safe.

Trouble is, products are only as good as the person who configures and monitors them. "A tool is there to assist, not do the job for you," says John Pironti, a security consultant at Unisys. "Always remember that you are at least 50 percent smarter than computers. Computers know 'yes' and 'no,' but we know 'maybe.' We can evaluate more variables because there are only so many you can put into a tool."

Consider intrusion-detection and intrusion-prevention systems. They don't work well out of the box. You must teach them what to look for, and once they're running, you must monitor their logs and look for attack patterns. Even some IT shops that do a great job configuring IDS and IPS products stumble because they don't adequately monitor the voluminous log reports generated by these tools."The problem is that it's no one's job to do this," says Mark Mellis, a consultant at SystemExperts Corp., a Sudbury, Mass., security boutique. "These products are noisy. They generate large amounts of log information. The only time anyone looks at them is when the disk fills up, and then a lot of data is thrown away."

That's a mistake, Mellis and his colleagues say, because a careful log reading--even a quick scan--can reveal a lot about how systems run and which attacks are being attempted. From there, you can set your tools to look for patterns and raise alarms. It's a constant tuning process.

Relying too heavily on tools can also lead to technology overkill, which may contribute to losing sight of the big picture. If you have a spam problem, a strong filter may seem obvious. But if the tool is too aggressive, it will generate false positives--too many of those and your users will circumvent corporate e-mail.

Users often disable desktop firewall functions for the same reason. They get annoyed when a pop-up message issues a warning as they try to download a utility or an MP3 file, and they disable the alerts. The lesson, consultants say, is that data security is more than a checklist of products. "Security isn't something that you buy, it's something you do," Mellis says.

• What to do instead: If you're awash in log data, consider a SIM like GuardedNet's neuSecure. (We took version 3.0 for a Test Run.)Ignore the human element. Once you accept that security is more a behavioral problem than a tech problem, you begin to understand how important it is to create and enforce usage policies.

"What's the current problem that everyone is talking about? Phishing," says Eric Maiwald, a security analyst at the Burton Group. "Phishing is about social engineering. It's about lying and getting users to do something I want them to do, like give me personal information. What can a product do to prevent this? Not a heck of a lot. It's about awareness."

Corporate policy sits at the intersection of technology and employee behavior. Policy development should be a team effort between business and IT leaders. Sure, some policies are mostly technical (restricting a PC based on its configuration), but other policies are purely behavioral (don't write your password on a yellow sticky note). Both are equally important.

• What to do instead: If you don't have a security policy, write one, and make sure everyone in your organization reads it. See "Got Discipline?". And if you think you don't need a policy, security expert Wayne Rash begs to differ.

"Full speed ahead and damn the torpedoes" is our motto. Some 43 percent of respondents to our Strategic Deployment Survey said their companies didn't have security policies. Stuart McIrvine, director of corporate security strategy at IBM, thinks he knows why. "They make decisions incident by incident," says McIrvine, who heads an eight-person team that oversees IBM's security strategy across its product portfolio. "They don't have a comprehensive risk-management strategy."

Aggravating this problem is the fact that data security has always been an IT function, and technical expertise is considered paramount. As a result, crossover disciplines--HR, legal and training--are considered someone else's job, says Doug Landoll, a consultant at Veridyn, an Austin, Texas, security boutique. Technologists are trained to fix problems using technology.

Fortunately, a corporate risk-management strategy can help fill the security crevices between various IT disciplines. Many system admins, for example, don't do any security testing when they roll out new servers, says Chris Wysopal, director of development for Symantec's global services division, formerly @stake. "They're not taking the extra step and saying, 'Has what I put in place compromised the security of the network?'" he says. For example, the use of default passwords on one system may provide access to other systems.

Also, some of the most important security problems can be solved using a cross-disciplinary approach. "I can solve many Windows problems by changing access control lists on my Cisco router," Mellis says.A corporate risk-management strategy gives all interested parties a list of priorities. If you're an online retailer and five servers generate $17 million per day in revenue, you may do more to safeguard those servers than you would to protect, say, the employee portal, McIrvine says. And Sanford Sherizen, president of Data Security Systems in Natick, Mass., suggests requiring a security impact statement prior to any major system enhancements or workplace changes.

• What to do instead: Put together a cross-discipline team to determine danger zones for your organization. See "Calculating an IT Risk Management Strategy,".

To run a tight ship, take an authoritarian approach. A favorite word among infosecurity managers is, "No!" (That's right, with the exclamation point.) Some IT departments have developed a reputation as the group that perpetually dictates what you can't do, in the name of security.

But this rep can be detrimental over time. "Security people have a tendency to turn off other people, not only in the user population but in management," Maiwald says. "If these folks say no enough times, they will get marginalized."

Kelly Hansen, CEO of Chicago security consultancy Neohapsis, says that saying no is a lazy way out. "A lot of times the no is out of fear," says Hansen, who writes the Secure Enterprise "Lunch With Kelly" column (see page 6). "You don't think it's going to work, you don't have the time to investigate, and it's easier to just say no. That earns you a reputation that you're not a business enabler but a fly in the ointment."One infosec department that Hansen works with has developed a "Just Say Yes" program. If a business manager comes to a security admin to ask about installing a wireless AP (access point) in a sensitive area of the building, for instance, the admin will now more likely say, "I understand the request and it sounds great. Here's a letter outlining the risks. Would you be willing to sign off on it?" If the business manager sees pitfalls spelled out, he or she is more likely to ask the admin for recommendations, and take that advice. This approach makes the business manager and the security admin joint stakeholders in solving a problem.

Indeed, we should view security measures not as inhibitors but as enablers. "What does security allow you to do that you couldn't do before? How does it open a new area of the business?" Maiwald says.

• What to do instead: An effective way to get new business projects off the ground while maintaining security is to put a change-management system in place; see our 11-step program.

Make access privileges an all or nothing proposition. On many enterprise networks, once you're granted access with a user name and password, you can roam freely. Never mind that you're a business partner who only needs access to one internal Web server; your digital passport is valid across the land and the checkpoint guards wave you through.

When internal systems have no authorization or access controls, you're risking disaster. "Once an attacker gets inside, or an insider turns bad, the game is totally over," Wysopal says. "Some compartmentalization of the internal network can make it so you're not just one vulnerability away from total compromise."The danger is especially acute when you consider how many organizations have or are deploying wireless LANs. Many still don't configure their APs to restrict access to employees, effectively allowing anyone within range onto the network. Just take your laptop down to New York's financial district or midtown and see how many open APs there are, Mellis says.

It's worth the time and labor investment to give workers and guests just enough access to do their jobs--and no more. And don't forget to include system admins in this model. They, too, should not be granted carte blanche access.

Once you centralize ID management, adopt other sound security practices, like tracking login failures to reveal when someone is trying to systematically break in using different password combinations, says Dick Mackey, a principal at SystemExperts. Also, make it a habit to check that unused network services are turned off, and that users who leave the company lose their access rights as soon as possible.

• What to do instead: For our how-to on preventing unauthorized access, see "Fortifying Your Network Access Control".

Treat all data as equal. In the scheme of things, a wholesale network intrusion isn't nearly as likely as malicious access to selective bits of information. Compartmentalization is one way to prevent unauthorized access to data."A lot of data leaks are because companies don't classify their data," says Bill Burk, CEO of Security Consulting in St. John, New Brunswick. "The government is great at that: top secret, secret, confidential and private, straight down to the public domain."

Classification governs both digital and printed files. "A strategic marketing plan for next year shouldn't be lying around on someone's desk," Burk says.

• What to do instead: See our seven-step plan for classifying and protecting data.

Back up everything, every night. Since the Sept. 11 terrorist attacks, enterprises have invested billions to create so-called hot backup sites that house a mirror image of corporate data at a separate geographic location. This way, you can still conduct business even if your main data center disappears, either because of a physical disaster or a cyber attack.

Trouble is, too many IT shops unwittingly introduced security risks as they built these backups sites, Pironti says. Often, mirroring is a nightly automated occurrence. All data--good and bad--is replicated and no one checks for file integrity.The implications can be dire. If an attack is already under way at the moment files are replicated, you risk spreading the attack to your hot site.

"I've experienced real incidents of this," Pironti says. "An attacker will lay code down for a couple of weeks, let you back up, and as soon as you bring up the second facility, the attacker goes in. So, first Site A goes down, and when you bring up Site B, the same thing happens."

He recommends at least two fixes. First, all data should be scanned and analyzed before it is passed from Site A to Site B. Second, consider using different hardware platforms and operating systems to build the hot site, to protect against viruses and Trojans written specifically for your main platforms.

• What to do instead: We issued an RFP for a disaster-recovery system that includes data protection with teeth; see "Natural Selection,".

Perform audits and penetration tests infrequently, and in-house. As you build out your IT infrastructure and upgrade OSs and applications, the complexion of your network can change dramatically. Upgrades and patches are so frequent, and IT tasks so specialized, that you can't wait two years between audits, Burk says. Audits must be performed at least annually, if not twice a year, he says. Vulnerability analyses and penetration tests must occur even more often, perhaps quarterly.Your security budget should also include funds to hire a third party to handle these services, consultants say. "It's a common mistake to say, 'This guy is good at this, let him check his work,'" Landoll says. "You don't check your own work. If a carpenter is building my house, I call an inspector to check his work."

• What to do instead: Do-it-yourselfers, see "How to Perform a Security Audit,".

Endpoints for everyone. Despite security expert preaching, to focus less on protecting the perimeter and more on specific IT assets, the typical enterprise still resembles the proverbial piece of fruit candy: "Hard and crunchy on the outside, soft and gooey in the center," Mellis says.

One reason is that companies are letting in more temporary and transient users. We set up SSL VPNs so that workers can get into the network from their home computers or from a trade-show kiosk; we provide wireless connections so that visiting consultants and photocopier repairpeople can connect with their laptops; we give partners passwords to get into our ordering systems, to save us labor.

As we set up these connections, we make sure the pipe is secure by encrypting the data. But too often we forget that these guest PCs may not meet our standards for cleanliness. For all we know, a user who has just logged in is connecting through an unprotected hotspot on a PC that has year-old virus signatures.The answer is to create a checkpoint area that users must pass through before entering the heart of your network. "When you VPN in, you enter the untrusted part of the network first," Wysopal says. "From there, your PC is scanned and validated, and then it's allowed access to internal resources."

While you're there, configure the VPN to limit what users can do from a remote location. "Do you need access to the whole company? Should you be developing software from home? If software is a crown jewel, don't allow it," Wysopal says.

Poor password policies can also compromise security. This is a particularly tenuous balancing act. If your policies are too strict--requiring, for example, the use of both letters and numbers, eight or more characters and frequent resets--you're just begging people to write down their passwords. If you're too lax, passwords will be easily guessed. Find the right middle ground.

• What to do instead: Consider deploying a network access control system; see "Inspected/Approved: Enforcing Endpoint Network Access,".

Make sure security is highly visible, even intrusive. In-your-face security is an invitation for people to find workarounds. Take the typical morning routine: First, users log on with passwords to Windows, then the Novell server, then the salesforce application. Once connected, they get constant alerts from your desktop firewall, your spam filter, your antivirus scanner.The result? Once some users log on, they never log off, even when leaving for the evening, because it's such a pain to repeat the procedure. And many users lower the settings on desktop firewalls and scanners to the weakest level to shut them up.

For this reason, Unisys consultant Pironti advocates allowing short, easy-to-remember passwords. He uses banks as an example of where that strategy has been successful.

"Banks have been careful not to put too much on the end user," Pironti says. "Look at PIN codes. We had four digits. People in the data-security world said that four digits are not secure because they are easily compromised by random number generators, and users would probably use years and birthdays. Then why did banks do that? Because four digits is the least common denominator that the public won't have to write down."

For banks, the benefits of short passwords outweighed the risks, and today people use ATMs without thinking much about security, because they trust the banks.

Of course, the best way to hide the complexity of security is to have a unified ID management system, under which you use the same smart card to get into the front door of the building as you use to log onto your PC. No passwords, no fuss. But this approach requires close coordination between those who handle physical and digital security, and such systems can be expensive.• What to do instead: ID management can get it under control; see "Identity Crisis,".

Process and Behavior

Most of these observations are about process and behavior rather than technology. That's not to say technology isn't important. But security pros generally have a mastery of bits and bytes and how to protect them. What's often missing is a sense of the big picture and how each separate alteration to the network affects the whole.

It may be that solid security practices come only when we accept that some risk will always be present. Like a bad romance, it seems that when we try too hard to fix every problem, we create more of them.

David Joachim is group editor of the Network Computing Enterprise Architecture Group. Write to him at [email protected].0