Don't be silly
Those four things look like processes to me. What an absurd notion. Everyone knows that security is a product, not a process. Now buy this firewall. It'll put security in your network. Honest.
The SANS Institute has endorsed the idea that Internet security is partly an IQ test, acknowledging Australia's Defence Signals Directorate for its work on how best to defend systems. The DSD's advice was that most attacks on most networks could be defeated with just four key strategies – patching applications and always using …
The firewall will also prevent all your servers from connecting to the vendor and receiving any software updates. So when your network gets compromised, all the wonks who run the firewall can blame it on the vendor for having shonky server software, and thus keep their jobs!
Sure, I agree with the "very minimum that should be required for someone administering security to actually keep their job" suggestion, but it's still too complex for the general public. As an industry, we've signally failed to make computers operable by the masses. Look at cars; people can drive them, even old and daft people; hardly anybody knows what goes on under the bonnet, but they're well-enough designed that most people don't need to. The home PC industry is still back in the Model-T Ford days, when everyone had to know how to change a spark-plug and crank the engine to start it themselves. We really have not managed to make them simple enough for the non-expert to use.
Back in that day though people were a tad more proactive about knowledge. The drivers would learn how to change a tire or check oil etc because it was how society was in a way. We lost that somewhere.
People expect computers to work like a toaster, yet do not want to even make the attempt to apply common sense to it. If, for example, you went to make toast and your toaster suddenly talked to you and said "if you toast with x brand bread only" then x brand bread would pay you 50 cents a slice, they would check their meds or verify what was drunk the night before. But when it comes via email, it must be true, they assume.
The biggest risk to security is the user, plain and simple. Yes, admins can try as they like to lock it down and take these basic steps (they best be), but alas users will always want to show the guy next door the file they got at home that allows them to chase the ball with the mouse as cats on bicycles ride across the screen, and they will go to great lengths to make it happen and bypass security.
Hold people accountable and if they get viri or malware etc start docking pay or handing out pink slips, make training more accessible, and explain it to them without the alpha geek method or IT attitude and maybe things will get better. A good number of these poor sods were tossed at a computer later in life and told basically "figure it out, it is just a very complex calculator".
Until the user is taught and comprehends, the whole security game is just a war with a potential front line breach in every cubicle. Proper security is great, yes, by all means it should be done and admins should not "be stupid", but alas it has to also roll downhill and apply to users also.
Yes, we need user education. It's not entirely the users' fault they don't get educated, though. Part of why this isn't happening is marketeering, and you know who's best in that field, though honesty bids me say far from the only ones. A certain other big one did a lot more to secure the foundations of their software, though. But anyway.
"Intuitive" software simply sells better, whether it actually delivers on that promise or not. And the predictable result is that nobody actually gets educated any longer. "No need." With again predictable results. How long has it been since you got a cogent email from an "average user"?
The main downside to this with regard to fixing the situation is that people no longer want to "be educated" both because the education's been so denigrating and because they've been told for so long there's no need. Which turns out to've been false. Ouch.
But education is not the end of it. There are also tools. I mean, if you expect people to use them then you might as well make sure they both do something useful and are more than remotely usable. And, well, they're lacking.
Heard the term "goober with firewall"? That's a term for instances in the steady stream of complaints from people who've just installed a "firewall" package and are now complaining they're "being hacked" by, well, things like those very suspicious replies coming in from port 80. Really. I've seen enough of it that I'm very glad I'm not in first line support. But the main point is that this sort of "security" software seems more bent on generating scary popups with warnings that the intended user cannot be expected to understand, never mind deal with properly.
The other extreme is not giving the information. But somehow the vaguely alarming popups were kept. I'm looking at you, Redmond's "security center", though again far from the only one. Since Redmond rarely throws anything away (click long enough and you'll find the '95 edition IP address configuration menus; it's just that every edition adds another "easier" (== more useless) layer on top, hiding the previous failure under a button labeled "advanced", that equally well might've been labeled "beware of the leopard"), their software gets more confusing with each version, not less. And when they do throw things away the replacements are shinier, much more CPU intensive and memory hungry, and not actually better. Just somewhat different.*
Bottom line, I'm saying you can't have security with an uneducated user but neither with an unsecurable** system. And we have both. Prepare for trouble....
On that note, SANS is on the wrong track. Security an IQ test? Well, computing is for smrt peeps so all peeps in computing are smrt. That sort of reasoning. Thank you ever so much for that wisdom.
* A bit like Linux replacing ifconfig with at least two successions of incompatible-with-everything-else-and-themselves replacements, because they couldn't be arsed to fix the (obvious, shameful) bugs in ifconfig itself. Where a certain other system did the latter, leading to lots less confusion and more interop. I.e., Redmond certainly isn't the only one to get this horribly wrong. They are a monopolist, though, so their failures impact many, many more people.
** Slapping on patch after patch and various 3rd party tools because the underlying system is so hopelessly bad is necessary but insufficient for that particular system. The obvious conclusion should be to ditch it and build a better system. Despite already having such systems around, that one company seems utterly unable to do it, next to, for at least a decade, entirely unwilling to even try. To me that's criminal negligence taken so far as to wrap around several times. No wonder they get away with it.
Well, I guess that I come into that category but being old means that I do know what goes on under the bonnet (hood to you Merkins) because I had to in my earlier years. The analogy with cars (automobiles) breaks down though because when the number of users became great enough, and there were mounting safety problems i.e. deaths and injuries, the authorities introduced compulsory assessment of driving skills. In the UK it was in, from memory, 1935. (No, I am not quite that old.) The answer was not to make cars uncrashable.
So a true analogy with cars should mean that, now there are a huge number of interconnected computers, then for the safety of others, never mind the safety of the owner, a form of assessment of computer skills should be a prerequisite for operating anything other than a stand-alone computer not connected to any type of network.
"old and daft": Age used to be associated with experience and caution. Perhaps I can spoil the youth-self-stroking by pointing out that mainly "youth" write the broken software, write malicious software and download malicious software with their latest-discovered "free" app.
Ancient, embarrassed memory reminds me that I was once just a callow "youth" (actually not that long ago) who did incredibly silly things in the name of security and cleverness. My younger and bolder colleagues still do. Car analogy still good: younger drivers are so good that the insurance companies charge them far higher premiums to reward their better skills, intelligence and knowledge.
As others have said: the simple things generally are most effective with least effort or irritating side effects; too much basic software in Linux and Windows is broken and is patched, hidden under a YAG (Yet Another GUI) or worked around rather than being rewritten at the point of failure. In addition, very few firms write for the end user; Linux authors especially tend to write for themselves, out of a depth of inexperience of real world users and just assume the end user will adapt to the tool or be happy to wait for the possible fix. Windows expects to hide behind YAG.
If a firm does make serious attempts to design around the user, the system is derided by the ignorati who pretend to be technical because they can spout some misused, misunderstood jargon and spurious figures showing how fast their favourite chip/gadget/download app is.
Of course, end users need some training. But where firms such as Apple score is, they design consistent interfaces for real people whose life is not in computing, minimising the training needed; yet, if you really want to play with your system at the most dangerous and deepest level, it is all there for you via the terminal app or Xterms (OS X of course, not the consumer items). Again, like a decent car: with some basic training, jump in and drive; with more curiosity, lift the bonnet and tinker (though that is ever less of an option with modern cars). Thought: why are the "geeks" of The Register not jumping up and down with rage at the hidden and unreachable electronics and programmes in their cars, compared to the old ones where a big hammer, screwdriver and wrench were enough?
But in order to progress from the Model-T we have ended up with mandatory insurance and a driving test.
If you had to show some level of competency before being allowed to take your shiny new machine for a spin on the Information Super Highway a lot of these problems would vanish.
"As an industry, we've signally failed to make computers operable by the masses".
Yes, not by any means a new insight but still a profoundly important one. To my mind, we are seeing the downside of (as usual) trying to have one's cake and eat it. The programmable computer was a huge breakthrough in many ways, but by its very nature it was NOT amenable to being sold as a mass-market consumer product. So up popped companies like Apple and Microsoft (in that order, please note!) to commoditise the computer. They did this by adding very complex, fragile, error-prone multimedia user interfaces and encouraging the growth of mass-market consumer applications such as music, video, interactive games, and most recently social networking.
Under the surface, your PC or iPhone or whatever is an almost unbelievably powerful and flexible general-purpose computer; but on the surface it is a flashily presented entertainment device (usually encased in shiny white, black, or rainbow plastic). No one is prepared to pick up the very high costs of making such a computer secure; but everyone and his brother wants a share of the massive profits that can be made from selling huge piles of them. As of now (for all values of "now") the top priority is NOT improving security, but making them ever flashier and more fascinating, while spending the absolute bare rock bottom minimum on security.
Really, you agree that application whitelisting should be a "minimum" even in a corporate environment? I've been a BOFH for quite a while and I don't know a single company that's managed to put that in place successfully. Since you're all for it, I assume you have it all wrapped up. Let me get my coat, I want to come see your setup.
Who needs common sense when you can buy a cure all? After an insistent "THERE ARE THREATS" popup from the Nortons that came bundled with my laptop, I had a look at the "threat map" it displays, showing the world as a bunch of winking pixels suggesting where these threats might be, with a "live" ticker of various malware below - not so live since wifi was off. It'll happily list the various cities on each continent and number of "threats" currently in each, painting a picture of a world of moustachioed villains waiting to kick your virtual door in. Funny thing is, it always ramps this up just about the time the subscription's a couple of months from running out.
I do wonder how much effort the antivirus bunch put into combating "threats" and how much they put into creating Star Trek style pseudo-functional marketing interfaces designed to persuade you the (vastly) overpriced subscription is all that stands between you and the gates of Hell. But then again, trying to sell a box with a piece of paper inside saying "use your brains" probably wouldn't raise enough dosh for that second villa in Spain.
It's hard for the average casual user to know what constitutes common sense when Microsoft spend so much time making things so supposedly easy then flagging even trivial problems up with boxes filled with red exclamation marks and inexplicable error codes. It gives users The Fear and encourages them to take the most pain free path from A to B, dismissing serious security warnings just as quickly as "missing driver" errors, simply because they don't understand the difference.
Plenty of admins don't help; IT at my girlfriend's bit of uk.gov felt an appropriate response to her request for a copy of a basic graphics editor and Notepad++ was to give her admin rights in perpetuity, something they apparently hand out fairly freely as it's less hassle than getting an application approved for installation - that's two of the four down at a stroke. If those who should know better don't use their nous, how can anyone else be expected to?
I'd throw in the use of mandatory access control (MAC) as pretty basic to any strategy.
Yes, it's a pain in the bum, but in the end it stops stuff getting out of hand. Individual applications and OS components may be compromised, but the flow-on effect is restricted to that application or component only.
SELinux from the NSA is the MAC system I'm most familiar with and for production systems it's pretty damned good.
Throw in a touch of process separation using the original Intel 'ring' security model and it's all pretty sweet. It's just a pity that Linux & Windows don't implement that at all, or only in the most basic fashion.
The problem here is that while "the latest version of XYZ application" might have the security fixes to last year's bugs, it also has lots of brand new features that potentially introduce all sorts of new holes.
The approach of having all the latest fixes applied to a more stable version of the SW seems much more sensible.
Hire a "chef" as in * or failing that a real one. That way you'll at least be having a healthy lunch, if not a free one.
Joking aside, picking the right people for the job is management's job (and not HR's). If they don't know who to pick, then arguably they are not the right people for their job. Not so?
* http://forums.theregister.co.uk/post/1211989
I've found the only thing that is 'common' about 'common sense' is that everybody has a completely different idea as to what it is.
The application of 'common sense' usually brings more arguments and more trouble.
It's common sense that if you spend loads of dosh on security products then you are safe. Money buys everything and anything - sounds reasonable, doesn't it.
If all it required was common sense then people wouldn't need a huge sign saying
'Just don't effing click on everything you see'
Secure and Simple computing
That is an oxymoron. It always was a bit like Ford saying ignore the pedal in the middle if it slows you down and the same for those red light thingies.
However the fact that people are not prepared to learn how to make their PC's secure is a gift to the thieves on the supply side of the software as well as those more commonly recognised as thieves.
The logic and methods required to make a PC safe(r) mirror exactly the requirements of most organisations and actually getting your head round one makes the other transparent. And vice versa - almost every organisation with shit PC security (so they can get on with work without worrying about trivia like security) is probably being drained of resources.
Apple's App Store approach changes the paradigm by draining your resources before the app gets to the computer, and may be able to recover a rogue app, but it won't be long before we get to find out for sure.
But if you want your computing to be secure, learn how to do it - it's a life lesson only an idiot would ignore.
> someone administering security to actually keep their job
It's not down to the "someone" to ensure this happens. It's down to whoever controls that "someone"'s work schedule. The person who says to the project manager "No, we can't build your test environments this week, we have pressing security updates that MUST be installed". Or who says to the CFO "Cutting the headcount is not an option as we then can't keep our security measures up to date in a timely manner."
The point being that too many non-IT people are allowed to put too much pressure on the "someone" to do IMMEDIATE work rather than IMPORTANT work for their narrow goals. Once you can resolve that conflict there is the possibility that "someone" will be able to keep their IT security tight. Though there's nothing they can do to prevent all the other security lapses in the organisation.
Our department's computer admin was stopped because there was no budget (public sector). My boss told me that I had to do it on top of the job that I am paid to do.
I know nothing about computer security or administration.
Many of our applications that we all use are out of date, i.e. a later version costs money and therefore we can't have it. I have a budget of zero for the next year at least.
I don't have admin rights or access to about half of the computers.
Users typically purchase their own software with their own budget and must be allowed to install it for network use. I.e. on a server. I don't know who half the users are and am not allowed to find out because of privacy bureaucracy bullshit. (I'm sure I could find out if I broke the conditions of my employment)
I do not have sufficient status to be allowed to attend the meeting where these policies are decided. Making a fuss is the sure way to prove that you are not capable of making do and to be promoted from the voluntary to the compulsory redundancy list.
Since I am "responsible" for computer security, perhaps when our site gets hacked and we lose a load of data you should sack me because it is clearly my stupidity that caused it.
Solutions?
Find a new job at a firm which has management which is not quite as stupid as the management at your current place of employment. Then sit back and wait for the explosion at your old place.
I was once briefly (very briefly) employed at a firm even more screwed up than yours. I pointed out to management exactly where the problems were; they didn't listen. I got a new job within 60 days of getting that one because I _really_ didn't want to be around when things blew up. Three months after I left, almost to the day, there were significant problems at the old site, every one of which was due to one of the failings I'd noted, in writing, to management, which _STILL WERE NOT FIXED_. They got things running again (never did figure out who'd hit them) and less than a year later were hit AGAIN, same problems, STILL NOT FIXED.
Sigh.
In that situation, I would write a 'Security Audit' documenting the failings, and explaining the necessary remedial steps. There's no need to kick up a fuss, just make it big enough and thick enough that it falls under 'tl;dr'. And then, when the inevitable happens, I'd point to the page in my report and say 'I warned you', and cross my fingers that my manager took the fall, not me.
Not really a solution but a suggestion.
Rule 1
Responsibility without *authority* (which includes being in the meeting where changes are being decided *without* including the impact on security) is *meaningless*.
This being some kind of govt (local or central should not matter too much) get out your job description (or get it from HR who should have a copy on file) and read it thoroughly.
Ask HR what the position is on what happens if a manager asks you to do something you're not trained and/or not qualified for.
Depending on the outcome, notify your manager (and HR) in writing (and I would suggest taking a hard copy for yourself to avoid any "amnesia" later on) stating you are not qualified to handle this task, have had no training to do so and lack the necessary tools (i.e. PC access rights, passwords) to do the job. You request that they either arrange training for you (how is their problem) to give you the tools and skills, or you refuse to have anything to do with this.
Your manager has basically bullied you into doing this. If they told you "Here's a patient, perform a heart transplant on them" you wouldn't think twice about refusing them, would you?
How they respond will tell you a lot about if they are simply an under pressure manager or something more malignant.
I'm with James on this one. Just get the heck out of there.
If you feel like going the legal way you could simply refuse to do all the extra stuff that's not in your job description on the grounds of 1) not being paid for it, 2) not having the requisite skills, 3) not having the means either, and of course 4) the policy disconnect. I actually don't know, but I imagine a good workplace lawyer could take them for a nice little song and dance. But I don't imagine the hassle is worth it. In the end you'll end up in a hostile workplace, meaning that you'll want to get out anyway.
So I wouldn't bother beyond getting myself a new job. I learned the hard way that fighting gets you burned out and that does long-lasting damage to your career--to the point that I no longer get hired by anyone. Just get out. Run away. Get a new job while you still can. Leave these tossers to implode all by themselves. Staying on is a losing game, any way you look at it.
Leaving early and popping over to the employment office today is a good start. Go.
Always using the latest version of an app will mean numerous crashes and bugs. And, even if it does work reliably, no-one will be able to use it without retraining because it will have some new, wacko interface that makes no sense at all.
After a brief encounter with KDE4 I definitely needed a new keyboard. Worse, I found that I couldn't go back to KDE3.5, the only option being to roll back the entire distro. So much for Microsoft imposing unreasonable restrictions, or forcing the use of stuff which is broken.
I'm a Linux user, myself, but I've had good results with convincing my friends and family to replace their Windows PCs with products from Apple. I could never get them to keep their Windows systems patched and virus signatures up to date, and I could never stop them from clicking on the most ridiculous attachments. Then there were the drive-by downloads from banner ads. Once they switched to Macs, the problems just went away and did not come back. I can't imagine that they all got smarter. I'm surprised that SANS didn't include a recommendation to stay away from those easily infected Windows boxes as a one-step security solution.