ShmooCon 2011: The MacGyver approach to faster, more nimble security

There's no such thing as perfect security, so IT shops should focus instead on faster detection and fixes, security practitioner Richard Rushing said during ShmooCon 2011 Saturday.

WASHINGTON, D.C. -- On the surface, saying there's no way to achieve perfect IT security seems like a downer. After all, aren't we all supposed to be striving for perfection?

But Richard Rushing, senior director of information security for a large technology company, says the search for perfection distracts the community from a lot of tweaks it could be making to deal with targeted attacks more quickly and efficiently. At the ShmooCon 2011 security conference, he outlined ways to do that in a talk called "Defending against targeted attacks using duck tape, popsicle sticks and Legos."

Targeted attacks are now the focus at all levels of organization, industry, people, technology or third parties; stealing anything of value, he said. Companies spend six and seven figures a year to defend against it, to little avail. Rushing's goal was to show the value of security through imperfection by taking tools that are already in house or available in the open source community to achieve a faster, more agile defense.

He calls it the MacGyver approach. It's not perfect. But in some cases it might be better, he said.

"Working for a stalemate is the winning game right now," he said. "It's about common-sense security. There's no such thing as perfect."

More ShmooCon coverage in the Salted Hash blog

First, he suggested adopting a few good habits to live by:

  • Eliminate the FUD around security threats, because everyone suffers targeted attacks, it's ongoing and ramping up the fear creates confusion and misguided actions.
  • Have real antivirus
  • Have real IDS-IPS
  • Have real firewalls
  • Learn the art of fast patching and unpatching
  • Do away with local administrative access, which he described as "so 1990s"

When Rushing says "real" he doesn't mean the biggest, most expensive technologies money can buy. In this case, real means that when the defenses are set up, the IT shop actually pays attention to the various devices and tools. Setting them up and walking away is the opposite of what should be done.

He pointed to patch management in particular as something many companies do wrong.

"Ninety percent of the world installs the patches right on Patch Tuesday," Rushing said. "The other 10 percent have a rigorous testing process that takes up to a week because they don't want the patches to break things. The proper approach is to realize things break and get good at unpatching quickly and effectively."

Learning to quickly uninstall patches that break things means you can shorten the patch deployment process considerably because you're not wasting days on the testing process, he said.

In summary, he said the idea of total protection is dead. Instead, companies should spend time, attention and money on faster ways to detect and seal the vulnerabilities that allow for targeted attacks, "because it will never be fully fixed."

Copyright © 2011 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.