With security, prayer is not the answer

To apply the right countermeasures, you need hard data about the attacks you face and the weaknesses in your defenses, not just blind faith

Are you a mathematician or a priest?

What I mean: I'm always amazed by the lack of real data brought to bear in computer security and how people push agendas that have little basis in fact. It can leave an old computer security pro like me disillusioned.


We're told that buying the latest and greatest security product will be the answer to all our prayers. We buy it and implement it -- yet it doesn't stop the bad guys from breaking in.

If you want to become a better computer security practitioner, use your own data to make better decisions. It's there for the taking.

I'm surprised at how many companies don't understand how they've been compromised. You can talk to almost any company's computer security employees and ask, "What is the No. 1 way your company is most exploited?" but rarely will you get the right answer. The CIO or CSO won't know. And if the very people in charge of your defense don't understand how to rank threats by risk level, how can they fight them effectively?

Instead, you usually have one or more influential employees (and their preferred vendors) pushing solutions that sound great, but rarely address big problems head-on. When I confront computer security employees with what's really wrong and how to fight it better, I'm often surprised how many leave the meeting hearing something else.

For example, I'll say: "Your No. 1 problem is unpatched software." They will say: "Yes, I agree." Then they will claim they have patching under control. Or they will say, "No problem, we're deploying smart cards next week." Or they're buying an advanced intrusion detection system. Hello?

Obviously, the problem is mine. For some naïve reason, I think I can stand up and talk and everyone will simply get it. But people learn by doing. Here are three simple measures to take that can improve the situation.

Step 1: Collect data on successful compromises

You have to see for yourself which threats are most successful. We all face the same ones: malware, SQL injection, cross-site scripting, social engineering, phishing, and so on. The key is to understand which threats have succeeded against your company -- those are the threats most likely to hit again in the future.

Start collecting metrics on how your company was compromised. The answer is not a malware name. It is the name of the exploitation vector that allowed that malware or hacker to get into your environment in the first place. For instance, we all face malware threats that squeak by all our defenses (at least for a certain period of time, until signatures are updated). But how do those threats make it through? Was it employees being tricked into running Trojan horse programs? If so, was it from a phishing email? Was it from employees visiting a "risky" website, or one they trust and visit all the time? Until you know the answers to these questions, you'll be fighting a losing battle.
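As an added example (not code from the original column), here is a small Python tally that records each compromise by its entry vector and shows how a ranking by malware name differs from a ranking by vector; the vector vocabulary and the incident records are constructed for illustration.

```python
"""Rank the exploitation vectors behind successful compromises.

Added example, not from the original column. The incident records and the
vector vocabulary below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Closed vocabulary of root-cause vectors (assumed, not from the column).
VECTORS = {
    "unpatched-software", "phishing-email", "social-engineering",
    "sql-injection", "cross-site-scripting", "drive-by-website",
}


@dataclass(frozen=True)
class Incident:
    ticket: str   # internal reference (constructed)
    malware: str  # what the AV/EDR reported, if anything
    vector: str   # how it got in: the metric that matters


def validate(incidents):
    """Reject records whose vector is outside the controlled vocabulary,
    so a malware family name cannot be logged as the 'cause'."""
    bad = [i.vector for i in incidents if i.vector not in VECTORS]
    if bad:
        raise ValueError(f"unknown vector(s): {bad}")
    return incidents


def rank(incidents, field):
    """Return (value, count) pairs for one field, most frequent first."""
    return Counter(getattr(i, field) for i in incidents).most_common()


# Constructed sample: several malware families, one dominant entry vector.
SAMPLE = validate([
    Incident("INC-001", "trojan-A", "unpatched-software"),
    Incident("INC-002", "trojan-A", "phishing-email"),
    Incident("INC-003", "worm-B", "unpatched-software"),
    Incident("INC-004", "rat-C", "unpatched-software"),
    Incident("INC-005", "trojan-A", "drive-by-website"),
    Incident("INC-006", "rat-D", "unpatched-software"),
])


def top_vector(incidents=SAMPLE):
    return rank(incidents, "vector")[0][0]


def top_malware(incidents=SAMPLE):
    return rank(incidents, "malware")[0][0]
```

Run `rank(SAMPLE, "malware")` and `rank(SAMPLE, "vector")` side by side: the most-seen malware family tells you little, while the vector ranking points straight at the defense to fix.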

Step 2: Develop appropriate defenses

Once you understand how your company has been successfully exploited, implement the defenses designed to address those weak spots. Don't let yourself be misled by priests. For example, I commonly hear of companies implementing intrusion detection systems or advanced firewalls to combat their biggest threats. In such cases, I ask the group involved in making the buying decision to agree upon their most likely threat scenarios -- say, remote control malware being installed because of unpatched software, which then allows an APT actor to execute a pass-the-hash attack to take over the whole environment. This is a very common threat scenario. Get everyone to agree upon one or more common threat scenarios.

Then ask the product priest to tell you how, specifically, his solution would solve the problem. Don't let him quack about "decreasing overall risk" or other threats that do not pertain to the threat scenario under discussion. Ask specific questions. Tell him to show you the exact rules that would catch that particular threat. Do a walkthrough of the threat as it unfolds and how the solution would detect or prevent it. Get into the details.

If the product being proposed by the priest passes this test, then congratulations, you have a good solution. If not, have the fortitude to ignore the priest and adopt an appropriate solution.

Step 3: Change the culture

Much of what I'm saying is that you need to use data to change the culture. When someone brings you a favorite new solution, ask for data to support the product being pushed. You'll be amazed how many people will keep lobbying for solutions that don't address your actual threat scenarios. I often feel like Jack Nicholson in "A Few Good Men," bellowing, "You can't handle the truth!"

Are you a priest or a mathematician? Do you base your conclusions on strongly held, unexamined belief or hard data? Can you handle the truth?

This story, "With security, prayer is not the answer," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.

Copyright © 2013 IDG Communications, Inc.
