One simple step to better network security

If you’re like most companies that hire security consultants, you’re reading this blog for advice you’ll never use. You’ll tell me that security is a priority, but your inaction will say otherwise. You’ll be like the guy who joins the gym in January and quits by March, or the woman who consults with her nutritionist in the morning, then has pizza for lunch. Or like the recent college grad I’ve been mentoring, who tells me she has done “everything” to get a better job. Everything?

I asked if she had updated her resume to be specific for each job to which she is applying. No. I asked if she had gone door to door through local businesses dropping off resumes. No. I asked if she had sent out any resumes at all. No. I asked if she had called her university asking for help with job placement. No. I asked if she had been reading the local newspaper ads and applying for those jobs. No. I asked if she had talked to the two local business leaders that I had referred her to who said they could get her better jobs. Again no.

[ InfoWorld’s Malware Deep Dive special report tells you how to identify and stop online attacks. Download it today! | Roger A. Grimes offers a guided tour of the latest threats in InfoWorld’s Shop Talk video, “Fighting today’s malware.” | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. ]

When I asked what she had done to improve her job prospects, she said she had applied on Monster.com eight months ago. That resulted in malicious phishers targeting her with bogus “at home” jobs.

Obviously, my definition of her trying everything was not aligning with her definition. As far as I could tell, she wanted someone to hit her on the head with a job.

Catch security in a bottle I have many clients who seem to think security also strikes like lightning. They complain about how they are getting hacked and owned, but they aren’t even doing the simple stuff — the steps security experts have been advocating forever. They keep trying more and more advanced mechanisms to protect themselves, such as NIDS (network intrusion detection systems), HIDS (host-based intrusion detection systems), and multifactor authentication, only to find that they’re owned again and again.

For example, not a single customer I’ve audited in more than two decades has patched the applications that are the most likely to be attacked. I always start the security audit by asking the customer if they patch their software, both the operating system and applications, in a timely manner. Most say yes. Then I check the first workstation or server and find it’s unpatched. Most of time the operating system has been patched, but they haven’t patched Adobe Flash Player, Adobe Acrobat, or Java in months or even years. It’s no coincidence that the most commonly exploited applications are these same three chronically unpatched apps. When I tell the admin about the missing patches, he’ll typically say that application patches are someone else’s responsibility or seem uninterested.

Another question I usually ask customers is whether they expire passwords in a timely manner. They almost always say they do, and when I check the global system policy it says the same. But then I check individual accounts and find dozens to hundreds of exceptions. Usually the more powerful the account, the more likely it’s never been changed.

Another one of my favorite questions: What is the No. 1 way your company is exploited? Many will respond correctly, “Socially engineered Trojans, like fake antivirus programs.” I then ask if they include a screen image of their legitimate antivirus program in their end-user education materials. They always, always say no. But what is worse is that no company has ever followed through on my suggestion and showed their end-users what their antivirus program looks like.

Breaking the inaction plan Most security experts I know deliver dozens and dozens of security findings to each client they are hired to audit. It’s not unusual for an audit report to be more than 100 pages long. And yet after reading the report and signing off on the report’s findings, most clients do nothing. You can point out the most critical fixes and suggest which ones the company should implement first, then come back a year later and discover that not one fix has been implemented. This isn’t just my experience. It’s a common lament I’ve heard from all of my peers.

I can’t blame the client’s computer security team because it’s nearly every team I meet. Of course I see good teams and bad teams, but almost none of them make any progress. It must say something about companies in general and how hard it is to change the status quo. Today’s big priorities are overwhelmed by tomorrow’s bigger priorities. When you have a hundred things to fix ASAP, they get lost in the bustle of today’s critical emergencies and tomorrow’s new management directives.

More and more I think the secret to improving security is to concentrate on a single item to fix in a given period. I understand that you’ll always have dozens and dozens of fixes to make. But focus on finding the biggest security problems and resolve to repair one of them before even thinking about the second. You can’t effectively juggle multiple priorities, no matter how much management wants you to.

You want to be my hero? Fix one item. You’ll be ahead of most of your peers.

This story, “One simple step to better network security,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.