Don’t let company politics dictate your security priorities

A company recently hired me specifically to improve its password policy. At five characters long, zero complexity, and no forced expiration changes, these passwords would be considered nearly nonexistent to most hackers — and the client knew it.

I quickly learned that the client had several other significant security problems, including porous firewall rules, outdated antimalware software, horrible patching, and hundreds of domain admin accounts, not to mention the fact that every end-user had admin rights to his or her desktop. Unsurprisingly, the client’s entire environment was already rife with malicious hackers and their programs.

[ InfoWorld Security Adviser Roger Grimes also recommends compiling a top 10 list of security priorities | Take control of your security destiny with InfoWorld’s interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. ]

I told them that even though they had hired me to improve its password policy, the security overhaul should concentrate on other issues first. When they resisted this suggestion, intent on dealing with the password problem, I asked how they’d been so thoroughly compromised. In every story they shared, successful attacks were caused by an elevated end-user being tricked into running Trojan horse programs sent via emails.

I asked them what they were doing to stop that particular attack vector. They said they’d delayed implementing defenses because the task was difficult, time consuming, and resource intensive. They wanted to tackle the password issue first. The company’s decision-makers were so intent on changing their password policy that it could not see the forest for the trees. Unfortunately, it’s a common scenario.

If you want to reduce your company’s security risk as efficiently as possible, you have to start by taking stock of your network security holes. Document all the ways your company is successfully compromised and figure out the percentage each attack vector is responsible for. As the saying goes, past behavior is a reliable indicator of future behavior — and attacks.

Your threat modeling documentation will probably mention initial attack vectors, which include how the attacker/malware first gained access to your environment, and secondary attacks, or the means by which attackers/malware gained further access and privileges. For example, an initial attack may be through a malicious PDF file sent to a senior executive. The secondary attack may involve password guessing against NetBIOS shares, installing remote access Trojans, or dumping the hashes from password databases. The initial attack vectors are far more important, although minimizing the secondary attacks is part of the defense plan, too.

Next, look at all the attack vectors and figure out which security defense mitigations would be most likely to work against the highest-ranking initial attacks. This should be your defense plan to most efficiently reduce your company’s security risk.

The mitigations that should be applied first are not always the easiest ones, in technical or political terms. For instance, the No. 1 mitigation needed in many environments is removing elevated access from non-admin users, thus preventing them from accidentally installing Trojans. The companies that have not already done this usually tell me it’s too politically difficult to accomplish in their environment, so they would rather start with simple mitigations — the low-hanging fruit.

I usually ask if their senior management knows they are not addressing their biggest security risk and leaving the company at a higher risk of future compromise than reasonable. I mean, what’s the worst thing that could happen to you, your career, and your company? Worst-case scenario is a complete compromise of all privileged information, your company’s security practices in the news headlines, and possibly lawsuits from regulators, shareholders, and customers. This is not a fantasy. It happens to a few companies every year.

If you end up in court, the prosecuting attorney will ask if you did everything a “reasonable person” using “due care” would do in your position, or if you ignored the highest-risk warnings and concentrated on lower-hanging fruit. Every lawsuit in the land is settled on the basis of due care from a reasonable person in a similar position. Don’t be the person who has to make excuses.

In reality, you may not be able to implement the best mitigation first. Politics is politics. Operations must go on. But make sure your recommendations to management are hedged in the right direction, placing the mitigations most likely to reduce the greatest amount of risk at the top of the list. Management can choose to ignore them, but you’ll have acted like a reasonable person in your position.

Most important, don’t let one of your secondary concerns distract you from accomplishing the most important task you need to accomplish.

This story, “Don’t let company politics dictate your security priorities,” was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com.