The further you stray from best security practices, the more security holes you open

An old anecdote sprang to mind recently as I was thinking about why malicious hackers are successful at what they do: Years ago, the city made me tear down a covered boat patio on my property. The previous owner apparently didn’t get a permit to build it, but I didn’t own a boat, nor did I need the structure or the hassle of going to the city council. I still remember how much fun I had bringing down that arrangement with a sledgehammer and my bare hands. They should sell the experience at an amusement park for adults!

Think of your IT system as a house constructed by skilled workers over several months through coordinated, well-planned effort. Despite their best attempts at making the building sturdy and strong, a single unskilled worker with a sledgehammer can bring it all down by finding a single weakness. Similarly, it takes but one vulnerability for a malicious hacker to bypass even the most secure-seeming code.

Often, the weaknesses in a building are spawned by variances from consistent best practices. In construction, that means working with highly trained employees and quality materials, as well as building structures using muscle memory: putting nails where they need to go, raising walls when it’s time, and putting on a solid roof only when the foundation and walls are firmly set. The same goes for computer security. The best security managers learn that quality and consistency are the best ways to reduce risk. Variability is the hacker’s best friend. If the defender is not consistent, hackers are sure to get in.
They can probe the enterprise’s exposed hosts and find unpatched machines, weak configurations, and missed defenses.

Brad Marr, a Six Sigma “black belt” IT leader, preaches this at almost all of his meetings. He typically presents charts showing a company’s level of variability from the established standard. Although he might want perfection, he tells his coworkers he expects less variability over time. That’s a pretty good strategy and goal in a world where perfection is probably impossible, as humans, by their very nature, are imperfect.

In order to minimize variability over time, you need to accomplish a few tasks:

1. Define the security problem to be solved.
2. Create and define solutions, including strategy, tactics, standards, policies, and procedures.
3. Create one or more metrics that can measure the success or failure of your tactics.
4. Take a baseline measurement of the current state.
5. Implement the new tactics and security defenses, most often using automated means.
6. Take periodic metric measurements at least once a month.
7. Compare the improving (one hopes) metrics to the original problem defined. As variability declines, the security situation should improve.
8. Identify the biggest areas of variability and work to reduce them.

As an example, the problem at your organization may be frequent malware attacks resulting from a lack of up-to-date antimalware software. The metrics might be the number of uncaught malware programs that get past the initial defense and the percentage of computers with up-to-date antimalware programs. The strategy would be to reduce the success of malware programs. The tactic might be actively scanning for unprotected machines on a daily basis and implementing other practices to reduce that number (perhaps using Network Access Control or NAP). From there, the policy would be that every machine must have an up-to-date antimalware program before being allowed to authenticate to the network. The standard would be to use NAC or some particular product.
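The baseline-then-monthly measurement from the antimalware example, as an added Python example (not code from the column or from any product it mentions): it computes the percentage of up-to-date machines overall and per group, the change from the baseline, and the group with the most variability. The host names, groups, dates, and the 3-day freshness threshold are constructed assumptions.

```python
"""Added example: the antimalware metrics from the column, computed the way a
monthly variability report would. All hosts, groups, dates and the freshness
threshold below are constructed assumptions, not real data."""
from dataclasses import dataclass
from datetime import date

MAX_SIGNATURE_AGE_DAYS = 3  # assumed policy: older signatures count as out of date

@dataclass(frozen=True)
class Host:
    name: str
    group: str
    signature_date: date  # date of the last antimalware signature update

def is_up_to_date(host: Host, as_of: date) -> bool:
    return (as_of - host.signature_date).days <= MAX_SIGNATURE_AGE_DAYS

def compliance_pct(hosts: list, as_of: date) -> float:
    """Percentage of hosts with up-to-date antimalware on the given date."""
    if not hosts:
        return 0.0
    return 100.0 * sum(is_up_to_date(h, as_of) for h in hosts) / len(hosts)

def compliance_by_group(hosts: list, as_of: date) -> dict:
    groups: dict = {}
    for h in hosts:
        groups.setdefault(h.group, []).append(h)
    return {g: compliance_pct(hs, as_of) for g, hs in groups.items()}

def biggest_variability(hosts: list, as_of: date) -> str:
    """The group furthest from the standard: the next place to reduce drift."""
    by_group = compliance_by_group(hosts, as_of)
    return min(by_group, key=by_group.get)

def compare(baseline: list, base_date: date, current: list, cur_date: date) -> dict:
    """Step 7 of the procedure: this month's metric against the baseline."""
    b, c = compliance_pct(baseline, base_date), compliance_pct(current, cur_date)
    return {"baseline_pct": b, "current_pct": c, "delta_pct": c - b}

# Constructed inventories: the baseline scan and the scan one month later.
BASELINE_DATE, CURRENT_DATE = date(2024, 1, 15), date(2024, 2, 15)
BASELINE = [Host("fin-01", "finance", date(2024, 1, 14)), Host("fin-02", "finance", date(2023, 12, 20)),
            Host("eng-01", "eng", date(2024, 1, 15)), Host("eng-02", "eng", date(2024, 1, 2)),
            Host("eng-03", "eng", date(2023, 11, 30)), Host("ops-01", "ops", date(2024, 1, 13))]
CURRENT = [Host("fin-01", "finance", date(2024, 2, 15)), Host("fin-02", "finance", date(2024, 2, 14)),
           Host("eng-01", "eng", date(2024, 2, 15)), Host("eng-02", "eng", date(2024, 2, 13)),
           Host("eng-03", "eng", date(2024, 1, 20)), Host("ops-01", "ops", date(2024, 2, 12))]

if __name__ == "__main__":
    print(compare(BASELINE, BASELINE_DATE, CURRENT, CURRENT_DATE), biggest_variability(CURRENT, CURRENT_DATE))
```

Run monthly over the real inventory, the delta tells you whether variability is falling, and the lowest-compliance group is where the next round of effort goes.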
The procedure would be to make sure all clients had the NAC enforcement mechanism installed, and how to do so. Take measurements before and after, then report on the improvements in the metrics each month. Finally, rinse and repeat for other problems.

The idea is that you want to decrease your variability so much that the hacker can’t find low-hanging fruit. When they go to swing that hammer against the weak nail, the resulting thud hurts their hands and the sledgehammer turns out to be useless.

By the way, I love computer security products that allow IT managers to measure variability over time. I’ve covered some of these in the past, including Bit9’s application control product Parity. Parity includes a report metric called Drift, which measures how much monitored computers “drift” away from the established baselines over time. It’s an awesome feature and I encourage readers to seriously consider any security product (there are many) that offers similar features.

This story, “Variability is a malicious hacker’s best friend,” was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com.