


by David Geer

10 changes you can make to achieve security serenity now!

Dec 16, 2014 | 7 mins
IT Jobs | IT Leadership | Passwords

You don’t have to look into a crystal ball to find peace of mind when it comes to security. CSO Magazine presents 10 relatively low-labor changes you can make to achieve significant improvements in enterprise security.

#1. Help high-level decision-makers to understand.

“Help your top-level executives to be truly aware of the nature of the security situation and to take on their risk manager responsibility in a serious way,” says Fred B. Cohen, an American computer scientist best known as the inventor of computer virus defense techniques.


To do this, use an external advisory committee composed of people who know security and know how to talk to executives. To help leaders hear and understand the committee, send them to executive off-site security training, or commission an initial security assessment of your organization so they can see where they stand and work to bridge the communication gap.

#2. Don’t collect information when it is more harmful than beneficial.

“I know it’s convenient to store credit cards and use them again next time. But that’s also why some big box stores had to pay a price for losing them and why people had to change their credit cards for everybody they dealt with,” says Cohen.

The same goes for any PII, including email addresses. “I bought something online from a very large big box store because they didn’t have it in the physical store. I had to provide an email address. They just got millions and millions of these ripped off and they are collecting more,” says Cohen. When the harm outweighs the benefit, just stop.

#3. Check the inputs.

Check inputs into software programs and databases at the place where you actually use them, not at the browser, and most of the bad things that happen would not happen, says Cohen. “All the big database rip offs using SQL injections and other input overruns happen because you don’t check the inputs,” says Cohen.

Check the size, syntax, and context of the data and characters that people typically enter into an input field. “If they’re putting in a Social Security number, it better be in the format of a Social Security number. And regardless of what checking you did in the browser, you need to check it at the place where it arrives, not where someone sent it from,” says Cohen. Do the check when it arrives from the untrusted source (such as a browser) to the technology that interprets and uses it. “This is trivial to do and trivial to check that someone did it,” he says.
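The following is an added example, not code from the article or from Cohen: a server-side check of size, syntax, and context for a Social Security number, applied where the value arrives and followed by a parameterized query. The table, the handler name `lookup_customer`, and the sample rows are constructed for illustration.

```python
import re
import sqlite3

SSN_LEN = 11  # size: "AAA-GG-SSSS" is exactly 11 characters
SSN_RE = re.compile(r"([0-9]{3})-([0-9]{2})-([0-9]{4})")  # syntax: ASCII digits only


def validate_ssn(raw):
    """Return raw if it passes size, syntax and context checks, else None."""
    if not isinstance(raw, str) or len(raw) != SSN_LEN:  # size
        return None
    match = SSN_RE.fullmatch(raw)  # syntax
    if match is None:
        return None
    area, group, serial = match.groups()
    # context: number ranges that are never issued as SSNs
    if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
        return None
    return raw


def make_db():
    """Constructed in-memory table standing in for the real data store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (ssn TEXT PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO customers VALUES ('123-45-6789', 'Constructed Sample')")
    return db


def lookup_customer(db, raw_ssn):
    """Hypothetical server-side handler: check on arrival, then bind, never concatenate."""
    ssn = validate_ssn(raw_ssn)
    if ssn is None:
        raise ValueError("rejected: not a well-formed SSN")
    row = db.execute("SELECT name FROM customers WHERE ssn = ?", (ssn,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for candidate in ["123-45-6789", "' OR '1'='1", "123-45-67890", "000-12-3456"]:
        try:
            print(repr(candidate), "->", lookup_customer(db, candidate))
        except ValueError as err:
            print(repr(candidate), "->", err)
```

The second constructed input is exactly 11 characters long, so it passes the size check and is stopped only by the syntax check, which is why all three checks are applied together.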

#4. Contract, insure, test.

If you must have something from a vendor, especially for security, put it in a binding contract, whether that is a requirement that a software vendor check the inputs to the programs you purchase or that any vendor provide a product or service as agreed.

Have liability insurance in the event that the vendor did not do it. Require that the vendor have insurance in case they don’t do what they say they will. Ensure that there are stipulations in the contract that the vendor must test that they did what they said they would.

“In the case of the software inputs, there’s testing called fuzzing that is very inexpensive,” says Cohen. Use an independent testing lab for the testing. Require the lab to certify the test. Make sure the testing company has insurance.

#5. Architecting security is cheaper than designing, implementing, or coding it

Many enterprises have flat networks. “They have firewalls, but inside the firewall they have a bunch of compute and that’s it,” says Cohen; “it’s a hard shell with a gooey center.” Hackers use phishing and other attacks to get beyond the firewall and into the gooey center.

“If you architect your network, partitioning it into zones and micro zones, you can differentiate how you protect servers from how you protect workstations,” says Cohen. You can have a network that will operate properly even though parts of it are failing due to attack. Then even an attack that is successful is only partially successful.

#6. Defend using deception

“Deception technologies change the leverage between the attacker and the defender so that it is easy for the defender and hard for the attacker,” says Cohen; “deception is relatively easy to do.”

Hackers search for vulnerabilities in your protocol space, address space, and services. With deception, where you don’t have a webserver running on an IP address, you have a deception that looks like a webserver to hackers.

They hit that and try to break into it. After the first 50 or so times that the same user tries that, a network device that is watching will make sure that user gets a deception every time from then on. There are other types of deception.
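The behavior described above can be sketched as a small routing decision. This is an added example, not code from the article or from any deception product: the `DeceptionRouter` class, the addresses (documentation ranges), and the event list are constructed, and the threshold of 50 is taken from the article's "first 50 or so times".

```python
from collections import Counter

LIVE = {("192.0.2.10", 443)}  # constructed: the only real service
THRESHOLD = 50                # the article's "first 50 or so times"


class DeceptionRouter:
    """Decide, per connection, whether a source reaches a real service or a decoy."""

    def __init__(self, live_services, threshold=THRESHOLD):
        self.live = set(live_services)  # (ip, port) pairs that really exist
        self.threshold = threshold
        self.decoy_hits = Counter()     # probes of unused space, per source
        self.pinned = set()             # sources that now always get a decoy

    def route(self, src, dst_ip, dst_port):
        if src in self.pinned:
            return "decoy"              # pinned: deception every time from then on
        if (dst_ip, dst_port) in self.live:
            return "real"
        # Nothing runs here, so answer with something that looks like a service.
        self.decoy_hits[src] += 1
        if self.decoy_hits[src] >= self.threshold:
            self.pinned.add(src)
        return "decoy"


def constructed_events():
    """Constructed traffic: one scanning source and one ordinary user."""
    scanner, user = "198.51.100.7", "198.51.100.20"
    events = [(scanner, "192.0.2.%d" % (100 + i), 80) for i in range(50)]
    events.append((user, "192.0.2.99", 80))      # a single stray request
    events.append((user, "192.0.2.10", 443))     # user reaches the real service
    events.append((scanner, "192.0.2.10", 443))  # scanner is pinned to the decoy
    return events


def replay(events, threshold=THRESHOLD):
    router = DeceptionRouter(LIVE, threshold)
    return [router.route(*event) for event in events]


if __name__ == "__main__":
    for event, decision in zip(constructed_events(), replay(constructed_events())):
        print(event, "->", decision)
```

A single stray request does not pin the ordinary user, while the scanning source stops reaching the real service once it crosses the threshold.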

#7. Don’t use security that turns users against you

It’s about workload on the user, sometimes called security load. Security keeps increasing requirements for the user to interact with security measures. The user has to make increasingly complicated decisions. “The security load causes the users to make bad decisions,” says Cohen.

Popups are good examples. “It says, ‘you’re doing something that might be dangerous, do you want to proceed?’” The user doesn’t know what choice is more secure. They do know that if they say “no” they can’t proceed and so they can’t get their work done. Security that puts these kinds of decisions in the hands of the user does more harm than good.

#8. Offer an easy password selection guide

Use an easy password selection guide to help users create strong, yet easily remembered passwords. The guide could suggest that users start with the title of a favorite movie, book, or item from any popular category and add characters to form a new password. “That way it can be easy to remember what characters are capitalized and where the punctuation marks should go, such as with the password Ghost^Busters!2?,” says John Zurawski, vice president at Authentify.

#9. Require longer, stronger passwords

With the new-found ease of creating memorable passwords, users should be less averse to using longer, stronger passwords. Here’s why long and more complex passwords naturally help.

Hackers don’t attack passwords manually by guessing at character combinations but rather use brute force attack software to crack passwords. “A 16-character password with upper-case and lower-case alpha characters, numerals, and symbols could withstand 10 or 12 days of concentrated brute force attacks, possibly more,” says Zurawski. That may be long enough.

“Typically when hackers steal password files, they settle for cracking 60 to 90 percent of the passwords on multiple passes through the file before selling the results and moving on. If your password is among the 10 or 20 percent that are the most resource-intensive for the hacker to crack, the probability that you will remain safe is high,” says Zurawski. Extending password length is a simple policy change.

#10. Employ full disk encryption on company laptops.

A fully encrypted laptop hard drive that requires a user password on boot up helps protect the enterprise against data theft and misuse when a laptop is lost or stolen. “You can achieve this kind of roll out in months,” says Zurawski.