Tuesday, April 9, 2013

Keeping Security Simple

   This week I did a national webcast with Capella University.  The topic was the Insider Threat.  But my take on this is a bit different from what's usually said on this subject.  I call it "The Accidental Insider".  You can see my slides here.

   I was talking about how I think that accidents are the major cause of breaches.  I've talked a bit about how important it is to keep things simple here.

   If you're an information security professional, hopefully you are familiar with the Verizon Data Breach Investigations Report (DBIR).  You can see their page for the latest report.

   One of the interesting things they point out in the report is summarized in this table:

  • 79% of victims were targets of opportunity
  • 96% of attacks were not difficult
  • 96% of victims subject to PCI were not compliant
  • 97% were avoidable through simple or intermediate controls

   So while the mainstream tech press covers APT (Advanced Persistent Threat), nation-state attacks, and organized cyber-crime using sophisticated attack methods, we can see that the overwhelming majority of attacks are simple.

   To me, two of these numbers really stand out.

   First: 96% of attacks were not highly difficult.  This means that, while there are some very talented, sophisticated and dangerous attackers out there, the vast majority of attack methods are not complicated.  So spending a disproportionate amount of talent, time, strategic planning or money preparing for advanced attacks is possibly not a good use of your resources.
   Methods included:
  • password guessing, stealing or brute-forcing
  • exploiting insufficient authentication (including sites with no password required)
  • keyloggers, backdoors and other simple malware

   Next: 97% of breaches were avoidable through simple or intermediate controls.  This means that we don't have to have the latest and most expensive tools and controls.  Based on the types of attacks observed, the simple controls include:
  • patching!
  • password policy, testing and enforcement
  • using passwords!
  • anti-virus (yes, I know this doesn't catch zero-day attacks, but it's very effective on those 5-year-old attacks floating around!)
  • education and awareness! (this is a controversial topic, but I'm a big believer)

   So let's make sure that our security strategic plans are based around doing the simple things right.  If we've got all the processes in place to take care of that, and there's still money and time left over, then go for the more complex.

   If you've seen attacks or had breaches, do your findings mirror the DBIR findings?  Are you thinking about the simple stuff?  What other simple controls and ideas do you have to add?


  1. I think that many organizations are divided on the next steps (risk treatment) following a risk assessment.

    (1) should they cover the quick wins - those that require minimal time and money yet achieve a good result that can be reported to senior management to show progress? or
    (2) should they address those items with the highest probability and impact and therefore the greatest risk?

    What I have often seen happen because of this indecisive nature of risk treatment is that many organizations will do just enough to show progress is being made and forget about the rest or, worse still, put off dealing with many of the larger risks because it looks far too difficult to address.

    Dealing with the simple stuff is good, but simple is relative to the skill sets and experience of those involved.

  2. You're absolutely right. I think that loss of focus because of the media attention on things like APT adds to this confusion. But I've just seen too many organizations getting stuck on big issues without covering the basics. Of course, none of this is an excuse to not have a strategy or not do the risk assessments.
    I think another factor that can add to the indecision is lack of good security leadership. There's just no replacement for that!