Friday, January 27, 2006

Complacency – Still a Security Threat

You are the security administrator of a large data center. You have disabled all unnecessary services, triple-checked the firewall rules, conducted penetration tests on all active servers, written security procedures, and trained all employees on basic security ideas. You are golden, right? Wrong.

One threat still remains – Complacency.

Complacency can be defined as the act of being content to a fault with one’s actions. In the information security world, it can be one of the hardest attack vectors to identify. Bleeding Snort does not have signatures on file to detect complacency and it will not show up in an event log report.

Complacency comes from what some would call the weakest link in the security chain – people.

In simple terms, it is the difference between “doing everything you can to secure a network” and “thinking you already have”. Administrators aren’t perfect and therefore mistakes will happen - c'est la vie. We are only human after all. Experts have warned about security complacency for years. However, we never hear about the countermeasures.

I can only think of one – vigilance.

Always assume you have missed something, always watch for changes you did not expect, stay on top of the news and emerging security threats, and so on. Being vigilant should not control your every thought, but it should be a layer in your thought process.

Recently, Bill Thompson over at BBC News cracked the hardened surface of this subject again in his “Mac user ‘too smug’ over security” article. He was quite surprised by the overall response of the Apple community.

Too many times, people feel they are more secure because they run _______. This is the red flag of complacency. This isn’t to say that people are wrong when they say “this operating system has a better security model (by design)” or “this operating system is more secure out of the box”. We all need to be mindful no matter what OS we have on our machine.

It has always been my belief that a computer is only as secure as the person managing the box. Of course, all operating systems can be hardened beyond the default install. However, hardening servers should only be done by professionals who understand the workings of the system. If you don’t know what you are doing, you can easily harden yourself into an unscheduled DR situation. Anyone who works in the IT world knows managers don’t like unscheduled DR situations. =)

Moral of the Blog – Security is a very complex and fluid issue. Every day, the security of a given system ebbs and flows as events on the internet unfold. Security isn’t filling in a checkbox on a requirement form or applying a single patch.

Staying vigilant is the only true countermeasure to security complacency.
