A look at IT security health checks
Over the past few days, one thing got my attention which I think in many ways sums up the state of our industry. While on a shopping trip with my wife, she noticed a billboard from a certain health insurance organization with the slogan, “Our focus is health, not shareholders.”
Probably because I’m becoming an increasingly grump old man, I tend to be increasingly cynical about the state of the IT Security industry. Just ask yourself how many CEOs will give keynotes about Google driverless cars and talk about how these cars will be potentially hacked, and why we all need better security. Then they go on to imply that they will be in the forefront of doing just that. Never mind the fact that organizations are being hacked on a daily basis and they can’t fix that! And we just lap it up. Sometimes you wonder if many people in our industry are on some sort of medication called gullibility.
Gullibility is an interesting drug. Some writers on gullibility have focused on the relationship between the negative trait of gullibility and positive trait of trust. As one author put it so succinctly, “gullibility is a foolish application of trust despite warning signs that another is untrustworthy.”
So how’s your health?
Like the health sector we are now bombarded with organizations offering “free” IT security checks. I recently saw an insurance company offering you the chance to win a health assessment. The winner is assured of getting a detailed report about the state of how their “heart, lungs, muscles and metabolism perform during exercise”, which will be followed by free “practical medical and lifestyle action plan.”
Don’t get me wrong – I’m not saying all IT Security vendors are out there to get you, and that health checks are not good – free or otherwise – but it is important to pay attention to those that seem to offer happy pills. When you read claims that putting a Shared Account Password Management solution in place will mean that “Security threats arising due to password sharing are completely eliminated”, I would seriously wonder about the naivety of anyone who would take this at face value!
And do we really need some analyst to tell us we have problems, and should we happen to take some medicine that has been touted by some marketing guru, that all will be fine? I don’t think so, when we know full well that our organizations are a ticking time bomb waiting for a security breach. Sorry, I’m beginning to sound like one of these “free” health checks!
Are we vulnerable?
As Woody Allen once said, “I’m not afraid of death; I just don’t want to be there when it happens.” Sometimes I think the approach of the average board of directors is the same when it comes to investing in information security; they’re worried about being breached and just hope it doesn’t happen while they’re in the job. But naturally the question is whether investment is the only course of action.
Like my health, I can either cut down on bad cholesterol or I can spend money on medication that will supposedly do it for me, and allow me to continue my bad habits. But the sad reality is that medication is not going to keep me alive and healthy.
And the same applies in IT Security. Buying the latest technology is not going to save me if I am not carrying out basic health checks in my organization. Listen to those vendors who tell you that working alongside your team, they can help.
As an example when I talk with organizations that are concerned about APTs or Malware, their response seems to be to buy whatever is touted as the latest and greatest solution. It’s like an obese person drinking only diet beverages while still consuming too much food. Regardless of what technology they buy, the failure to carry out basic security checks means they are just as vulnerable. And like the obese person, they know what they need to do but it’s just too hard to do it.
How many IT departments control the passwords being used by administrators and yet fail to do the same for services, scheduled tasks, and other applications that use credentials? Organizations fret about their private keys being stolen and used in malware but then don’t enforce any security policy around the protection of keys. Organizations allow hundreds, and in some cases thousands, of employees to have privileged access to their PCs because it is easier than enforcing a policy that demands permission to install software. Yet how many organizations regularly check the registries of their workstations to see if anything has been added or modified?
The placebo effect
Today more often than not, security related projects usually start off with a failed audit – the equivalent of a sharp pain in the chest. This is usually as a result of bad habits that have developed over the years. You would think that the patient would rush to hospital to make sure everything is fine. Yes it is inconvenient, but surely you don’t want to take risks!
But the reality is different. What the patient (management) generally does is call in the consultants who frequently have no practical experience; consult industry reports which frequently are not much more than regurgitated marketing material from a variety of vendors. The result is frequently an RFP that consists of little more than a list of irrelevant questions. This is then sent to a group of vendors who promise to cure all diseases for the lowest possible cost. It’s little more than a placebo. Actually I’ve come to realize more and more that most technology seems to be little more than a placebo – in other words you will feel better for taking the stuff that you buy but it probably won’t do you much good. You might as well start browsing health websites when you have a heart attack, put together a questionnaire and send off to several hospitals and see what they offer as a solution.
No pain no gain
Too many organizations have learned through bitter experience that implementing a privileged identity management solution is too important a process to delegate to a rubber-stamp RFP or a battle of vendor checkboxes. If handled correctly your implementation can help you close critical security loopholes; help make staff members accountable for actions that impact IT service and data security; and lower the cost of regulatory compliance. Yet the wrong choices too often turn into expensive shelf-ware – or worse.
Privileged Identity Management software is not a commodity and should not be purchased based on RFP checkboxes and up-front fees alone. Vendor claims to the contrary, not all solutions perform equally well under vastly different deployment conditions.
You’d never choose a doctor based solely on cost, nor would you trust a physician who writes a prescription before taking the time to diagnose your condition, check your medical history, and perhaps run some tests. Maybe the time has come to treat your IT Security like your personal health. After all when you’re in the operating theater it is comforting to know that you’re neither the guinea pig for a first time surgeon, or the patient keeping them from their next round of golf!