My next class:

Cyber Security Awareness Month... Through Proverbs

Published: 2015-10-06. Last Updated: 2015-10-06 07:27:03 UTC
by Xavier Mertens (Version: 1)
3 comment(s)

Johannes introduced yesterday the Cyber Security Awareness month. As security professionals, our job is to take care of our systems and networks but also our users!  Instead of giving repetitive technical tips ("do & don't"), why not try an alternative way to push messages to them via proverbs? Wikipedia define a proverb as "a simple and concrete saying, popularly known and repeated, that expresses a truth based on common sense or the practical experience of humanity". In this definition, the keywords are: simple, truth, common and experience. Let's review some proverbs which address security of end-users as well as administrators.

In the kingdom of the blind, the one-eyed man is king” – Visibility is a key aspect of information security. You have to be aware and understand what is happening in your environment. Due to the amount of information to process, tools exist (like a SIEM) but can be very expensive. Even if you don’t have enough budgets or resources to set-up a top-notch security environment, try to implement a minimum of controls. Concentrate yourself first on the most business critical aspects (use-cases).

Never put off to tomorrow what can be done today” – New vulnerabilities are discovered every day. Some may affect your assets. If it’s the case, apply a countermeasure as soon as possible. If available, install the patch provided by the manufacturer/developer. If it remains unpatched (or waiting for a new release), implement extra controls like access lists, monitoring. Don’t wait, do it now!

Clothes don’t make the man” – Take care of phishing and social engineering attacks. Do not disclose information before checking the reliability of the people asking for it. Do not trust anybody.

Never tell an enemy that your foot aches” – Protect your assets by not disclosing sensitive information in public forums or mailing lists. Some people post technical questions in public areas to request some support or tips. Such disclosed information could be very useful for an attacker. Your application must be hardened and never run with the factory settings. Do not answer to polls via phone calls.

Little brooks make great rivers” – A suite of small incidents may lead to a bigger security breach. All issues must be properly addressed. A small incident can be a first step in the process of compromizing a system. Information security can be compared to airlines: Crashes are often due to a suite of small incidents which occurred in a proper order.

Sow the wind and reap the whirlwind” – If you don’t properly implement security controls, be prepared to the worst. Be honest and don’t pretend to be “bullet-proof”. Nobody is!

Better late than never” – Some security controls might require lot of time to be implemented. After a security audit, you may discover that your infrastructure has several weak points. Take the time to review them and fix them.

An ounce of prevention is worth a pound of cure” – Do not follow the “action – reaction” principle. Perform a analyze of risks and eliminate (or at least, reduce) them. If will be easier (and cheaper) to implement a security control at the beginning of a project than once the application or assets used in production.

Practice makes perfect” or “Errare humanum est” – Should we add something? We all learn by making mistakes!

Two heads are better than one” – Do not be afraid to ask for help! First, share your issues internally and discuss with your colleagues. If more help is needed, there are plenty of ways to discuss security online via forums, mailing lists or social networks. People will be glad to help you. Don’t forget: they are no stupid questions! Follow security events and build your social network!

Don’t put the cart before the horse” – Your security controls must be implemented in the right order. Do not implement highly-technical solutions (expensive and difficult to maintain) before applying basic security principles! Example: why deploy a WAF (“WebApplication Firewall“) if your website is not yet safe? Review the code and ask your developers to fix their bugs.

When the cat’s away, the mice will play” – Well, people are the weakest link of the security chain. As said in the introduction, awareness trainings must be recurrent. Keep an eye on your administrators by implementing separation of duties and least access privileges.

In too much discourse, truth is lost” – Finally, one word about the communication. In case of incident, be prepared to communicate transparently to your management, customers or partners. Do not try to hide facts. Be honest and transparent.

I’m sure they are plenty of other examples…

Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be

Keywords:
3 comment(s)
My next class:

Comments

Reminds me of the chapter openings from Westerby's 'In Hostile Territory'...indeed a good read:
http://www.amazon.com/In-Hostile-Territory-Business-Combatant/dp/0788163108
"Security is a process, not a product." Bruce Schneier
A VERY nice job! The only one I would consider revising is this one:

"Example: why deploy a WAF (“WebApplication Firewall“) if your website is not yet safe? Review the code and ask your developers to fix their bugs."

Because a WAF gives you breathing room to fix (and train) the developers. It could take years to get the developers remediated and the changes in place. I mean, who put those mistakes in the code in the first place? The people you're asking to fix them.

Even a basic WAF will stop most attacks and also provides visibility into what people are trying to do to your site. Plus it can protect against new mistakes due to developer turnover. The one control that helps me sleep well is our WAF.

Diary Archives