Grown Up Security Christmas List

Published: 2014-12-24
Last Updated: 2014-12-24 15:27:30 UTC
by Rick Wanner (Version: 1)
4 comment(s)

My wife is a Christmas music junkie.  Starting right after Remembrance Day every moment in our house or car is filled with the sounds of Christmas music, either from her own iTunes collection (currently 623 songs and growing yearly), or streamed from the Internet or satellite radio.  Every year there seems to be one song that becomes that earworm and sticks with me for the entire Christmas season.  A couple of years ago it was "Oh Holy Night", another year it was "I Want a Hippopotamus for Christmas", and this year I discovered a new one, at least to me: "My Grown Up Christmas List".  The song was written by Canadian David Foster and his then wife Linda Thompson-Jenner.  It was originally recorded by David Foster with vocals by Natalie Cole in 1990, but probably the most famous version was recorded by Amy Grant in 1992, although it has been covered many times since.  The gist of the song is that we should not be asking Santa Claus for more stuff for Christmas, but that our Christmas list should ask to solve society's and the world's problems. Definitely a good sentiment in these uncertain times.

Today I got thinking...if the ISC were to have a Grown Up Security Christmas list, what would be on it?

Please submit your ideas via the forum comments, or via our contact page.

-- Rick Wanner - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)



The top of my "Grown Up Security Christmas Wishlist" would have to be a retailer that treats the POS terminals as more than a glorified calculator and actually protects it and my credit card data.
I'd like an ftp replacement that only allows file downloads from a restricted tree, with encryption, installed by default on typical operating systems (disabled until enabled of course), but running by default on a port other than tcp/22.

ftp of course is not encrypted. It also has an obsolete client server communication mechanism using two separate tcp sockets. Most people suggest replacing it with sftp, typically running over port 22. As a firewall guy I often find myself opening port 22 inbound through the firewall from specific sources to an sftp server.

All it takes is a misconfiguration on the server, or eventual replacement of the server reusing the same IP address, to have accidentally allowed ssh access inbound through the firewall.

It is, of course, possible to manually configure sftp to run on another port, and to implement that as a policy for a company. But the default (which is what is commonly implemented) is to have full shell access and limited file transfer access running on the same port.

Having these two services, with completely separate security implications, running by default on separate ports, would make implementing and auditing a firewall security policy easier.
Merry Christmas btw, hope you and all have a wonderful one!
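The layout the commenter is asking for, as an added example that is not part of the diary or of the comment above: the stock sshd arrangement (shell and SFTP both on tcp/22) beside a second, SFTP-only sshd instance on its own port with every session chroot-jailed, plus a small shell check that flags a config which is not SFTP-only before a firewall rule is written for it. The group name "sftponly", the port 2222 and the chroot path /srv/sftp/<user> are assumptions chosen for illustration; the directives themselves are standard OpenSSH sshd_config options.

```shell
#!/bin/sh
# Added example, not part of the ISC diary or of the comment above.
# Assumptions: OpenSSH sshd_config syntax; the group name "sftponly",
# the port 2222 and the chroot path /srv/sftp/<user> are illustrative.

# The commenter's complaint: the stock configuration below serves both
# interactive shells and SFTP on tcp/22, so a firewall rule that opens
# 22 "for SFTP" also opens shell access to whatever answers on that IP.
stock_config() {
    cat <<'EOF'
Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# A second sshd instance that can only serve files: separate port,
# every authenticating user chroot-jailed into their own tree and
# forced into the in-process SFTP server. Start it with
#   sshd -f /etc/ssh/sshd_sftp_config
# and leave the interactive sshd on 22 untouched (or firewalled).
sftp_only_config() {
    cat <<'EOF'
Port 2222
PidFile /run/sshd_sftp.pid
PasswordAuthentication no
AllowGroups sftponly
Subsystem sftp internal-sftp
Match Group sftponly
    # The chroot and every parent must be root-owned and not group/world writable
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Audit an sshd_config file. Returns 0 only when it listens somewhere
# other than 22, chroots sessions and forces internal-sftp; anything
# else (including a missing Port line, which means the default 22)
# returns 1. Run it on the file before opening a firewall rule "for SFTP".
sftp_only_audit() {
    cfg="$1"
    grep -Eq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" || return 1
    grep -Eq '^[[:space:]]*Port[[:space:]]+22[[:space:]]*$' "$cfg" && return 1
    grep -Eq '^[[:space:]]*ChrootDirectory[[:space:]]+[^[:space:]]' "$cfg" || return 1
    grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp[[:space:]]*$' "$cfg" || return 1
    return 0
}

# Stand-alone demonstration on the two constructed configs.
tmp=$(mktemp -d)
stock_config > "$tmp/stock"
sftp_only_config > "$tmp/sftp_only"
for f in stock sftp_only; do
    if sftp_only_audit "$tmp/$f"; then
        echo "$f: SFTP-only, safe to expose on its own port"
    else
        echo "$f: NOT SFTP-only, do not open it through the firewall as an SFTP server"
    fi
done
rm -r "$tmp"
```

Running the SFTP-only instance as a separate sshd process (rather than a Match block inside the main config) is what gives the separate listening port the commenter wants, so the firewall rule for 2222 can never reach a shell even if the host behind the IP is later rebuilt with a default sshd on 22. The audit is deliberately strict: a file with no Port line is treated as port 22, and a Match block without ChrootDirectory fails, since internal-sftp without a chroot still exposes the whole filesystem to the SFTP user.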

My "Security" Christmas list would be:

1. Full support from the business, that security is meant to block silly ideas and save the company from itself;
2. That there is no such thing as 100% blame on the security team, all blame lies with the data owner;
3. That there is a data owner within the "business";
4. That there is peace in the world;
5. That information security risk management was a persistent reality;
6. That information security awareness and training was part of the appraisal processes and changed every year to suit the business and tailored to its departments;
7. That everyone is loved.

Soppy, unrealistic? Maybe, maybe not.
These are the things I'd put on my list.

Merry Christmas.
On my Security Christmas wishlist I would put suitable patch management for the "Internet of Things", so that in future special devices like fridges, glasses, cars, ..., get security fixes in the short term, too.
