Many security policies are a waste of time

2010-04-14 07:57:07 by chort

Ready for a shocker? A lot of the things your IT/Security department makes you do are stupid. According to Microsoft researcher Cormac Herley quoted in The Boston Globe, many "common sense" security practices are economically unwise. In plain English: You lose more money following a lot of security recommendations than you would by just letting the bad thing happen and dealing with the aftermath.

To continue, flip over the keyboard and read the sticky note...

The common practice singled out in the Globe article is password changes, i.e. policies that require changing passwords every X number of days and not being able to reuse Y previous passwords. It sounds like a great idea, but is it really?

Let's think about it--a bad actor exploits a machine via a phishing attack or drive-by download. Now they own the desktop, drop a rootkit, install a keystroke logger, ferret out saved passwords, etc. Within minutes (or seconds) the malware has phoned home to drop off its bundle of goodies and continues collecting passwords in real time as they're typed. How long do you think the Bad People of Indeterminate Gender™ will wait before they log in? Will it be less than 90 days? 45 days? 30 days? Those are the common password validity periods, and playing the probabilities we can figure a significant number of compromises will happen in the first half of that window (i.e. with 15+ days still left on the password).

There are lots of examples of these kinds of brain-dead policies. One of my favorites is trying to limit outbound connections to partners by hostname rather than by IP block. Why? Because netblocks create "too big of a hole". Really, outbound connections to your partners are a risk to your company? So you either do the DNS lookup once and put the result in your firewall forever, meaning that if the DNS record ever changes your stuff stops working, or you have your firewall do a DNS lookup for every packet it receives to see whether it matches a hostname that should have access.

This ignores the fact that DNS is inherently insecure and could be spoofed, which would allow connections to anywhere. That's a whole lot less secure than only allowing connections to your partners' IP blocks. Just think of all the time wasted trying to manually maintain and update the list of hostname-to-IP mappings, or the performance burden of a DNS lookup for every packet, just so there isn't a "big hole". I've run into this several times, and no one can ever explain to me what the rationale is, other than "those are the rules" and "because of security".
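To make the two failure modes concrete, here is an added example (not from the original post) that models the three egress policies side by side: an allowlist keyed on partner netblocks, a hostname rule whose lookup was done once and frozen, and a hostname rule resolved at decision time through whatever resolver the firewall trusts. All addresses and hostnames are constructed from RFC 5737 documentation ranges; the resolver functions are stand-ins for DNS so the script runs offline.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

# Constructed allowlist of partner netblocks (RFC 5737 documentation ranges).
PARTNER_NETBLOCKS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/28"),
]

# Constructed hostname rule: the lookup was done once when the rule was written.
FROZEN_RULE: Dict[str, str] = {"api.partner.example": "203.0.113.10"}


def allowed_by_netblock(dst: str, blocks: Iterable[ipaddress.IPv4Network] = PARTNER_NETBLOCKS) -> bool:
    """Egress rule keyed on IP blocks: no DNS is consulted at decision time."""
    ip = ipaddress.ip_address(dst)
    return any(ip in block for block in blocks)


def allowed_by_frozen_hostname(dst: str, rule: Dict[str, str] = FROZEN_RULE) -> bool:
    """Hostname rule resolved once and stored: only the stored address ever matches."""
    return dst in rule.values()


def allowed_by_live_hostname(dst: str, hostnames: Iterable[str], resolve: Callable[[str], str]) -> bool:
    """Hostname rule resolved on every decision: the answer is whatever the resolver says."""
    return any(resolve(name) == dst for name in hostnames)


def honest_resolver(name: str) -> str:
    # Partner has moved its API host within its own block (constructed address).
    return {"api.partner.example": "203.0.113.20"}[name]


def spoofed_resolver(name: str) -> str:
    # A forged answer pointing outside the partner's ranges (constructed address).
    return "192.0.2.66"


def scenario() -> Dict[str, bool]:
    """Evaluate each policy against a legitimate partner move and a forged DNS answer."""
    partner_new_host = "203.0.113.20"   # still inside 203.0.113.0/24
    rogue_host = "192.0.2.66"           # outside every partner block
    return {
        # Netblock rule keeps working after the partner renumbers within its block.
        "netblock_after_partner_move": allowed_by_netblock(partner_new_host),
        # Frozen hostname rule silently breaks legitimate traffic after the move.
        "frozen_after_partner_move": allowed_by_frozen_hostname(partner_new_host),
        # Live hostname rule with an honest resolver follows the move.
        "live_honest_after_partner_move": allowed_by_live_hostname(
            partner_new_host, FROZEN_RULE.keys(), honest_resolver),
        # Live hostname rule with a forged answer opens egress to an arbitrary address.
        "live_spoofed_to_rogue": allowed_by_live_hostname(
            rogue_host, FROZEN_RULE.keys(), spoofed_resolver),
        # Netblock rule denies the same address regardless of what DNS says.
        "netblock_rogue": allowed_by_netblock(rogue_host),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:32s} {'ALLOW' if verdict else 'DENY'}")
```

The netblock policy is the only one that both survives the partner renumbering and ignores a forged resolver answer; the frozen rule fails closed on legitimate traffic, and the live rule fails open on whatever DNS returns.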

Where do these stupid and counter-productive rules come from? They come from people who benefit from complex rules, because they can sell more software, renew more licenses, get more consulting gigs, bill more hours for auditing, or just plain justify using their ass as a seat warmer.

I remember when the Enron scandal blew up and resulted in SOX. From my perspective, it looked like all the auditing firms who had egg on their face for collaborating with Enron managed to get their lobbyists to write language into SOX tailored to require more auditing. The more rules you make up, the more time it takes to check that companies are complying with them, and the more products need to be created to "solve" the "problems" the rules are addressing.

Most office workers know this first-hand, because they deal with it every day. They have to put up with some anti-social jerk from IT or Security telling them what they can and can't do, forcing them to change their password, go through proxies they don't need, implement counter-productive firewall policies, and just generally waste everyone's time, all to justify keeping a dedicated security resource on the payroll.

It's high time people started asking what it is they're actually trying to prevent, and what the most cost-effective way is to mitigate it, taking into account the value of people's time. I don't know about at your office, but at mine people are paid to be there, so every minute someone is doing some pointless process is a minute they aren't generating revenue.

Security practitioners should really know better. Stop following along with the "everybody knows you should ____" BS and start asking what makes sense. You can't follow a checklist to better security. Figure out how your business runs and what the biggest risks to it are, then figure out what will make the biggest mitigation impact for the least cost (in money and time).

PS you won't go to hell for writing down your password. Just sayin...
