Commentary on the Seven Deadly Sins of Network Security

Authors:
  • Eric Goldman

18 Dec 2008   ::   Security   ::   #networking #firewalls #patches #human factors #verizon

 

Summary

In Brenner’s article [1] on network security, he highlights what he considers to be the major mistakes or misjudgments made by IT administrators when evaluating, planning, and performing security activities. While the author focuses his “seven deadly sins” on network security, they are certainly applicable to enterprise security in general. The first sin is “not measuring risk”. The author describes this sin as not consciously evaluating security concerns as business problems. This results in a mindset where an organization believes that an investment in firewalls and virus scanners is sufficient means of addressing any and all possible security concerns. The second sin is the belief that regulatory compliance is equivalent to security management. For example, an organization is easily led to believe that if they meet all regulatory measures that they either are secure or are not responsible to take further action. The third sin is when the enterprises views security as a technology problem without regard to human factors. Even the most secure system can be defeated through human ignorance, incompetence, or malicious intent. The fourth sin is improper configuration and management of access controls for systems. Loose configurations result in users having elevated privileges from a business perspective and lead to holes for attackers. The fifth sin is “lax patching procedures”. The author cites a Verizon report [2] which shows that most attacks result from vulnerabilities that have had patches for a longer period of time, such as Sasser. The sixth sin is lax logging and monitoring; that while these tools may be running, they are not used or their reports are analyzed sufficiently. The last of the seven deadly sins is that modern networked systems have become too complex to effectively manage. The author’s complaint here is that organizational networks continue to grow and often the network engineers “bolt one device onto the next” in ways which lead to complex management and configuration.

Relationship to Enterprise Security

This article provides a useful, high-level view of security challenges faced in the enterprise. While written with network security in mind, most of the concepts can apply to many other domains of enterprise security. The first two sins deal directly with how the organization views security issues as business problems. First, security is not taken seriously in all situations; nor is the business impact well understood. As a result, risk is not properly assessed and is not sufficiently minimized. Purchasing and installing security software and hardware is not sufficient; technology does not understand business problems and cannot easily determine which assets require a particular level of security. The second sin is of critical importance to the modern enterprise. While the business must comply with regulatory measures, these measures were not designed to provide complete security nor were they developed as technical step by step guides. Enterprises are composed of both humans and information systems; as a result the third sin is of crucial importance. While technological measures can be put in place, users may try to circumvent them to increase convince or may accidently disable some security feature. Furthermore, policies must be developed in order to minimize human impact while at the same time employees must be educated on how to use information systems in a secure manner and on the overall importance of security to the organization.

The other sins on the list relate to proper management of security tools and procedures. The importance of timeliness is one of the key concepts in this article. Patches need to be tested and deployed within a fairly short period of time. It is unacceptable to put off patching or eliminating a security concern for an extended period of time. Once the security staff becomes aware of a problem, action must be taken to remedy the situation; failure to act will likely be considered negligence if a known security hole is used to perpetrate an attack. In addition, if the organization has tools to detect and locate problems, they should actively be monitoring these logs or reports and plan appropriate action. For example, a traffic log may show malicious traffic, but without human analysis and review logging is useless for the organization. Lastly, the author discusses the KISS (keep it simple stupid) principle. As discussed in class, enterprise systems are not trivial, which adds additional layers of complexity on top of already complex information systems. Therefore, the security staff should work hard to ensure that they are not making their own jobs harder. In general, information systems management needs to be compartmentalized into small, manageable pieces. A system which is left to grow more complex results in higher costs and in terms of security greatly increases the difficulty of protecting such a system.

Analysis/Discussion

This article is very useful for the CIO or IT security team. It brings awareness to many concepts which may not be obvious in most cases. Security is often viewed as a technology problem, when clearly it is business problem (just because a security protect exists for some system does not mean that system is worth the investment and other associated costs). It is not important to secure the “network”, but it is important to secure the enterprise. This subtle difference in philosophy makes all the difference. For example, regulatory compliance creates a minimum of security and represents the government’s beliefs on what is important in terms of security. The government’s concerns are not exactly a perfect overlap with every individual organization’s needs and goals; therefore, an enterprise must expand their security program to address regulatory requirements as well as the organization’s own needs and goals. While human factors and efficient procedures are often cited as reasons for poor security, the concept of regulatory compliance versus security is an idea which is not commonly discussed. However, with the complexity and cost of meeting compliance, it is not hard to imagine that organizations stop their security efforts after meeting compliance. For many in management positions, security and compliance is seen as an impediment to carrying out normal business operations. However, the smart enterprise realizes that security is crucial to continued success and will lead to better overall management and understanding of the information systems within the organization. Compliance is not about protecting the organization, it is concerned with protecting those external to the organization. With this in mind, the enterprise security team will understand that they, not the government, are ultimately responsible for developing the plan of action used for ensuring the security of their assets, information, and systems.

Bibliography

  1. Brenner, Bill. The Seven Deadly Sins of Network Security. CSO Online. [Online] December 10, 2008. [Cited: December 11, 2008.] http://csoonline.com/article/470095/The_Seven_Deadly_Sins_of_Network_Security?page=1.

  2. Baker, Wade H., Hylender, C. David and Valentine, J. Andrew. 2008 Data Breach Investigations Report. The Verizon Business Risk Team, Verizon Business. 2008.