You can't secure what you don't acknowledge.SM

Monday, February 9, 2015

Back to basics in information security? Proven year after year but (apparently) unattainable for many.

I'm often wrong about many things in life...just ask my wife. However, I'm feeling a bit vindicated regarding my long-standing approach to information security: address the basics, minimize your risks.

You see, more and more research is backing up what I've been saying for over a decade. It's what was uncovered in the new Cisco 2015 Annual Security Report. [i.e. "Less than 50 percent of respondents use standard tools such as patching and configuration to help prevent security breaches."...among many other things.]

The new Online Trust Alliance report found the same things.

CyActive had similar findings as well in their new study. ["Some of the worst attacks of this year could have been avoided, saving companies, governments and consumers millions of dollars" ... "Unfortunately, reactive defense remains the common denominator today, despite the overwhelming evidence of reused and recycled components seen in the most notorious attacks."]

The brand-new Trustwave State of Risk Report backs up this reality, and does so every year. [i.e. "60% run external vulnerability scans on critical systems (third-party hosted) less frequently than every quarter. Meanwhile, 18% never perform penetration tests." I'll venture to guess that 80+ percent of organizations are not looking at all of their systems that count...]

The same goes for the Verizon Data Breach Investigations Report.

Ditto for the Chronology of Data Breaches...on a daily basis.

These results combined with what I see in my work and I'm even more convinced that if we focused on the basic principles of information security such as the ones I listed here six years ago, what I wrote for in 2004, many of the concepts we learn during CISSP training...not to mention the ones listed in these two publications:

What gives!? What's it going to take to fix our security problems?

No thanks, Øbama, we don't need your approach to continued government growth that'll fix information security no more than your "healthcare" law has fixed healthcare.

I'm not convinced we need a federal data breach law, either (thanks anyway, American Bankers Association). I believe we have enough laws on the books for now...

What we're seeing in information security (i.e. people who ignore the basics and end up perplexed by why bad things keep happening) is not unlike what society does with social issues. Every generation has their own ideas on how to fix the world's ills (namely passing more laws and redistributing more wealth) but we're still not focusing on the essentials that have proven to work across generations (i.e. free markets, lower taxes/regulation, coaching people to believe in themselves, etc.) and, thus, the problems continue.

As Jim Rohn once said: Success is easy, but so is neglect.

The title of this recent SC Magazine piece on the subject says we need a new approach. I respectfully disagree. We need discipline.

What we need to fix the security challenges we face are people willing to stop buying into the hype brought forth by vendors and analysts, especially those who stand to make money off of their shiny new products or services - not to mention the self-proclaimed security ninjas and cyber warriors who know everything about security, in their own minds. We then need these people to acknowledge that merely 20 percent of their security vulnerabilities are creating 80 percent of their problems. Finally, we need people who are willing to be leaders and step up and do something about these weaknesses....

Otherwise, step aside and let someone else do what needs to be done.

I know it's not that difficult. I see plenty of organizations who are successful in security. The problem is that most are not.

As Ayn Rand, author of Atlas Shrugged, said: You can avoid reality, but you cannot avoid the consequences of avoiding reality. The time to start recognizing history and learning from other people's woes is now. Use your power of choice...Don't be a dodger. Confront the issue, fix it, and get this behind you once and for all.