
There have been multiple times in my career when I've encountered someone caught up in the 'sex appeal' of a security technology without looking at the practicality, relative to everything else, of what they were trying to achieve as a whole. One encounter I remember was an on-site discussion with a security staffer at a large financial institution. I was going over some security audit findings, and he remarked that he was disappointed their password policy hadn't failed the audit. I responded that their password policy was actually very good and well above industry best practice at the time, particularly in password length. His response was that it could always be made stronger by requiring more characters. That is true, but given the numerous other critical areas that had failed the audit, and therefore allowed an arbitrary attacker to compromise practically any desktop or server on their network, what was the real value of requiring longer passwords? He failed to see that there were easier ways for an attacker to get at the same data without dealing with passwords or their strength at all; an increase in password length for its own sake would not have provided any additional protection.
Sure, it's important to 'raise the bar' for security to lofty heights. But there comes a point where additional effort spent raising the bar of a single control returns little additional security benefit (i.e. poor security ROI). And there will inevitably be a point where further improving a specific control is pointless, because an alternate avenue of attack now has a comparatively much lower bar. In other words, you are wasting valuable security dollars by over-doing one control while another control protecting the same resource delivers poor security benefit.
So every time you think about adding a control or increasing the strength of an existing one, take a moment, step back, and consider the level of security provided by the controls covering the alternate avenues of attack. If those other controls are under-performing, consider raising their security level instead. Otherwise you will find all of your great security effort negated by a clever-but-predictable use of a $5 wrench.
Until next time,
- Jeff