Today, I spent a rather grueling couple of hours taking an assessment of my network security skills. The assessment, for reasons known only to the assessors, focused more on Linux configuration, firewall and router commands than on security theory and principles. If you needed to hire a security administrator for your company which person would you choose: The guy who has memorized all of the commands for your brand of firewall/router; or, the person who understands security on a conceptual level? I’d choose the latter every time.
This goofy focus on configuration skills to the almost complete exclusion of general security knowledge got my brain gears meshing in overdrive; I decided to look deeper and see if I could find other examples of erroneous ideas of what constitutes good security. It wasn’t easy, except for picking number one. Here are my Top Five Security Faux Pas beginning with number five:
- 5. Relying Solely on Software Security Updates–What, you’ve never heard of a zero-day exploit? C’mon, we professionals know that the bad guys are usually first to discover the security flaws and they’re the first to exploit them.
- 4. Altering the Firewall–Oh! There’s a threat? Let’s add a rule to the firewall. You have a Cisco Certified CCIE-Security on staff? Good for you! If not, this isn’t a good option.
- 3. Failure to Monitor the Network–If you don’t analyze the firewall, IDS and server logs, you’re likely missing things that shouldn’t be. Buried among those thousands of failed attempts a finding an open port are those few that manage to attempt a connection and fail. Do you see them?
- 2. Failure to Consider Internal Threats–Your employees are all angels, right? They always follow the security guidelines, policies and procedures you set for them. Outright malice aside, what if that thumb drive they plugged in this morning picked up a trojan from their home computer last night? Oh, oh! You’re pwned.
- 1. Mistaking Technical Expertise for Security Savvy–So, the new “Sec Admin” can configure any router or firewall and knows all the commands to “protect” your network. So, what? Can he teach the receptionist how to detect and thwart a telephone phishing attempt? Does he even know how someone would go about that? If not, you’re doomed…
Suggestion for all you folks who love to do “assessments” of candidates’ “network security” abilities: Assess their security mindset, not their ability to memorize arcane firewall configuration commands. It does no good to block malicious packets at the firewall when Suzy Secretary is injecting them into the local network or becoming easy prey to the perpetrator of a telephone phishing attack.