Shostack + Friends Blog Archive


Security 101: Show Your List!

Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords! That’s security 101!”

Now, I’m unsure if that’s “security 101” or not. I think security 101 for passwords is “don’t store them in plaintext”, or “don’t store them with a crypto algorithm you designed”. Ten years ago, it would have included salting, but with the speed of GPU crackers, maybe it doesn’t anymore. A good library would probably still include it. Maybe LinkedIn was spending more on preventing XSS or SQL injection, and that pushed password storage off their list. Maybe that’s right, maybe it’s wrong. To tell you the truth, I don’t want to argue about it.
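To make the "plaintext versus salted" distinction concrete, here is a small added example (my own illustration, not code from the post or from LinkedIn). It contrasts a single fast, unsalted hash with a per-user random salt fed into a deliberately slow key-derivation function; PBKDF2-HMAC-SHA256 and the 600,000-iteration work factor are choices I have assumed for the example, and the user records are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample accounts (not real data). Two users chose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}

# Assumed work factor: tune so one verification costs tens of milliseconds on your hardware.
ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak pattern: one fast hash, no salt. Equal passwords give equal stored values,
    and a single precomputed table serves every account in the database."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_kdf(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256, assumed for this example).
    The stored record carries the scheme, iteration count and salt so the work factor
    can be raised later without a migration of every row at once."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count and compare in constant time."""
    scheme, iters, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def duplicate_value_count(records: Dict[str, str]) -> int:
    """Number of users whose stored value is shared with at least one other user.
    With unsalted hashing this count reveals which accounts share a password;
    with per-user salts it is 0 even when the passwords are identical."""
    values = list(records.values())
    return sum(1 for v in values if values.count(v) > 1)


if __name__ == "__main__":
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: salted_kdf(p) for u, p in USERS.items()}
    print("shared values, unsalted:", duplicate_value_count(unsalted))  # alice and bob collide
    print("shared values, salted:  ", duplicate_value_count(salted))
    print("carol logs in:", verify(salted["carol"], "hunter2"))
    print("wrong password:", verify(salted["carol"], "hunter3"))
```

The point of the slow KDF is that it shifts the cost curve the post mentions: a salt alone stops one precomputed table from covering every user, but only the work factor makes each guess expensive enough to matter against GPU crackers, and storing the iteration count in the record is what lets you raise it as hardware improves.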

What I want to argue about is the backward-looking nature of these statements. I want to argue because I did some searching, and not one of those folks I searched for has committed to a list of security 101, or what are the “simple controls” every business should have.

This is important because otherwise, hindsight is 20/20. It’s easy to say in hindsight that an organization should have done A or B or C. It’s harder to offer up a complete list in advance, and harder yet to justify the budget required to deploy and operate it.

So I’m going to make three requests for 2015:

  • If you’re an expert (or even play one on the internet), and if you want to say “X is Security 101,” please publish your full list of what’s “101.”
  • If you’re a reporter and someone tells you “X is security 101” please ask them for their list.
  • Finally, if you’re someone who wants to see security improve, and you hear claims about “101”, please ask for the list.

Oh, and since it’s sauce for the gander, here’s my list for individuals:

  • Stay up to date–get most of your machines on the latest revisions of software and get patches for security issues installed, especially in your browser and AV software.
  • Use a firewall that blocks most inbound traffic.
  • Ensure you have a working backup of your data.

(There are complex arguments about AV software, and a lack of agreements about how to effectively test it. Do you need it? Will it block the wildlist? There’s nuance, but that nuance doesn’t play into a 101 list. I won’t be telling people not to use AV software.)

*By “lately,” I meant in 2012, when I wrote this, right after the LinkedIn breach. But I recently discovered that I hadn’t posted it.

[Update: I’m happy to see Ira Winkler and Araceli Treu Gomes took up the idea in “The Irari rules for declaring a cyberattack ‘sophisticated’.” Good for them!]

3 comments on "Security 101: Show Your List!"

  • Ken says:

    I agree somewhat that people are quick to blame the victim for not having X. It’s a bit like people used to blame banks for not having enough protection against armed thieves; now it’s a PITA to do physical banking so it’s all online and we face the same problems again.

    I don’t know of a “101” per se, but I do know that SANS make a very good attempt at it with their 20 critical controls:

    https://www.sans.org/critical-security-controls/

    • Adam says:

      Thanks Ken! I think that the SANS list is a good start. However, it’s really not 20 controls, but over a hundred, as each of the 20 is broken out into a dozen or more sub-controls.

      I’m going to ask this one in a more confrontational manner than it perhaps deserves: would you say that anyone not implementing each of the 20 controls and each sub-control is failing “security 101”?

  • Katrina L. says:

    I’ve heard that term countless times since I’ve become involved with the InfoSec community, and I’m glad someone shares the same sentiments as me. I really think that people love hearing themselves sound “smarter” than others when it comes to security. It’s easy to say so-so should have done x when you’re on the other side of the situation.

    Of course, there are definitely situations where yes, situation x was Security 101 (like not storing passwords in plaintext), but I find that most of the time, the situation is a lot more complex than people try and make it out to be. If everything was as common knowledge as folks make it out to be, we wouldn’t see half of the breaches we do.
