Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
9/25/2013
09:44 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
50%
50%

The New KISS Rule: Keep Information Security Simple

IT environments are becoming more complex; the solution may be simpler security

"Complexity is the worst enemy of security." Bruce Schneier said that in relation to the challenge of securing increasingly complex IT environments, but the same can be said of information security solutions themselves. As security professionals, we love to be in control and to have every available knob and dial at our disposal. Yet the more complex a security system is, the less likely we are to take full advantage of available features, to apply policies consistently, and to avoid configuration mistakes.

Have you ever opted to delay or avoid deploying a security feature because it just required too much time to configure properly? HIPS is a technology that provides valuable protection against new strains of malware for workstations and servers. Some HIPS implementations require just the check of a box to toggle them on, while others require weeks or months of tuning and testing. The latter provide more fine-grained control and perhaps even better security ... if you use them. Potential doesn't stop attacks; deployed solutions do.

Complexity can also rear its ugly head when trying to consistently apply security policies across systems. Data loss prevention (DLP) is all the rage these days, but applying rules uniformly across workstations, servers, mobile devices, email systems, and network gateways can be a nightmare. Multiple systems, each with their own management consoles, policy definitions, and terminology conspire against consistent results. Integrated single vendor solutions, long the targets of security professionals' disdain, may be worth reconsidering if they can ensure consistency and require less of your team's attention.

Simplicity also helps to avoid configuration mistakes. Firewalls and IDS systems are classic examples where rule sets and configuration options quickly become so elaborate that errors are virtually inevitable. This argues for both simplifying the rules where possible -- fewer IDS rules that can be more carefully tuned and monitored may be more effective than a more comprehensive set -- and for seeking out network security solutions with simple, uncluttered interfaces that make it easy to keep track of everything you need to manage.

Easy management, push-button configuration, and product integration have not historically been the "holy trinity" of security. Demands for greater control and vendor diversity have pushed simplicity to the background. But with growing complexity contributing to mistakes, inconsistencies, and protection capabilities sitting on a shelf, it may be time to rethink the approach. Perhaps it's time to keep information security simple. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ANON1233964134849
50%
50%
ANON1233964134849,
User Rank: Apprentice
9/27/2013 | 11:21:53 PM
re: The New KISS Rule: Keep Information Security Simple
Maxim, I can only disagree with your point on the complexity of DLP. Having been a reseller of GTB Technologies DLP for many years, I can contend to GTB's simplicity of installation & use, while delivering a technically superior product.

It's a fully integrated system running from ONE Console with support for ONE POLICY across ALL GTB DLP products and functions (data in motion, data in use, data at rest, data classification.

A comprehensive system which performs Real-Time Data Classification
on Data at Rest and in Motion while automatically enforcing data security
policies.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1375
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.

CVE-2015-1376
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.

CVE-2015-1419
Published: 2015-01-28
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.

CVE-2014-5211
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

CVE-2014-8154
Published: 2015-01-27
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.