Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
9/25/2013
09:44 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

The New KISS Rule: Keep Information Security Simple

IT environments are becoming more complex; the solution may be simpler security

"Complexity is the worst enemy of security." Bruce Schneier said that in relation to the challenge of securing increasingly complex IT environments, but the same can be said of information security solutions themselves. As security professionals, we love to be in control and to have every available knob and dial at our disposal. Yet the more complex a security system is, the less likely we are to take full advantage of available features, to apply policies consistently, and to avoid configuration mistakes.

Have you ever opted to delay or avoid deploying a security feature because it just required too much time to configure properly? HIPS is a technology that provides valuable protection against new strains of malware for workstations and servers. Some HIPS implementations require just the check of a box to toggle them on, while others require weeks or months of tuning and testing. The latter provide more fine-grained control and perhaps even better security ... if you use them. Potential doesn't stop attacks; deployed solutions do.

Complexity can also rear its ugly head when trying to consistently apply security policies across systems. Data loss prevention (DLP) is all the rage these days, but applying rules uniformly across workstations, servers, mobile devices, email systems, and network gateways can be a nightmare. Multiple systems, each with their own management consoles, policy definitions, and terminology conspire against consistent results. Integrated single vendor solutions, long the targets of security professionals' disdain, may be worth reconsidering if they can ensure consistency and require less of your team's attention.

Simplicity also helps to avoid configuration mistakes. Firewalls and IDS systems are classic examples where rule sets and configuration options quickly become so elaborate that errors are virtually inevitable. This argues for both simplifying the rules where possible -- fewer IDS rules that can be more carefully tuned and monitored may be more effective than a more comprehensive set -- and for seeking out network security solutions with simple, uncluttered interfaces that make it easy to keep track of everything you need to manage.

Easy management, push-button configuration, and product integration have not historically been the "holy trinity" of security. Demands for greater control and vendor diversity have pushed simplicity to the background. But with growing complexity contributing to mistakes, inconsistencies, and protection capabilities sitting on a shelf, it may be time to rethink the approach. Perhaps it's time to keep information security simple. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ANON1233964134849
50%
50%
ANON1233964134849,
User Rank: Apprentice
9/27/2013 | 11:21:53 PM
re: The New KISS Rule: Keep Information Security Simple
Maxim, I can only disagree with your point on the complexity of DLP. Having been a reseller of GTB Technologies DLP for many years, I can contend to GTB's simplicity of installation & use, while delivering a technically superior product.

It's a fully integrated system running from ONE Console with support for ONE POLICY across ALL GTB DLP products and functions (data in motion, data in use, data at rest, data classification.

A comprehensive system which performs Real-Time Data Classification
on Data at Rest and in Motion while automatically enforcing data security
policies.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.