Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
9/25/2013
09:44 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

The New KISS Rule: Keep Information Security Simple

IT environments are becoming more complex; the solution may be simpler security

"Complexity is the worst enemy of security." Bruce Schneier said that in relation to the challenge of securing increasingly complex IT environments, but the same can be said of information security solutions themselves. As security professionals, we love to be in control and to have every available knob and dial at our disposal. Yet the more complex a security system is, the less likely we are to take full advantage of available features, to apply policies consistently, and to avoid configuration mistakes.

Have you ever opted to delay or avoid deploying a security feature because it just required too much time to configure properly? HIPS is a technology that provides valuable protection against new strains of malware for workstations and servers. Some HIPS implementations require just the check of a box to toggle them on, while others require weeks or months of tuning and testing. The latter provide more fine-grained control and perhaps even better security ... if you use them. Potential doesn't stop attacks; deployed solutions do.

Complexity can also rear its ugly head when trying to consistently apply security policies across systems. Data loss prevention (DLP) is all the rage these days, but applying rules uniformly across workstations, servers, mobile devices, email systems, and network gateways can be a nightmare. Multiple systems, each with their own management consoles, policy definitions, and terminology conspire against consistent results. Integrated single vendor solutions, long the targets of security professionals' disdain, may be worth reconsidering if they can ensure consistency and require less of your team's attention.

Simplicity also helps to avoid configuration mistakes. Firewalls and IDS systems are classic examples where rule sets and configuration options quickly become so elaborate that errors are virtually inevitable. This argues for both simplifying the rules where possible -- fewer IDS rules that can be more carefully tuned and monitored may be more effective than a more comprehensive set -- and for seeking out network security solutions with simple, uncluttered interfaces that make it easy to keep track of everything you need to manage.

Easy management, push-button configuration, and product integration have not historically been the "holy trinity" of security. Demands for greater control and vendor diversity have pushed simplicity to the background. But with growing complexity contributing to mistakes, inconsistencies, and protection capabilities sitting on a shelf, it may be time to rethink the approach. Perhaps it's time to keep information security simple. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ANON1233964134849
50%
50%
ANON1233964134849,
User Rank: Apprentice
9/27/2013 | 11:21:53 PM
re: The New KISS Rule: Keep Information Security Simple
Maxim, I can only disagree with your point on the complexity of DLP. Having been a reseller of GTB Technologies DLP for many years, I can contend to GTB's simplicity of installation & use, while delivering a technically superior product.

It's a fully integrated system running from ONE Console with support for ONE POLICY across ALL GTB DLP products and functions (data in motion, data in use, data at rest, data classification.

A comprehensive system which performs Real-Time Data Classification
on Data at Rest and in Motion while automatically enforcing data security
policies.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio