Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Guest Blog // Selected Security Content Provided By Sophos
What's This?
9/25/2013
09:44 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
50%
50%

The New KISS Rule: Keep Information Security Simple

IT environments are becoming more complex; the solution may be simpler security

"Complexity is the worst enemy of security." Bruce Schneier said that in relation to the challenge of securing increasingly complex IT environments, but the same can be said of information security solutions themselves. As security professionals, we love to be in control and to have every available knob and dial at our disposal. Yet the more complex a security system is, the less likely we are to take full advantage of available features, to apply policies consistently, and to avoid configuration mistakes.

Have you ever opted to delay or avoid deploying a security feature because it just required too much time to configure properly? HIPS is a technology that provides valuable protection against new strains of malware for workstations and servers. Some HIPS implementations require just the check of a box to toggle them on, while others require weeks or months of tuning and testing. The latter provide more fine-grained control and perhaps even better security ... if you use them. Potential doesn't stop attacks; deployed solutions do.

Complexity can also rear its ugly head when trying to consistently apply security policies across systems. Data loss prevention (DLP) is all the rage these days, but applying rules uniformly across workstations, servers, mobile devices, email systems, and network gateways can be a nightmare. Multiple systems, each with their own management consoles, policy definitions, and terminology conspire against consistent results. Integrated single vendor solutions, long the targets of security professionals' disdain, may be worth reconsidering if they can ensure consistency and require less of your team's attention.

Simplicity also helps to avoid configuration mistakes. Firewalls and IDS systems are classic examples where rule sets and configuration options quickly become so elaborate that errors are virtually inevitable. This argues for both simplifying the rules where possible -- fewer IDS rules that can be more carefully tuned and monitored may be more effective than a more comprehensive set -- and for seeking out network security solutions with simple, uncluttered interfaces that make it easy to keep track of everything you need to manage.

Easy management, push-button configuration, and product integration have not historically been the "holy trinity" of security. Demands for greater control and vendor diversity have pushed simplicity to the background. But with growing complexity contributing to mistakes, inconsistencies, and protection capabilities sitting on a shelf, it may be time to rethink the approach. Perhaps it's time to keep information security simple. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ANON1233964134849
50%
50%
ANON1233964134849,
User Rank: Apprentice
9/27/2013 | 11:21:53 PM
re: The New KISS Rule: Keep Information Security Simple
Maxim, I can only disagree with your point on the complexity of DLP. Having been a reseller of GTB Technologies DLP for many years, I can contend to GTB's simplicity of installation & use, while delivering a technically superior product.

It's a fully integrated system running from ONE Console with support for ONE POLICY across ALL GTB DLP products and functions (data in motion, data in use, data at rest, data classification.

A comprehensive system which performs Real-Time Data Classification
on Data at Rest and in Motion while automatically enforcing data security
policies.
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...