58 replies to this topic

[droppunx]

The way I look at it is if you are a network admin your job is to decrease intrution/attack to the most minimal degree possible. Now comes your question/poll: what is the greatest factor in decreasing it?

Well I don't think you can answer that with those three options, I think we'd all agree they are all important, and without them all your network security will fail. I do think however that as a network admin you should concentrate on improving what you know you can improve, and making the variables as low as possible. Well I think the out of those 3 varialbes the one to work on the most is technology, because this is a variable that, as tibbar very rightly stated:

the ids + firewall will stop 95% of lan bypassing backdoors.

so my point is that people are always a weak point, but with careful use of technology we can limit the damage people can cause

improve technology, it's the greatest defense and the most reliable of the three varialbes.

my $.02 as a two-bit student starting comp eng'ing

[ladykidtwist]

a combination of all these three is ideal... people and process is 2nd best and human factor is is worth noting than processes and appliances...

[beardednose]

The way I look at it is if you are a network admin your job is to decrease intrution/attack to the most minimal degree possible.

I think most users and mgmt would see your job more as giving folks access to stuff and keeping the hw/sw running, but I do agree decrease attacks is critical as it keeps things going. Users and mgmt don't seem to connect the "keep it up" with the need for security.

  a combination of all these three is ideal... people and process is 2nd best and human factor is is worth noting than processes and appliances...

ladykidtwist, which is most important in your opinion? I didn't get that out of your reply...

[myth]

i chose policies, well the third option...

People do follow VERY closely, but its something that cannot be controlled, user education maybe, but people in my opinion are a dead option... The more i think of it, its a toss up between them.

you cant control people, but you can control what they do

but i can see the other side of the coin, policies and hardware are only defence, people tactics are offence... Using IDS and Policies will only be one step behind the threat, always, whereas controlling the people will allow you to avoid the problem in the first place... Prevention is better than cure

[SiLV3R]

Well, i think if your system got hacked it´s 80 % the fault of the admin of the system.
Because if you always update your system,firewall, anti-virus,etc., don´t click on bad links and choose safe passwords it´s very sure, that you won´t get hacked.

[whiskah]

let me change my stand to PROCESS(policies,procedures)

The goal of security policies is to define the procedures, guidelines and practices for configuring and managing security in your environment. By enforcing policy, u can minimize the risks and threats 2 your organization..

Information security policies underpin the security and well being of information resources.. they are the foundation, the bottom line, of information security within an organization.

So without well defined policies and procedures.. u are greatly putting your organization, your network and your users at risk..

that is why we have iso17799/bs7799

[ladykidtwist]

[

ladykidtwist, which is most important in your opinion? I didn't get that out of your reply...

<{POST_SNAPBACK}>

process (ie: policies and procedures) i agree with whiskah... it is for the admins safety also if a well-defined and implemented policy is concocted in his realm of work... no blame to the admin... if the standard procedure was implemented, whatever happens. proper policy will also act as foundation to planning, implementation, monitoring and evaluation of the infastructure.

[mekros]

people, i think...

c'mon. dont exclude yourself (as admins) from that category. the two other components are just there for us to utilize. one has to get to the source of these insecurities. i mean, whats the reason why there are holes in this application anyway and leaves our/your networks free to be exploited to the hands of other people who have nothing better to do. i hope everyone can see what im getting at 'cause my english is quite limited hehehe

[s3ntinel]

improve technology, it's the greatest defense and the most reliable of the three varialbes.

I have to disagree here, how many exploits use Web/Email vectors nowadays? A fair few, and most firewalls won't stop it, AV/Web security products will if it has a signature and IDS will detect it again if it has a signature.

Technology has it's place, as does process, but if you can dissuade a person from browsing to a site or opening an attachment in an email, then you stop more attacks.

let me change my stand to PROCESS(policies,procedures)

The goal of  security policies is to define the procedures, guidelines and practices for configuring and managing security in your environment. By enforcing policy, u can minimize the risks and threats 2 your organization..

Information security policies underpin the security and well being of information resources.. they are the foundation, the bottom line, of information security within an organization.

So without  well defined policies and procedures.. u are greatly putting your organization, your network and your users at risk..

that is why we have iso17799/bs7799

<{POST_SNAPBACK}>

It think the most important thing here is IF you can enforce policy.

If so, then I agree with your sentiment. However, security policy in reality presents the rules to follow. Human nature dictates that people will circumvent the rules based on a understanding (Or lack of it) of what is right and what is wrong. The trick is to educate the people into comprehending the ramifications of their actions, otherwise the policy looks good for audit but doesn't mean anything unless you catch someone in contravention of it. (Proactive is always better than reactive). Admittedly, you will always get people that will bypass policy,legislation etc, but you can reduce it substantially.

BTW, which do you feel is better; a company that gains *7799 to comply with an audit point/peer business pressure or a company that undertakes to understand the threats it faces and responsibly mitigates those threats?

In my experience, *7799/SOX/HPIAA are seen as mechanisms to be secure instead of a minimum standard that should be continually improved upon (How many companies are asking for people with compliance experience as opposed to experience of securing environments? The two are mutually exlusive)

[myth]

well BN ?

what was yuor side ?

[beardednose]

This is going to be a long reply, so hold onto yur fedoras. I'll have to do this in pieces.

My vote: People are the most important aspect of security, and usually the most neglected. Think about it this way:

One of the reasons we invented technology is because people are so naive and forgetful (read: stupid and lazy ).

The technologist that I was debating said that he felt technology plays a major role in security. Every reason he gave ended up depending on people.

I gave him 3 nosey reasons why people are more important than technology:

1) The software and hardware that we often depend on is often misconfigured (or not configured!) or crashes. In this case, technology can't help you.

2) People can turn off the technology or otherwise render it neutral. Example: sharing your password, turning off antivirus or the firewall, etc.

3) Too often, there is NO technology to protect you. When you get that social engineering phone call or the phishing email, there's no voice in the background or popup window warning you to be careful! de nada!

A few responses to your comments....

I think the most important thing here is IF you can enforce policy.

Exactly. People are required to enforce the policies (they write them too).

improve technology, it's the greatest defense and the most reliable of the three varialbes.

No way. Same as above. People create and implement technology. If the people are bad or uninformed, you end up with poor technology. Also, people can render good technology useless---Bruce Schneier constantly warns that you can take good crypto algorithims and implement them in a way that decreases security and results in poor crypto.

Technology is only as reliable as the people who created it (beat that drum, baby!), and even then, they can't cover all the bases, so attackers undermine it.

Security is all about the weakest link. The weakest link in the above is the human element. Social engineering doesn't require high tech skills and works very very well.

The reason social engineering works so well is because THERE IS NO TECHNOLOGY involved! That's why training people is so important. You might say that proves the tech point, but history has shown even when protected by technology, either point #1 or #2 happens, or in spite of technology, the attack succeeds.

Well, i think if your system got hacked it´s 80 % the fault of the admin of the system.
Because if you always update your system,firewall, anti-virus,etc., don´t click on bad links biggrin.gif and choose safe passwords it´s very sure, that you won´t get hacked.

But social engineering bypasses these. IT is not immune to this. Same song, third verse.

People do follow VERY closely, but its something that cannot be controlled, user education maybe, but people in my opinion are a dead option... The more i think of it, its a toss up between them.

you cant control people, but you can control what they do

Invite me to your planet sometime. I envy you! I haven't experienced that at all. While you can change policy and replace technology, the biggest change impact can be had by FIRING PEOPLE. When you fire or discipline someone for not following policy (or whatever), the word spreads and other people are impacted.

When I trash one technology for another or revise a policy, none of the other techs or policies are offended or run for the hills.

THE BIGGEST and CHEAPEST IMPACT ON A BUSINESS can be had by FIRING PEOPLE for doing stupid things. Yes, there's lawsuits, but want to improve compliance and raise moral? FIRE A MORON!

but i can see the other side of the coin, policies and hardware are only defence, people tactics are offence... Using IDS and Policies will only be one step behind the threat, always, whereas controlling the people will allow you to avoid the problem in the first place... Prevention is better than cure

Absolutely! YAHOO!
Well, technology can report intruders and deny them access, but I don't see that as a true offense.

for example just create a page which contains the words "DO NOT ENTER HERE"
and you'll be surprised how many pplz will go there

I clicked the words and nothing happened

The debate ended when I asked my new friend a simple question:

"How come, on the XP box on which you gave the presentation, you didn't have any agents running in the task bar except for PGP?"

"I don't need them," came his reply, as a huge, smile peeked out from my heavily bearded face.

"My point exactly," I said.

Game, set, and scratch........

[beardednose]

A better question might be, rank the above in order of priority. Since none of them can be neglected.

In which case I'd have process following people.

Yes, I agree that it's:

1) People (do you hear that Babs song in the background?)
2) Policy/Process
3) Technology

In the CISSP world, we're taught policy first. Bunk. People CAN be secure without policy. No, it usually doesn't happen. But they're most important. Give me no policy, but security-aware people, and I'll be better off than strong policy in the hands of idiots.

I put policy before technology because people (those folks in addition to my security-aware folks) need to know what to follow. Some people, when told, "Don't do that!" won't. Those that do anyway you can fire or discipline because you have the policy. That's why the policy comes next.

The type of technology also depends on the policy. If IM is allowed, you use that technology, etc.

Finally, both the policies and the technology need to be periodically reviewed by people (review the people too).

I sure hope you've enjoyed this thread and I haven't bored you too much. I'll rest my chops for a while...

[myth]

Give me no policy, but security-aware people, and I'll be better off than strong policy in the hands of idiots.

I think your whole post couldve been summed up there.

I voted policies, because I still think this is the only practical method of controlling the people. I dont care how many times I have to teach people about good practices, they never follow them and get angry when I go bonkas for not following them. Whereas, if I had a decent policy setup, and inforce, this imho is the only way for educating some other less tech savvy people at work.

Which kinda brings me to the other point, if they dont follow policy, fire'em

[as0l0]

beardednose, yep, we are in the same boat