It has made me realize that most of systems security is an illusion. Here are my favorite alternate realities:
1. Everything is safe behind the firewall.
Ever heard of UBFWI—as in User’s Been Fooling With It? While IDS/IPS and firewall technology has improved vastly, there’s nothing like a user with an infected laptop to bring in a lulu.
2. Obscure operating systems never get hit. Hackers only go for the gold with Windows.
Here, let me laugh out loud and roll on the floor. Mine was an obscure server version on an obscure branch of an obscure BSD limb. Listen to the sound of lunch getting eaten: mine. Chomp, chomp, burp.
3. Use bozo port numbers so that nmap bots go away.
Those words were uttered by people who don’t read syslogs.
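To show what those syslogs actually say once a service has been moved to a "bozo" port, here is an added example (not code from the original column): a small parser for netfilter LOG-style lines that counts how many distinct sources still reach the relocated port and which sources swept several ports to find it. The log lines, the host name, the addresses and the choice of port 2222 are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed netfilter (iptables LOG target) lines, not taken from the column.
# Assumption for the example: sshd on this host was moved from 22 to 2222.
SAMPLE_SYSLOG = """\
Mar 12 03:14:07 gw kernel: [1001.1] PROBE IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=53 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 SYN URGP=0
Mar 12 03:14:07 gw kernel: [1001.2] PROBE IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=53 ID=0 DF PROTO=TCP SPT=51235 DPT=2222 WINDOW=65535 SYN URGP=0
Mar 12 03:14:08 gw kernel: [1001.3] PROBE IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=53 ID=0 DF PROTO=TCP SPT=51236 DPT=8080 WINDOW=65535 SYN URGP=0
Mar 12 03:14:08 gw kernel: [1001.4] PROBE IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=53 ID=0 DF PROTO=TCP SPT=51237 DPT=3389 WINDOW=65535 SYN URGP=0
Mar 12 03:15:11 gw kernel: [1062.0] PROBE IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=40022 DPT=2222 WINDOW=29200 SYN URGP=0
Mar 12 03:15:12 gw kernel: [1063.0] PROBE IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=40023 DPT=2222 WINDOW=29200 SYN URGP=0
Mar 12 03:16:02 gw kernel: [1113.0] PROBE IN=eth0 OUT= SRC=192.0.2.14 DST=192.0.2.10 LEN=60 TTL=61 ID=0 DF PROTO=TCP SPT=60001 DPT=2222 WINDOW=64240 SYN URGP=0
Mar 12 03:16:03 gw kernel: [1114.0] PROBE IN=eth0 OUT= SRC=192.0.2.14 DST=192.0.2.10 LEN=60 TTL=61 ID=0 DF PROTO=TCP SPT=60002 DPT=443 WINDOW=64240 SYN URGP=0
Mar 12 03:19:00 gw CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 03:20:45 gw kernel: [1396.0] PROBE IN=eth0 OUT= SRC=10.0.0.8 DST=192.0.2.10 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=53300 DPT=2222 WINDOW=64240 SYN URGP=0
"""

# Pull the fields we care about out of a netfilter LOG line; other lines do not match.
LINE_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, proto, dpt) for a netfilter LOG line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt"))


def sources_per_port(log_text):
    """Map each probed destination port to the set of source addresses that hit it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            src, _proto, dpt = parsed
            hits[dpt].add(src)
    return dict(hits)


def ports_per_source(log_text):
    """Map each source address to the set of destination ports it touched."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            src, _proto, dpt = parsed
            ports[src].add(dpt)
    return dict(ports)


def sweeping_sources(log_text, min_ports=3):
    """Sources that touched at least min_ports distinct ports: the signature of a
    port sweep, which finds a relocated service whatever number it was moved to."""
    return sorted(
        src for src, ports in ports_per_source(log_text).items() if len(ports) >= min_ports
    )


def report(log_text, relocated_port):
    """Human-readable summary of who found the relocated port and who swept for it."""
    hitters = sorted(sources_per_port(log_text).get(relocated_port, ()))
    lines = [
        f"port {relocated_port} reached by {len(hitters)} distinct source(s): "
        + ", ".join(hitters)
    ]
    by_src = ports_per_source(log_text)
    for src in sweeping_sources(log_text):
        lines.append(f"{src} swept {len(by_src[src])} ports: {sorted(by_src[src])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SYSLOG, 2222))
```

The point the numbers make: the relocated port is reached by every probing source within minutes, and the sweep that found it shows up plainly as one address touching a spread of ports. Reading the log, rather than renumbering the service, is what tells you that.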
4. DMZs halt breaches.
Maybe—that is, if there’s no smoking crater where your DMZ used to be.
5. Security certificates are all you need.
Stick that in your SHA-1 hash pipe and smoke it. Limp linguini is still limp linguini. Face it. I’ll bet there’s some of that linguini in that fortress of yours.
6. One safe copy of the keys is all you need.
That is, until the machine is stolen, or won’t boot, or has no backup, or was encrypted with a key no one can find.
7. Test? What could go wrong?
I’m not going to go there.
8. We don’t need no stinking docs and backup copies of non-existent docs.
Docs take time, organizational skills, and staying off Facebook, Reddit and Twitter. Then you have to make copies and treat them like the most valuable piece of your DR plans.
9. Mobile Device Management (MDM) will keep BYOD problems away.
It’s true that if you’re diligent, good at configuration, read the logs, do the setup work correctly, then monitor it tenaciously, your organization can reap great benefits from MDM and Mobile Application Management (MAM). None of the ones I’ve reviewed were perfect, and some went a long way towards thinking things through—the benefit of the scar tissue that experience leaves as a reminder. Unattended, they’re a mess, and they carry ongoing deployment, personnel and monitoring costs. It’s not a panacea, but it can help.
10. Nobody has time for training.
And those will be my parting words for this week.