
Is being a "good" security person really more involved than:

* making sure you have all your ports locked down

* limit connectivity between all instances to only the bare minimum

* any public access is via protocols such as ssh which have zero-to-none vulnerabilities

* any 3rd party software you don't know is secure should never be public

* routinely run employee training on how not to let themselves get hacked via social engineering

I'm sure I'm missing other stuff, but I feel like if you follow these "best practices", you have just made yourself a very hard target and hackers will probably skip over you unless they have some weird reason to target your org specifically. So for 95% of companies out there, this level of security should be sufficient.

I'm legitimately asking - is this sufficient? Or are hackers so creative that even following these basic rules will still not make you a hard target?

This stuff seems fairly easy to do but I agree you need training or an info-sec person making sure your dev teams are doing it all. You can't have any slip-ups. Your devs / managers have to take it seriously.




Yes, it is a lot more involved.

In particular, "routinely run training" might reduce the probability of a breach due to social engineering, but it probably won't.

You also didn't really cover client machine security, which is how compromises often happen. Your awesome security isn't worth much if the admin's machine is compromised.

Your employees need to use computers to do their job. As part of that, they will need to browse the web, which they will do with one of the major browsers. This browser has unknown 0-day vulnerabilities. Whatever security measures you implement must not disrupt business.

They may also need to plug in USB drives. These can come with malware. Whatever security measures you implement must not disrupt business.

They may also need to open documents, possibly with macros. Whatever security measures you implement must not disrupt business.

Your "basic rules" will at best prevent the - still extremely common - social engineering based attacks, but they still won't reliably keep an attacker out of your network. The attacker will compromise a random person, find some company-wide writeable shared network drive (that you didn't even know about) where a team shares their executables, replace one of those, compromise more machines, escalate to domain admin credentials through one of the many ways that exist, then use your own fleet management system to push their backdoor to your entire fleet.

For good security, you need for example:

- an overview of what assets (computers etc.) you actually have

- a decent way to manage these assets

- monitoring so you can hopefully detect when (not if) a compromise happens

- many layers of defense in depth that slow down attackers and limit what they can do once they've compromised one part of your company

- technical barriers to prevent social engineering attacks (binary whitelisting, strong multi-factor authentication)

- protection against insider risks

- physical security

and that's just a few things that popped into my head, the actual list would probably not fit whatever post length limits HN has. And of course all of this needs to be implemented with the limited budget the company is willing to give you, without disrupting the business, etc.
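An added example, not code from any commenter in this thread, illustrating the "replace an executable on a writeable share" path described above and the "binary whitelisting" control from the list: a hash allowlist is recorded for executables on a share, then an audit flags changed or unknown binaries and world-writable directories that hold them. The share layout, file names and contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile

# File suffixes treated as executable content worth allowlisting (assumption).
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".sh")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(share_root):
    """Record the SHA-256 of every executable-looking file under the share."""
    allow = {}
    for dirpath, _, files in os.walk(share_root):
        for name in files:
            if name.lower().endswith(EXEC_SUFFIXES):
                p = os.path.join(dirpath, name)
                allow[os.path.relpath(p, share_root)] = sha256_of(p)
    return allow

def audit(share_root, allow):
    """Return sorted findings: hash mismatches, unknown/missing executables,
    and world-writable directories that contain executables."""
    findings = set()
    current = baseline(share_root)
    for rel, digest in current.items():
        if rel not in allow:
            findings.add(("unknown_executable", rel))
        elif allow[rel] != digest:
            findings.add(("hash_mismatch", rel))
        d = os.path.dirname(os.path.join(share_root, rel))
        if os.stat(d).st_mode & stat.S_IWOTH:
            findings.add(("world_writable_dir", os.path.relpath(d, share_root)))
    for rel in allow:
        if rel not in current:
            findings.add(("missing_executable", rel))
    return sorted(findings)

def demo():
    """Constructed share: a team tool directory nobody locked down, baselined,
    then its deploy binary is swapped out the way the comment describes."""
    root = tempfile.mkdtemp()
    tools = os.path.join(root, "team-tools")
    os.makedirs(tools)
    os.chmod(tools, 0o777)  # the writeable-share-nobody-knew-about case
    exe = os.path.join(tools, "deploy.exe")
    with open(exe, "wb") as f:
        f.write(b"legit-binary")           # constructed placeholder content
    allow = baseline(root)
    with open(exe, "wb") as f:
        f.write(b"trojaned-binary")        # constructed replacement content
    return audit(root, allow)
```

Run periodically against a real share, the mismatch and world-writable findings are the signal to investigate before the swapped binary spreads further.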


Thanks for the great response! Very informative. I assumed I was way simplifying the problem. It seems like what works for my small remote only startup is not even close to what you need for a large in-person org running who-knows-what software.


I'm sorry, but this just doesn't work in the real-world.

As the "security guy", you're seen as the troll under the bridge. Someone to get past via any means necessary, including lying.

But let's say you get your way.

"making sure you have all your ports locked down"

You can't imagine how much work this actually is on a network with 1,000+ servers running at least 10,000 distinct pieces of software. Most of which don't document their firewall requirements.

Oh, did you know that Active Directory domain controllers -- the single most valuable attack targets -- require essentially all ports open to all computers on the network?

What is your firewall going to do when all modern software communication is over HTTPS and "looks the same"?

How are you going to firewall off just one modern server with 200 Gbps Ethernet? Do you have any idea how much you'd have to spend with CheckPoint or Juniper or Cisco or whomever to do that?

"limit connectivity between all instances to only the bare minimum"

That lasts right up to the point that the shouty guy in finance that talks directly to the CxOs wants PowerBI on his desktop to be able to pull in data directly from all the databases. Did I say desktop? I meant a laptop on unencrypted airport WiFi.

"any public access is via protocols such as ssh which have zero-to-none vulnerabilities"

You don't get to choose the software. Windows doesn't use SSH for anything, and can't be made to.

Also, if you know anything about ransomware attacks, you would know that protocol encryption does nothing to even slow them down. If anything, it makes detecting attacks harder!

"routinely run employee training on how not to let themselves get hacked via social engineering"

Meet Mr Bell's Curve, and its unavoidable left hand side. Some people are just incorrigibly stupid and will routinely fall for phishing attacks, no matter how much training they receive. At any large corporation -- the type worth ransoming -- these people are inevitable. You, Mr Security Person, don't work in HR and don't make hiring and firing decisions.

"I'm sure I'm missing other stuff"

You're missing the fundamentals of the problem, which is that as a security guy:

- You must come up with security solutions that work in the face of morons.

- You must be able to secure software written by morons with no interest in, or ability to write secure code.

- You must do this without impacting the business in any material way, because if you stand in the way of anyone more senior than you -- even once -- you'll never be listened to again.

"Or are hackers so creative that even following these basic rules will still not make you a hard target?"

Currently, for any large org above about 1K staff, security against targeted attacks is basically impossible. Certainly not financially viable. Your competition will not spend the money, make more profit, pay out the ransom, and come out ahead of you.

