Security Check List: An Ounce of Prevention is Better than a Pound of Cure

By Wolfgang Kandek

It is a common belief that buying more robust and expensive security products will offer the best protection from computer-based attacks; that ultimately the expenditure pays off by preventing data theft. According to Gartner, more than $50 billion is spent annually on security infrastructure software, hardware and services. The analyst firm expects this number to grow and reach $86 billion by 2016.

With security investments skyrocketing, the number of successful attacks should be decreasing – but it isn’t. That’s the reality. There is no one thing, or even combination of things, that can guarantee you won’t get hacked. However, there are some basic precautions companies can take that can put up enough defenses to make it not worth a hacker’s time and effort to try to break in.

The recent Verizon Business 2013 Data Breach Investigations Report revealed that 78% of initial intrusions were rated as low difficulty and likely could have been avoided if IT administrators had used some intermediate and even simple controls. Using outdated software versions, non-hardened configurations and weak passwords are just a few of the many common mistakes businesses make. These basic precautions are being overlooked, or worse, ignored.

Implement a Security Hygiene Checklist

One of the simplest and most effective ways for companies to improve their defenses is to create and closely adhere to a checklist for basic security hygiene. The Centre for the Protection of National Infrastructure in the UK and the Center for Strategic & International Studies (CSIS) in the US released a list of the top 20 critical security controls for defending against the most common types of attacks. Topping the list are creating an inventory of authorized and unauthorized devices and software, securing configurations for hardware and software, and continuous vulnerability assessment and remediation.

A laundry list of organizations are already using this checklist and seeing results, including the US Department of State, NASA, Goldman Sachs and OfficeMax. The State Department followed the guidelines for 40,000 computers in 280 sites around the world and within the first nine months, it reduced its risk by 90%. In Australia, the defense agency’s Department of Industry, Innovation, Science, Research and Tertiary Education reported that it had eliminated 85% of all incidents and blocked malware it would have missed otherwise, without purchasing additional software or increasing end user restrictions.

My own security precaution checklist includes:

  • Promptly apply security patches for applications and operating systems to keep all software up to date
  • Harden software configurations
  • Curtail admin privileges for users
  • Use 2-factor authentication for remote access services
  • Change default admin passwords
  • Prohibit web surfing with admin accounts

Making it Happen

The hardest part of changing security policies is getting IT administrators on board to drive these initiatives. Because they are already managing heavy workloads, it is important to present the efforts as ways of strengthening existing security measures rather than adding responsibilities. Incentivizing implementation is another effective strategy. Or, you can always remind them that cleaning up after an attack is harder than preventing one, but in case you need more ammunition for motivating IT:

  • Friendly competition: One engineer at NASA boosted participation by awarding badges, points and other merits as if it were a game, giving employees incentive to compete for the highest score.
  • Company-wide report card: The Department of State assigns letter grades based on threat risk for each location, including various aspects of security and compliance. For instance, a lower grade would be given for software that is missing critical patches and for infrequent vulnerability scanning. The report cards are published internally for all locations to see, which again boosts participation through competition and cooperation.
  • Show them the money: The biggest incentive of all would be offering bonuses or time off for quantifiable improvements in security and reduced risk.

While spending money on the latest security product to build bigger and stronger walls may impress the board of directors, it won’t necessarily deter attacks. Ultimately, the goal is to implement fairly basic but often forgotten measures to eliminate opportunistic attacks and discourage hackers who don’t want to waste the time and energy trying to get in. Some renewed attention to the basics can mean the difference between suffering from an attack and repelling one.

As the CTO for Qualys, Wolfgang Kandek is responsible for product direction and all operational aspects of the QualysGuard platform and its infrastructure. Kandek has over 20 years of experience in developing and managing information systems. His focus has been on Unix-based server architectures and application delivery through the internet. Prior to joining Qualys, Kandek was Director of Network Operations at the online music streaming company and at iSyndicate, an internet media syndication company. Earlier in his career, Kandek held a variety of technical positions at EDS, MCI and IBM. Kandek earned both master’s and bachelor’s degrees in computer science from the Technical University of Darmstadt, Germany.

