The Evil Within: Security Practices That Destroy From the Inside

There’s a lot of talk in the security space about what we aren’t doing. The release of hacks and zero-days is constant, calling out vulnerabilities that need to be addressed to hold off the end of the world. A news story is released almost every day about how some shadowy, nefarious force is out to get our data (bonus points for stock footage of guys in hoodies with scrolling code). On the other hand, there’s always some new, shiny box or piece of software that promises to solve all these problems. Especially if we buy two, and sign on to a support contract which includes help desk heroes to battle our villains.

What we are doing as a result may be as bad as any hack. Instead of guys in hoodies becoming our villains, our security staff, budgets, or even our own employees become the evil we fight. These practices cause work to grind to a halt, budgets to run rampant, and timelines to crumble to dust. They cause our organizations (and/or our lives) to become either paralyzed with fear of being targets, or panicked in an effort to keep up with the endless tide of malware, APTs, ransomware, and other threats. By becoming aware of these problems we can work to correct them before they cause so much damage that the real bad guys don’t even need to do any work.

The Cult of Compliance

Compliance checklists are definitely important, with standards such as those established by PCI, NIST, and others forming a sound basis for what a security posture should look like. Yet, all too often we look to these checklists as a sort of “cure all” for our security woes. If we somehow meet every step and check off every last little box, we are sure to be invulnerable. We complete the checklist and announce proudly “Our environment is secure!”. At some point the goal becomes to complete the checklist at all costs, and it is here that the Cult of Compliance is established.

Instead of looking into exactly how we complete a checklist, we get caught up in checking boxes. Scenarios like these become common:

  • Does this even connect to the network? “Who cares?! Lock it down.”
  • The IT team is small. “They better have separate credentials for everything! Wouldn’t want the bad guys getting access!”
  • Does the organization have layered alarms, security guards, and inventory control systems? “That doesn’t matter! Better put locks on those servers.”
  • Are the locks defeated with ease? “They exist! We’re compliant.”

The first scenario accomplishes nothing more than making the job of on-site administrators more difficult, while doing little to actually defend against physical access. The second will often lead to admins reusing credentials to make their day-to-day life easier, defeating the purpose of separate logins. The last two result in potentially redundant expenses: locks are good, but they don’t do much against an attacker capable of getting past all those other layers of physical security. Checklists are great, but their intent must be followed, or they might impact operations for little or no actual gain at the end of an expensive process.


[Image: Does your path to security start like this?]

Impossible Security, or “Why Bother?”

In the opposite camp from the Cult of Compliance, some organizations see security as an impossible task. The plethora of requirements needed to approach compliance is a daunting mountain to tackle with small budgets, or in the face of rapid-fire development timelines. Thus, we give security a lower priority. Tasks that would be simple to complete if given some thought fall by the wayside, or potential alternative means of security are ignored.


  • Weak passwords/lack of multi-factor authentication. “This 6 character logon is only known by our devs.” “Our users can’t be bothered to input a second code to log in.”
  • Lack of backups/redundancy or load testing. “Why do we need to buy more than one of these?” “Our system works well enough. Get it in production!”
  • Checking for unintended functionality. “This meets customer requirements. Send it!” “Who would want to put anything other than a number in this box?”

These scenarios leave systems open to plenty of different problems: brute force password attacks, command injections, or even a simple power outage! Such scenarios can be avoided by placing the focus not on what remains to be done to obtain a secure or stable system, but on what could already be in place.


The Job is Done, or “We’ve already got one!”

Overconfidence is a slow and insidious killer. Having a functioning system, or purchasing a product made to do a particular function can lead to a false sense that the task of handling a given problem is over.


  • Does our system have antivirus? “That must mean we’re protected from malware.”
  • Do we have backups? “There’s no need to worry about losing our data.”
  • We passed our security audit! “That must mean we are secure.”
  • Our system can do that, right? “Why would we invest in dedicated solutions?”

Software such as an antivirus system must be updated to protect against new threats. Operating systems and other applications that are out of date risk the exploitation of a known bug. The most problematic of these scenarios could be when included functions are used to cover more than they were intended for. This can result in an eventual breakdown of the supported function, and not usually at a convenient time for a production environment.


As a prime example, a client once declined a dedicated virtual server management solution in favor of using an on-board manager because it was cheaper. While this worked fine for the first couple of months, the environment was quick to outgrow the capabilities of the manager. As the system struggled to cope with more data and active applications than it could handle, entire critical functions became unstable. Maintenance man-hours increased a hundredfold, and they frantically purchased new hardware to try and force the square peg they had created into an appropriate circular hole. From a security standpoint they had done more financial damage than any attacker could in years.


[Image: Put it all in the Cloud, right?]

Head in the Cloud(s)

With the rise of cloud computing the next big trend has been to move part or all of an organization’s IT functions to somewhere offsite. This has several benefits, of course, including an up-front investment that is often smaller than purchasing hardware, increased disaster recovery functions and more! Where this can become an issue is when functions moved to the Cloud are simply activated or utilized, and then forgotten. The security of these functions is often taken for granted and we need only look to information breaches in the past year for two prime examples:


  • Capital One, July 2019 – 100 million records – Amazon Web Services
  • Facebook, April 2019 – 540 million records – Amazon Web Services

In both cases applications hosted by Amazon had information stolen from them through relatively simple means. The hosting servers themselves were secure, but the compromised applications allowed access to sensitive customer data with little or no authentication to stand in the way.


Everyone is Snowden

Especially in the U.S., the leaks of NSA information by Edward Snowden brought into sharp focus the threat that someone inside an organization might pose to its security, digital or otherwise. A disgruntled employee or rogue system administrator has the potential to cause absolute chaos if not properly kept in check. If these checks are taken to extremes, they risk generating massive amounts of procedural overhead for an organization. Staff performing otherwise simple tasks find their workloads ballooning as they must pass one security check after another. Jobs that typically would require minimal staff grow exponentially as a separation of responsibilities means more and more people need to be involved at each step.


If the friction becomes too great it can actually lead to the creation of insider threats. Professionals who find their work questioned at every turn become understandably frustrated with the bureaucracy. Employees who are treated as threats, after all, are unlikely to appreciate the sentiment that they should protect company data from themselves. People also tend to be lazy, and if something is too much of a hindrance a work-around will be found, if nothing else as a way to preserve sanity. To prevent falling into this situation an organization’s security posture should be carefully examined for sources of this kind of friction. Security is important, but security that only gets in the way of the job getting done won’t remain intact for long.


Translated from: https://medium.com/swlh/the-evil-within-security-practices-that-destroy-from-the-inside-beb32423d844
