February 17

Do as I Say, Not as I Do

By Andrew Hay

Laptop MegaphoneSecurity professionals have a duty to promote security in the enterprise. In fact, most professionals take on the role of a “security herald” for their organization or customer quite seriously. At the end of the day, however, many practitioners pack up their things, make their way home, and completely throw all of their beliefs out the window. 

“There are no exceptions to the rule that everybody likes to be an exception to the rule.” – Charles Osgood

The sad and unfortunate truth is that security professionals do not always practice what they preach. Think about it for a minute. Do you employ best practice password retention and complexity requirements on your home computers with the same zeal that you promote while on the job? How often do you change the passwords on your, and your families, systems? You might backup your sensitive files but do you ever perform data restoration exercises to ensure the integrity of your backup and restore procedures?

I’m willing to be that most of the people reading this article are thinking “Sure I relax a bit at home but my systems aren’t as threatened as those at my customers or organization“. Well guess what? You’ve just argued the same point that every security professional has had to argue with their customers or business decision makers at one time or another. The only difference is that the statement usually goes something like “Well those passwords are too complex to remember…” or “Well I just changed my password last month and I’m running out of ideas for new passwords…” or, my personal favorite, “Well our backups have never failed before…

“The internet is a great way to get on the net.” – Bob Dole

 The fact of the matter is people don’t think that they are as susceptible to threats as the next person, and we security professionals are some of the worst offenders on the Internet today. We expect our words to be headed but fail to practice what we preach on a day-to-day basis. Here is a fantastic real life example. Your organization leverages a proxy server that is deployed to protect all employees from malicious scripts and inappropriate content on the Internet. The company policies and procedures all dictate that anyone who requires a connection to the Internet is forced to pass through this proxy. You, as the all-knowing security professional, decide that the proxy server, although a fantastic technical control for the average user, is too much of a hindrance to your daily surfing. With a few clicks you white list all sites for your machine, or in your infinite wisdom, completely bypass the proxy entirely for a straight unhindered connection to the glorious Internet. Those of you who have a “sweet setup” such as this are probably thinking, “W

hat’s the problem with that? I don’t need the proxy to protect me from the evil tubes!

 “How glorious it is – and also how painful – to be an exception.” – Alfred De Musset

First and foremost, congratulations on being the best Internet user in your own mind. Secondly, weren’t those policies and procedures created to encompass all users of your network and not just the “special few”? Sidesteps of this nature diminish the purpose of security programs in th

e first place. In order for a security program to be effective it MUST apply to all users in the infrastructure without exceptions.

“An idea is worth nothing if it has no champion” – Anonymous

The next time you feel hindered by a security control, take a step back, think about why controls are in place, and think how you would feel if you knew another user was violating the security policies that you champion.


You may also like

Are you using frameworks properly?

Leadership and communication are actually layers, not levels

  1. At first blush I became a bit indignant but I then realized I do practice what I preach… in fact, we have instituted rigorous change control to the point where there can be no exceptions without going through an exception process. Every change that is to be completed is run through a series of approvals and is compared to existing policy. In addition, we regularly audit configurations looking for exactly the kind of end-around configurations you describe (and yes, we do find them).

    I guess the moral of my long-winded reply is that with a good security policy, proper CM and audit we can “eat our own dog food” by setting up checks and balances (watchers for the watchers if you will).

  2. I like what you have to say and agree with many of your points. However, I believe you’re mixing two different concepts in order to make your points: 1) security pros in the work vs home environment and 2) how others react to security controls/policies.

    Regarding 1) security pros are people just like anybody else and have to manage their own time/lives given the risk environment. Indeed, it means that home security practices are not as thorough as they are at work. But I would argue that this is just the way it should be. At work, you are paid for your time (and your security input), presumably to help the business in its profitable endeavors. At home, you are primarily liable only to yourself and your family for food & shelter. If your spouse or your family could pay your security salary to monitor and enforce enterprise-class controls at home, why would you go to work at all. The level of security needed at home cannot be the same as required at work as both the risks and the users are vastly different.

    Regarding 2) security pros are people just like anybody else and have to lead the way by acting within the confines of well established security parameters (i.e. policies). Of course, as you pointed out, if those parameters are too strict, you will often find that the IT and/or security folks grant themselves shortcuts which potentially weaken security of the entire organization.

    As a faculty member, I have the unique privilege of being able to shape young minds by providing insights into security best practices. However, I never pass an opportunity to cover the meaning of good governance and the necessity for balanced security controls that work for everyone, including IT.

  3. Great post and some well pointed insights.

    There is another element that people often forget in this type of argument. If an attacker is to select your organisation as a potential target they very often take a holistic approach to how they plan their attack. Attackers like water will always take the path of least resistance. It does not take much effort to identify key personnel within an organisation, e.g. CEO, CIO, CSO, IT staff etc. Targetting these individuals’ home PCs can provide very rich pickings;
    How many of the above people work on corporate data on their home PCs?
    How many of the above people use different passwords for personal and work use?
    How many of the above people have VPN connectivity to the corporate LAN form their home PC?

    So I would argue that as information security professionals we have a duty of care to ourselves and our families sensitive information, and to our employers to be always “switched on”.

    As Thomas Jefferson said “The price of freedom is eternal vigilance”

  4. I have seen this a lot with my colleagues. Thankfully, I can say for the most part that I practice what I preach at home. But since it’s my IT environment I get to make the rules. And if I deem something to be unnecessary then I don’t lose any sleep over it.

  5. True…. take this simple test: Do you use your all powerful admin level account on your laptops to do everything from browsing blackhat to reading emails. Are you using it now? I understand real pros regularly spend their time rebuilding their lab PC, but the rest of us…..

Comments are closed.
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!