Do as I Say, Not as I Do
By Andrew Hay
Security professionals have a duty to promote security in the enterprise. In fact, most professionals take on the role of a “security herald” for their organization or customer quite seriously. At the end of the day, however, many practitioners pack up their things, make their way home, and completely throw all of their beliefs out the window.
“There are no exceptions to the rule that everybody likes to be an exception to the rule.” – Charles Osgood
The sad and unfortunate truth is that security professionals do not always practice what they preach. Think about it for a minute. Do you employ best-practice password retention and complexity requirements on your home computers with the same zeal that you promote while on the job? How often do you change the passwords on your, and your family's, systems? You might back up your sensitive files, but do you ever perform data restoration exercises to ensure the integrity of your backup and restore procedures?
I’m willing to bet that most of the people reading this article are thinking “Sure, I relax a bit at home, but my systems aren’t as threatened as those at my customers or organization.” Well, guess what? You’ve just argued the same point that every security professional has had to argue with their customers or business decision makers at one time or another. The only difference is that the statement usually goes something like “Well, those passwords are too complex to remember…” or “Well, I just changed my password last month and I’m running out of ideas for new passwords…” or, my personal favorite, “Well, our backups have never failed before…”
“The internet is a great way to get on the net.” – Bob Dole
The fact of the matter is people don’t think that they are as susceptible to threats as the next person, and we security professionals are some of the worst offenders on the Internet today. We expect our words to be heeded but fail to practice what we preach on a day-to-day basis. Here is a fantastic real-life example. Your organization leverages a proxy server that is deployed to protect all employees from malicious scripts and inappropriate content on the Internet. The company policies and procedures all dictate that anyone who requires a connection to the Internet is forced to pass through this proxy. You, as the all-knowing security professional, decide that the proxy server, although a fantastic technical control for the average user, is too much of a hindrance to your daily surfing. With a few clicks you whitelist all sites for your machine or, in your infinite wisdom, completely bypass the proxy entirely for a straight, unhindered connection to the glorious Internet. Those of you who have a “sweet setup” such as this are probably thinking, “What’s the problem with that? I don’t need the proxy to protect me from the evil tubes!”
“How glorious it is – and also how painful – to be an exception.” – Alfred De Musset
First and foremost, congratulations on being the best Internet user in your own mind. Secondly, weren’t those policies and procedures created to encompass all users of your network and not just the “special few”? Sidesteps of this nature diminish the purpose of security programs in the first place. In order for a security program to be effective, it MUST apply to all users in the infrastructure without exceptions.
“An idea is worth nothing if it has no champion.” – Anonymous
The next time you feel hindered by a security control, take a step back, think about why controls are in place, and think how you would feel if you knew another user was violating the security policies that you champion.