Security threats and countermeasures
All too often as an Infrastructure Architect I found myself subject to lobbying by security professionals and product vendors to provide ever stronger security countermeasures in my solutions. Inevitably these countermeasures had a detrimental effect on end user experience, so I was always keen to see evidence of the types and level of threat that could be fed into a risk assessment. Unfortunately I rarely got to see this threat analysis, and almost never saw it in a form that would allow me to do a meaningful risk analysis, so I was often in the uneasy position of following “policies” rather than doing analysis. I was never happy that the policies had a good risk analysis to support them either. So it’s nice once in a while to come across an article that includes some description of the threat.
To give you some idea as to why I worry about the automatic application of policy as a substitute for analysis, here are a few of my personal experiences:
- I have only ever had one virus in my 20 years of using computers, and I would not describe myself as risk averse in my usage.
- That virus was the result of a network attack from a device on my company's network on a virtual machine that was in the process of downloading its first set of security patches from Microsoft Windows Update.
- I don’t get very much spam.
- The spyware tools on my PCs have only ever found false positives.
- I have always felt that the biggest security risk by orders of magnitude on a reasonably secure corporate network is people leaving a company to go and work for a competitor, combined with a USB mass storage device like an iPod.
- The next biggest security risk is a wireless access point hidden under a desk or similar, and rarely ever detected.
- The biggest virus outbreaks I have seen have always bypassed all of the specialist defensive tools, but all could have been stopped by a combination of software execution restriction policies in XP, the ability to rapidly deploy simple agents to every PC, the ability to immediately make all network drives read-only, and the presence of a local firewall on all PCs and servers. These are all general-purpose tools to have in the kit bag.
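The general-purpose controls in the last point (a default-deny software restriction policy, a local firewall on every host, and the ability to make shared drives read-only at short notice) can be audited before an outbreak rather than discovered missing during one. The script below is an added example and not part of the original post. It assumes a Windows 8 / Server 2012 or later host where the `NetSecurity` and `SmbShare` PowerShell modules exist; the Software Restriction Policy registry key it reads is the one XP-era SRP used. It only reports and changes nothing.

```powershell
# Added example: report on the general-purpose controls named in the post.
# Assumes Windows 8 / Server 2012 or later; run in an elevated PowerShell.
# Read-only audit: nothing here modifies policy, firewall or share settings.

function Get-SrpStatus {
    # Software Restriction Policies keep their default rule under this key (unchanged since XP).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Control = 'SRP'; State = 'Not configured'; Ok = $false }
    }
    $level = (Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    # A missing DefaultLevel means the policy default, which is Unrestricted.
    if ($null -eq $level) { $level = 0x40000 }
    # 0 = Disallowed (default-deny), 0x1000 = Basic User, 0x40000 = Unrestricted
    $state = switch ($level) {
        0       { 'Disallowed (default-deny)' }
        0x1000  { 'Basic User' }
        0x40000 { 'Unrestricted' }
        default { "Unknown ($level)" }
    }
    [pscustomobject]@{ Control = 'SRP'; State = $state; Ok = ($level -eq 0) }
}

function Get-FirewallStatus {
    # One row per profile (Domain, Private, Public); a disabled profile is the gap to flag.
    Get-NetFirewallProfile | ForEach-Object {
        $enabled = ($_.Enabled -eq 'True')
        [pscustomobject]@{
            Control = "Firewall ($($_.Name))"
            State   = if ($enabled) { 'Enabled' } else { 'Disabled' }
            Ok      = $enabled
        }
    }
}

function Get-WritableShares {
    # On a file server: which non-administrative shares still grant Change or Full?
    # Dropping these to Read during an outbreak is the "make all drives read-only" step.
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
        $writers = Get-SmbShareAccess -Name $_.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Change', 'Full' }
        [pscustomobject]@{
            Control = "Share $($_.Name)"
            State   = if ($writers) { 'Writable by: ' + ($writers.AccountName -join ', ') } else { 'Read-only' }
            Ok      = (-not $writers)
        }
    }
}

$report = @(Get-SrpStatus) + @(Get-FirewallStatus) + @(Get-WritableShares)
$report | Format-Table -AutoSize

# A non-zero exit code lets a simple deployment agent collect "which hosts still have a gap".
if ($report | Where-Object { -not $_.Ok }) { exit 1 } else { exit 0 }
```

Because the script exits non-zero whenever any control is missing, it is the kind of small agent the post describes pushing to every PC: run it from a management tool, gather the exit codes, and you have an inventory of hosts that would not be protected when the next outbreak arrives.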