Overheard (while walking the floor at RSA): Cybersecurity is about risk discovery, prevention, and mitigation. Manage all of the impending threats and you’re good.
Well, reality begs a different perspective. Given the ever-increasing enterprise asset inventory, the multitude of attack vectors that an organization is exposed to and the hyper-dimensional nature of the attack surface, where do you even start? On March 30, Dr. Anton Chuvakin (@anton_chuvakin) launched a Twitter discussion that asked InfoSec contributors to “name your favorite security advice that is correct in theory but practically not done or not even doable.”
Name your favorite security advice that is correct in theory but practically not done or not even doable? "Encrypt everything", "patch fast", "classify all your data", "know your environment well", etc. #fun— Dr. Anton Chuvakin (@anton_chuvakin) March 30, 2020
Clearly a topic of interest, it has sparked almost 230 comments so far. Here is a sampling of some of the “good but impractical” and “downright impossible” solutions being debated on this Twitter thread.
Always, Never, Nothing, Everything
Global statements like these can be aspirational and effective at making key points, but they’re not really practical as real-world goals. And there were a lot of such examples being shared.
- Everyone owns security.
- Secure everything; trust nothing.
- Don’t click on anything.
- Automate everything.
- Stay offline.
- Keep complete and accurate inventories
- Know all your assets.
- Write secure code.
- Keep all your current applications.
- Patch fast, patch everything.
- Quantify all your risks.
- Only use complex and unique passwords, not written down anywhere.
Here’s what security professionals working in the trenches have to say:
Don’t Click on Anything
“S**t, just clicked Like.”
“Which most users will do automatically when visiting a new website and get the popup which says, ‘Accept Cookies’ … only there is something bad lurking behind that button.”
“Verify the URL, every time. Thousands of times, everyday!
“Complex passwords. Perfect theory until it meets the reality of how attacks work and how users work.”
“One pet peeve of mine is ‘inventory everything.’ That’s fine for assets but is that covering software? All executable code? Plugins/addons/extensions within apps? 0-trust?”
“In my opinion, not possible and may not be really necessary”
“The problem with this is it’s actually necessary, but not really possible :)”
Educate the average user on best practices. Will never work. If we want to improve security, we need to implement controls that protect users from themselves.
Secure All Computers
“The only secure computer is off in a physically secure faraday cage. Not untrue but still not helpful.
Principle of Least Privilege
“It has been suggested by a good half a dozen people so far. I wonder what makes this one of the top contenders for the “good-but-useless’ prize?”
“I agree with you, that does make it a top contender.”
Design for Security Up Front
“Is design for security a ‘practically not done’ and/or ‘not even doable’ and why?”
“More the former than the latter. Most devs aren’t trained to think about security until a vulnerability drops. And in the battle between new features and security, new features usually win.”
“I mean, if ransomware has shown us anything it's that encrypt everything is pretty easy. Decrypt everything not so much.”
In the words of one of the commenters, “I gotta say, I'm reading some of these that I've done. Fact is that security engineering takes a lot of imagination and coordination with systems and network teams who are competent. I think the problems people have with these are business relationship, not technology.”
Another commenter agrees, “Not doable to what degree? Can’t think of advice that would not be worth doing to some degree. Absolutes suck. Do things to a level until cost of going further outweighs the benefit. Then do something else. Keep picking those low hanging fruits!
The bottom line? There’s plenty of security advice out there. However, absolutes like (never, always...) need to be aspirational and not taken literally. Security strategies and controls need to fit the way organizations and people work.
Generalizations need to make way for specific security practices that are reasonable and doable. Start with low hanging fruit and move up from there. Understand what your current security posture is, where the gaps are, and where you need it to be. And then fine-tune your security program and move towards transforming your security posture and increasing cyber-resilience.