Hi there. My name is Dmitry. That’s not my real name, but that’s OK. I have more than 10 years of experience in IT Security. I’ve worked for or consulted with many, many large organizations. There are tons and tons of blogs that are dedicated to ‘Security Research’. These blogs, while technically very interesting (to the point of distraction, actually), don’t really help anyone get more secure. Or, if they do help, it’s the raw side of the 80/20 rule (i.e. teaching you to spend 80% of your time solving 20% of the problem). The purpose of my ‘blogging’ is simply to tell the truth about the current state of the Security Industry. Over the course of the next few months, I hope to enlighten at least a few readers into thinking about the difference between perceived security and actual security. So, without further ado:
I ignore XSS bugs. I also ignore most SQL Injection, HTML Injection, header-injection, directory traversal, file upload, and other flaws. In 6 years, the network that I protect has only had two (2) compromises. And, to put things in perspective, the network has 90,000 internal nodes and roughly 400 external IP addresses (DMZ addresses). My budget last year was roughly 3 Million dollars (not a lot, given a staff of 12-15 full timers as well as contractors and part-timers).
You might think that I have a ton of neat toys that keep us safe? Nope. In fact, I don’t have *any* gee-whiz technology. I shun them (more on that later). There is no IPS on my network. I don’t have any software which automatically quarantines worms or trojans. I’m not running host-based anomaly detection. In short, I don’t stay safe by spending millions of dollars on network security equipment and software.
So, maybe I have a crack staff of reverse engineers, TCP/IP ninjas, shellcoders, and vulnerability experts? Nope. The average employee age is 40+. Most of the Security personnel are older IT personnel culled from disparate groups (Mainframes, Rexx programmers, EDI, Sys Admins, HR, Corporate Security, etc.). In short, our technical expertise is probably considerably lower than most other (similar) groups.
Given all this, I’m still not surprised that we have better Security than most other Fortune 100 companies. What’s our ‘magic formula’? It’s easy. We have a strong POLICY and we effectively COMMUNICATE and ENFORCE the policy. This doesn’t mean that we’re policy whores, quoting ISO17799 like it’s the infallible word. We created a policy which matches our business drivers and infrastructure. Period. It works for us. It might not work for any other single company, but it works for us. And, at the end of the day, RESULTS are worth a ton more than INTENTIONS.
In the weeks to come, I hope to enumerate some “Computer Security Fallacies” (TM)…or, commonly accepted methodologies which are inherently prone to failure. To wrap up this Introduction, I’d like to say that if you don’t have a custom POLICY which has been COMMUNICATED and is being ENFORCED, go ahead and stop reading about that XSS flaw which affects maybe 20 users worldwide. Throw away that stack of vendor slicks. Stop sorting your IDS logs. You’re fussing over a scrape on the knee and ignoring a sucking chest wound.