Rake Narang: What are some of the most common but critical mistakes still happening in IT security?
Philip Lieberman: It seems that many IT shops continue to make the same operational mistakes year after year with the same negative consequences.
Many recent serious breaches were the result of the unhealthy and risky practice of removing isolated silos of information and combining them into single large databases which are then connected or accessible to the Internet or via systems that are subject to compromise. The concept of isolated silos of information with their own security and access is a time proven approach to security. Unfortunately, in an attempt to reduce costs and improve convenience, systems that should never have been connected to the Internet, or accessible by systems connected to the Internet, have been compromised -- leading to large and embarrassing data losses. Silos are good and air-gapped silos are sometimes the only way to secure some data. They are inconvenient, but so is the loss to the company of a compromise.
Among these bad behaviors is setting common Superuser and administrator accounts on multiple (or sometimes all) systems to the same never changing password. This Common Credentials Dilemma means that if one machine becomes compromised and its internal password(s) discovered (look up Rainbow Table Attack on a search engine), any common account/passwords can be used to access other systems. This is one of the ways that viruses such as Conficker spread.
Even if there are no issues with Conficker, the existence of common passwords on multiple systems means that any existing or former IT staff member with this knowledge has access to more machines than they need or should have access to. Consider that if there are common credentials and an employee with this knowledge leaves the company, these same never changing credentials mean that they will still have administrator access whenever they want.
Another issue is the use of spreadsheets with passwords that get spread throughout the organization. Typically these passwords never change and there is little to no accountability as to who does what with this information. Anyone who sees one of these passwords typically has unlimited access to do as they wish with the information.
The convenience of spreadsheets and common credentials make it easy for IT to do their jobs, but unfortunately this convenience removes accountability and potentially can lead to mass destruction of systems. Solutions exist to remove common credentials, convert spreadsheet data to a secure and controlled data store, and systems exist to require password checkouts and perform automatic password changes without outages. Unfortunately, many C-level executives don’t implement these systems and allow IT convenience to trump the long term security of the organization so that IT can be more convenient.
Rake Narang: Why does the overall security landscape appear to be getting worse instead of better?
Philip Lieberman: Security has gotten worse due to the perception of management that IT security is a cost center that must be relentlessly cut due to its services being nothing more than generic and fully replaceable by the lowest cost contractor that can be found. This has resulted in IT being a poor place to work and being an even worst career choice for many. This has also translated into the conversion of masses of loyal and knowledgeable employees into contractors that are moved and/or cut resulting in the loss of collective knowledge and wisdom in running IT.
Another disturbing trend has been the cavalier adoption of cloud based solutions with little regard to security by customers and total short shrift by many cloud providers. Cloud providers have hidden behind such inappropriate standards as SAS70 and self-directed audits. Even when such audits are reviewed by customers (and they are rarely read) customers would be shocked to find that the phrase “we conform to industry norms and best practices” actually means "we have nothing in place for security and that is the norm for all of us."
In general, when it comes to security, there are no free lunches and the relentless attempts to reduce costs and embrace the latest silver bullet of cloud based services will lead to even more reduction in security and ever greater consequences. The next great thing in IT to reduce cost, make data available, and applications slick, may be a silver bullet in a gun pointed at the temple of the corporate brain ready to go off at any time.