Saturday, July 10, 2010

Give 'em enough rope

I mentioned on Twitter that, having worked in relatively unrestricted environments (higher ed), in highly restricted environments (banking) and in between, in my experience those environments with more draconian policies have better security.

No sooner had I hit "Send" than I realized I should have also said "controls", because policies by themselves are pretty lousy security controls.

Since Twitter is less than ideal for elaborating on, well, much of anything, let me explain what I mean, for those who may not agree.

Most of my work in information security has been in the incident response and forensics space, with a few years in application security -- I'm a recovering developer.

During my time in higher ed, most users ran as admin and could install whatever they wanted, whenever they wanted. They could browse to any web site of their choosing. This is the "give 'em enough rope" approach to information security. The problem is that this doesn't just lead to the users hanging themselves. Shops operating in this manner are giving their employees enough rope to hang the entire organization.

During my tenure in the financial sector, few people ran as admin, application whitelisting was in effect for most people and web content filtering kept most people from browsing to known-malicious or "inappropriate" domains.

The results of these two disparate approaches were striking. Higher ed was an incident responder/forensic investigator's dream job, as there was never a shortage of interesting work. By contrast, the bank didn't have any full-time incident response and forensics folks. During my two years at the bank, we had fewer than a handful of issues, and they were all drive-by downloads from rogue advertisements on mainstream web sites.

I believe most organizations could greatly improve their security and reduce costs by taking away internet access for those employees that don't need it and greatly restricting internet access for those who do need it. It's unpopular, it's draconian, but it works.

Don't let your users run as admin. I can't believe we're still seeing this as much as we are. If you have some users who need admin access, give them separate accounts to use when they need that level of access.

Whitelisting. It sucks. It's a horrible pain for the users and for those who have to maintain it. Before I worked in an environment that used it, I dismissed it completely. But as much as it sucks and is painful to implement and maintain, it will reduce the number of security incidents that you have to deal with. Note: if you take away your users' admin rights, you may not need whitelisting.
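A toy model of the two controls just described (taking away admin rights, and application whitelisting), added here as an illustration; it is not code from this post or from any whitelisting product. It follows the usual design of path rules only for directories that standard users cannot write to (the idea behind, for example, AppLocker's default rules) plus hash rules for individually approved binaries, which is why removing admin rights does so much of the work: a path rule on a directory the user can write to allows whatever the user drops there. The policy, directories, users and file contents are all constructed.

```python
"""Toy model of application allowlisting and its dependence on admin rights.

Constructed example: the policy, users, paths and file bytes are made up.
Path rules are only meaningful for directories that standard users cannot
write to; hash rules cover the individually approved exceptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
import hashlib

# Directories standard (non-admin) users cannot write to on a typical Windows
# build. If users could drop files here, a path rule would allow whatever they drop.
ADMIN_ONLY_DIRS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


@dataclass(frozen=True)
class Policy:
    path_allow: tuple           # directories from which any binary may run
    hash_allow: frozenset       # sha256 hex digests of individually approved binaries


@dataclass(frozen=True)
class ExecEvent:
    user: str
    is_admin: bool              # the everyday account holds local admin rights
    path: str
    content: bytes              # stand-in for the executable's bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def under(path: PureWindowsPath, directory: PureWindowsPath) -> bool:
    """Case-insensitive test that path is directory or lies beneath it."""
    p = [c.lower() for c in path.parts]
    d = [c.lower() for c in directory.parts]
    return p[:len(d)] == d


def decide(policy: Policy, event: ExecEvent) -> tuple:
    """Return ('allow' | 'deny', reason) for one execution attempt."""
    digest = sha256(event.content)
    if digest in policy.hash_allow:
        return "allow", f"hash rule: {digest[:12]}"
    path = PureWindowsPath(event.path)
    for directory in policy.path_allow:
        if under(path, directory):
            if event.is_admin:
                # An admin can write into an admin-only directory, so the path
                # rule no longer proves that IT installed the binary; say so.
                return "allow", f"path rule: {directory} (admin user; rule gives no assurance)"
            return "allow", f"path rule: {directory}"
    return "deny", "no matching rule"


def audit_policy(policy: Policy) -> list:
    """Maintainer check: a path rule on a user-writable directory is a finding."""
    findings = []
    for directory in policy.path_allow:
        if not any(under(directory, d) for d in ADMIN_ONLY_DIRS):
            findings.append(f"path rule {directory} covers a directory standard users can write to")
    return findings


# Constructed policy: one sound path rule, one mistaken path rule, one hash rule.
POLICY = Policy(
    path_allow=(PureWindowsPath(r"C:\Program Files"),
                PureWindowsPath(r"C:\Users\Public\Tools")),
    hash_allow=frozenset({sha256(b"approved line-of-business tool")}),
)

# Constructed execution attempts.
EVENTS = [
    ExecEvent("alice", False, r"C:\Program Files\Vendor\app.exe", b"vendor app installed by IT"),
    ExecEvent("alice", False, r"C:\Users\alice\Downloads\setup.exe", b"something from the web"),
    ExecEvent("bob", False, r"C:\Users\bob\Desktop\tool.exe", b"approved line-of-business tool"),
    ExecEvent("carol", True, r"C:\Program Files\Whatever\x.exe", b"self-installed by an admin user"),
]


def run_demo() -> list:
    """Decide every constructed event; returns (user, verdict, reason) rows."""
    return [(e.user, *decide(POLICY, e)) for e in EVENTS]


if __name__ == "__main__":
    for row in run_demo():
        print(*row, sep=" | ")
    for finding in audit_policy(POLICY):
        print("FINDING:", finding)
```

The `audit_policy` check is the part a maintainer wants: the mistaken rule on `C:\Users\Public\Tools` is exactly the kind of exception that creeps into a whitelist over time and quietly undoes it, and the verdict for the admin user shows why the path rule stops meaning anything once the everyday account can write into the allowed directory.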

I've said almost nothing of application security, but this is another area where more restriction leads to greater security. Limit your developers' access to production environments, and don't let them adopt new technologies/frameworks/libraries without first taking the time to review the security of those technologies. Don't let devs move forward on projects until threat models have been developed and threats have been addressed. Don't let code go to production without some type of review, don't push applications to prod without security testing those apps, etc.

Yes, this is expensive and time consuming, but in my opinion it's a pay now or pay more later scenario. Spending thousands up front may save you from spending hundreds of thousands after a breach.

Will all of this save every organization 100% of the time? No, but it will significantly reduce the number of incidents. Will it be popular with employees? No, but watching the Double Rainbow Song is probably something they should do on their own time and on their own computer.

Security will never be perfect, but a big part of the reason it is as broken as it is today is that we haven't made the unpopular decisions that need to be made.
