When 'convenience trumps security'

When it comes to prioritizing IT security solutions, "convenience trumps security, but embarrassment trumps convenience."

That's the rule of thumb offered by Alan Paller, director of research at the SANS Institute, and a guest speaker at FOSE 2007 today. He said that organizations are investing in security solutions sometimes to address material weaknesses, but frequently in response to the crisis du jour.

This rule can be seen at work in the most recent results of an ongoing survey conducted by SANS of what about 1,000 organizations consider their purchasing priorities.

Tops on the list? Laptop encryption, with 25 percent of respondents listing it "because of the head of the [Veterans Administration] looking like he was being torn apart during his congressional testimony," and no one wants to follow in those particular footsteps, Paller said.

Similarly, log management was cited by 23 percent of respondents, but Paller said it was being acquired in response to "three or four laws ... so they can say to regulators that they've done it."

Rather than look at purchasing plans, according to Paller, there is a specific collection of security challenges that should be driving resource allocation.

"There are five problems at a critical level," Paller said. "If we don't solve them, we can't trust the computers." Fortunately, there are technological approaches that can be applied to each.

The problems, and possible solutions:

• Federal systems are deeply penetrated, by hackers and other hostile interests; to address this, Paller advocates training and "inoculating" users, running exercises targeting one's own users and seeing how many people fall for the ploy.
  
• Patches can't be installed before attacks are launched against vulnerabilities, and
  
• Botnets are so pervasive and powerful, they can send billions of spam messages and deny Internet service to almost any organization; there is no real solution for these two other than implementing common, secure configurations for computers, and denying all users access to any system administration powers.
  
• Personal data is being lost on a massive scale, whether on laptops or through extrusion; while laptop encryption is well known and a popular answer, Paller said, content filtering and search functions that monitor a computer's contents and what data it transmits are rising sharply.
  
• Programmers are still making major security mistakes; Paller said he has personally spoken with the heads of every major computer science department at colleges and universities around the country, and they dismiss the idea of teaching about the pitfalls of "buffer overflow," for example, because "we aren't vocational trainers." To address this, some organizations are developing online exams and certifications, testing programmers' ability to find flaws in actual code.