How do you sleep at night?
is what I often hear when people ask me how complex things have become with cyber-security. Indeed, things have become more complicated; yet we can’t simply stop using computers because staying safe is harder than it used to be.
So I thought I’d document a few ideas I have had about this that may be helpful:
1. Don’t ever be fooled into thinking you are in control. I have long believed that a lot goes on on networks that people do not know is going on. The reality: there is no practical way to control everything.
2. Awareness and education are half the battle. The more your users are informed about risks and how to react to a situation, the easier things will be.
3. Be a quick follower, not on the bleeding edge. Being on the bleeding edge is expensive and gives a false sense of security (I have the “best tools” tuned to the “latest attacks” – so what!? There are about a million new ones about to hit you). Conversely, not keeping up with the basics is the equivalent of leaving your home’s front door open with a neon sign letting people know when you are out. Just stay on top of patches and basic safety measures/controls.
4. Understand your “attractiveness”. Why would someone else be interested in your information/computers/network? Can they make money, get bragging rights, or use your infrastructure as a relay so that bad deeds get attributed to you? Whatever it is, be aware of it and act accordingly: if something is of low value, don’t try to protect it with national-defense-grade controls.
5. Don’t put too much value in perimeters; focus instead on partitions/zones. I was never able to find the source of the following statement about firewalls (which incidentally sums up how I feel about perimeter-based approaches):
firewalls make your infrastructure crunchy on the outside and chewy on the inside.
Instead, focus on zones/partitions and require that “participants” (humans or machines) be able to prove their credentials at any and all times, not only when crossing the perimeter.
Open for comments…