Sunday, April 15, 2012

Do you actually care or do you just want a good feeling?

Since I started working in ITSec, there has been one thing that was not clear to me but bugged me often. It looked like most companies understood that they were, or could be, victims of fraud, but their actions to deal with it ranged from weird to good.

The other day, while listening to a Freakonomics podcast on my way home from work, it hit me. The podcast was about hybrid cars and why one car is very popular and the rest not so popular. The point was that the popular "green" car was well known because it looks completely different from the other cars, so it could be differentiated. So what you are buying is mostly image, or how you feel about what others think of you.

Back to ITSec. I wondered why people are still buying stuff ranging from cheap to verrrry expensive technology that sometimes does absolutely nothing. The "yes, let's buy this box/app, and all our problems will be gone" attitude is, in my view, very similar to the popular hybrid car.

The majority of organizations buy stuff to have a clean conscience. Let me explain that hypothesis.

The chance of being a victim online is quite real for any organization. Most solutions work only partially, and only against old attacks, and only if they are configured correctly. Since organizations constantly change, they are usually not configured correctly. In case of an incident, the organization can say: well, it is not our fault, we had antivirus, next generation firewalls, web application firewalls, IDS/IPS, ... Do you recognize this pattern?

The real question is: did you spend all that money on those things to sleep better at night (because a nice sales girl or smooth-talking guy convinced you during the product presentation)?

If you are the man in charge and reading this, I am not telling you not to buy anything just because you want to sleep better at night. Security starts with small things that you can implement without spending huge amounts of money.

An example for the skeptics: do you think everybody should be able to access the payroll data and change it, or should there be a procedure in place to log who accesses it, when, why, ...? You might think this is a bogus example, but recently there have been cases around the world where fake employees were created and money was stolen from companies.

Another example if you are still not convinced. We live nowadays in a world where every event leaves a log trace. Most logs are just kept for compliance reasons and not mined to see what value they can give you. If one of your employees is on a mission abroad and there is a login event from one IP address, and the next login event comes from the other side of the globe, and the time span between the two logins is too short to travel from one place to the other, you know you have a problem. You see, this costs almost nothing: as an employer you know where your employee is, and with some GeoIP and timetables you should be able to do the math quite easily.
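The "impossible travel" check described above, worked out as an added example (this is not code from the original post; the log lines, the GeoIP table and the speed threshold are constructed stand-ins for a real log source and GeoIP database):

```python
import math
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP lookup: ip -> (city, latitude, longitude).
# A real deployment would query a GeoIP database instead.
GEOIP = {
    "203.0.113.10": ("Brussels", 50.85, 4.35),
    "198.51.100.7": ("Sydney", -33.87, 151.21),
    "192.0.2.44": ("Antwerp", 51.22, 4.40),
}

# Constructed sample login events (UTC timestamps, key=value fields).
LOG_LINES = [
    "2012-04-15T08:00:00Z login user=alice src=203.0.113.10 result=success",
    "2012-04-15T10:30:00Z login user=alice src=198.51.100.7 result=success",
    "2012-04-15T09:00:00Z login user=bob src=203.0.113.10 result=success",
    "2012-04-15T11:00:00Z login user=bob src=192.0.2.44 result=success",
]

# Assumed threshold: faster than a commercial flight is treated as impossible.
MAX_SPEED_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_line(line):
    """Turn one constructed log line into (timestamp, user, source ip)."""
    ts, _event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, fields["user"], fields["src"]


def find_impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city, distance_km, hours) for each pair of
    consecutive logins by the same user that would require travelling faster
    than max_speed_kmh."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: (e[1], e[0]))
    alerts = []
    last_seen = {}  # user -> (timestamp, city, lat, lon) of the previous login
    for when, user, ip in events:
        if ip not in GEOIP:
            continue  # unknown location: nothing to compare against
        city, lat, lon = GEOIP[ip]
        if user in last_seen:
            prev_when, prev_city, prev_lat, prev_lon = last_seen[user]
            dist_km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600.0
            if hours <= 0:
                speed = float("inf") if dist_km > 0 else 0.0
            else:
                speed = dist_km / hours
            if speed > max_speed_kmh:
                alerts.append((user, prev_city, city, round(dist_km), round(hours, 2)))
        last_seen[user] = (when, city, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(LOG_LINES):
        print("impossible travel:", alert)
```

With the sample data, alice's Brussels login followed by a Sydney login two and a half hours later is flagged, while bob's Brussels-to-Antwerp move in two hours is not. The threshold is the tuning knob: VPN exit nodes, mobile carriers and shared offices will move a user's apparent location without any travel, so in practice the alert is a prompt to look at the account, not proof of compromise on its own.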

My advice is to spend your money wisely; it is a scarce resource. Look at the easy stuff first, the things you already have, so that you have your basics covered, instead of having a good feeling because you bought things other people want and will therefore try to get from you.

Oh, and just one more thing: what works today is not necessarily working tomorrow, bad guys adapt too. Review what you do and its success rate, and share the information with your competitors and CSIRTs, because they will give you their information in return so you can use it to build better defenses.