The one essential truth of computer security

From InfoWorld

Who doesn't love that scene in "A Few Good Men" in which Jack Nicholson's character tells Tom Cruise's character, "You can't handle the truth. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom I provide, and then questions the manner in which I provide it. I would rather you just said 'Thank you' and went on your way."

I often feel like I'm acting out that scenario when speaking to CIOs and senior security leaders. They want me to tell them how to stop hackers and malware from invading their environments. Usually I'm consulting on some multitiered firewall/proxy/security solution aimed at protecting back-end databases. We talk about packet-inspecting firewalls, intrusion detection, two-factor authentication, and all sorts of high-tech defensive solutions that add several layers to their defense-in-depth protection.

Then I say something like, "That's all great, but it won't work." I usually have their attention by then.

Next, I throw out the inconvenient truths:

• Most of today's security risk in the average computing environment comes from "drive-by downloads" -- that is, trusted insiders get infected by Trojan software that they were tricked into installing.
• If you allow your end-users to install any software they want, then your risk of security exploitation is high.
• Even if you are fully patched and the software you run contains zero bugs (this is never true), it barely decreases the risk from drive-by downloads.
• Most malware and malicious hackers are criminally motivated and seek monetary gain.
• End-user education is highly overrated and will fail.
• Your firewall, your anti-malware software, and your IDS will fail.

This is hard for many people to accept, but I think we need to start thinking in terms of a office computer being a business tool. It is NOT a general purpose computing device to be used for personal purposes by employees. Harsh? Of course it is, but not as harsh as a trojan deleting essential work information or company secrets sold to the competition.