When “the tail is wagging the dog”, you know that something has gone wrong. Priorities are not straight, and a part of the system does not understand its role. Providers of offense-oriented security services, such as penetration testing and red team engagements (which I’ve described in previous articles), often make draconian recommendations that, in pursuit of least effort, wind up impacting your ability to do business. When you get these recommendations, you should ask yourself: Is this vendor acting like a partner in my business, or are they content with it being inhibited as a result of their recommendations?
We often review clients’ previous penetration testing reports to give them advice on moving forward with better testing and security practices. These reports, provided by security vendors of all sizes, often include completely unrealistic advice. On more than one occasion, we have seen reports recommending that an organization disable DHCP, the protocol most organizations rely on to assign addresses to the computers joining their networks, in a misguided attempt to prevent “rogue” devices from connecting. In most organizations, including these specific clients, removing that protocol would have incurred a significant amount of effort with little gain in security. If the recommendation had been blindly followed without planning, it would have caused the network to fail.
As a fun exercise (or a late April Fools’ prank), go ask your IT staff right now what the impact of disabling DHCP for “security purposes” would be. You’ll likely detect some amount of terror on their faces. If they have a sense of humor, they may respond with something like: “You’ll be perfectly secure, because within a day nothing will be able to connect to the network.”
Unrealistic recommendations extend past the technical realm. Many security testing vendors make recommendations that put too much responsibility in the hands of individual users. While users need to be aware of security policies and their importance, most do not have the technical background needed to confidently evaluate the safety of every single email they read, or website they visit.
While techniques for identifying phishing attempts and other attacks are covered in user training, not all hackers and scammers use poor grammar and obvious attempts to convince people to download malicious software. An end-user cannot be expected to be both the first and last line of defense for an organization. Realistic and useful security practices and monitoring must acknowledge and account for the eventual compromise of individuals’ workstations.
Recommendations that are not actionable are essentially useless. After all, extreme recommendations like “turn it off!” will make most things secure, but not functional. Realistically, good cybersecurity measures will likely inconvenience you, but they should not come at the expense of your ability to operate. You may add steps to the process of logging in. You may have to task IT staff with finding alternatives to practices and software that are found not to be secure. You should never, however, get a recommendation from your security testing provider that prevents you from doing business. Availability is as important as the other basic tenets of security (confidentiality and integrity). If a recommendation sounds like it is not actionable, it may be time to get a second opinion from another vendor with a more realistic approach.