By Roger Grimes, Columnist

Your guide to becoming a true security hero

Analysis
May 28, 2013 | 5 mins
Topics: Data and Information Security, IT Leadership, Malware

The truth about security hurts. Here's how to pull out all the stops and get your message across

I’m still amazed how most companies, even when they’ve been breached and their reputation has been ruined, fail to fight malicious hacking correctly. Instead, they erect security defenses that have little to do with the threats they’re hoping to prevent.

Let me give you a common scenario: I frequently consult with large companies that have been the victim of APT (advanced persistent threat) attacks. Usually those attacks occur because one or more users were silently infected through a vulnerability for which a vendor patch was already available. Unpatched Java is to blame in more than 50 percent of these cases, but common culprits include unpatched Adobe Acrobat, Windows, and so on. The other big risk is from users installing an app they shouldn’t, such as a fake antivirus scanner, a fake disk defragger, or a bogus software driver.


Those two methods of attack far outstrip others you’ve heard about, including SQL injection, password guessing, worms, and man-in-the-middle attacks. But guess what? Companies typically spend their time and money on defenses that ignore the obvious.

Dude, you’re defending it wrong

Why? Usually because some “expert” — a vendor with a product to sell or someone on staff who reads too many security journals — is telling them to install advanced firewalls, IDS scanners, multifactor authentication log-ons, and a myriad of other solutions that will not work.

I ask them: Would the millions of dollars you plan to spend on those elaborate solutions have saved you from the attack you just suffered? In most cases, the real answer is a resounding no. But what I usually get is “yes” or “maybe not, but it would make it harder on the attacker.”

This slays me. I ask them to tell me exactly how what they are proposing would have stopped the attackers. Walk me through the steps! The folks proposing other solutions are then forced either to exaggerate the capability of their favorite whizzy defense system — or they begin fumbling in embarrassment.

Yet just about every customer I’ve dealt with keeps wasting money on new pet projects, rather than focusing on the basics that will really work to reduce risk. I keep hoping and waiting.

Straight talk to the rescue

Want to be a hero in your environment? Then align your company’s actual threats with defenses that address them. Could anything be simpler?

Here’s what I mean: Suppose your company is most often compromised by client-side, end-user-initiated malware as described above. Sit calmly at the conference table and smile. Quietly observe that even though longer and more complex passwords are a good thing, even though disk encryption is a good thing, even though getting rid of weaker authentication protocols is a good thing — would any of them have stopped the intruder that just hacked your system from succeeding?

Then shout, “No!” and slam your hand on the table.

Tell them that, like relationships, the best indicator of future behavior is past behavior. If you’re being broken into mostly because your systems contain unpatched Java, well, by God, start making sure Java is patched. To extend that example: If 50 percent of your exploitation cases involve unpatched Java, and 49 percent involve users running things they shouldn’t, then every other hacking scenario together makes up a mere 1 percent of attacks.

Say it in slides — five of them, to be exact

Management likes pictures. All you need is five PowerPoint slides. On the first, rank the various threats in your organization by their risk level:

  1. Unpatched software
  2. Inadvertently downloaded malware
  3. Everything else

On the second slide, show how one or two defenses will get rid of the No. 1 risk. For example, if you are able to patch Java quickly, you can eliminate 50 percent of all successful hacking attacks against your company. Slide No. 3 should show defenses against the second-most severe risk. Then, on the fourth slide, list out all the risks that make up the remaining 1 percent. On the last slide, add up the cost of all the defenses that would be required to eliminate that 1 percent risk.

Then ask, “Which defense do you want me to spend money on?”
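The five-slide argument reduces to a small calculation over your own incident history: which root causes actually caused past compromises, and which proposed defense would have stopped how many of them at what cost. The script below is an added illustration, not the column’s own material; the incident log and the defense names and costs are constructed sample data (the 50/49/1 split from the text) that you would replace with your organization’s real numbers.

```python
from collections import Counter

# Constructed incident log: one confirmed root cause per past compromise
# (the column's 50 / 49 / 1 split, used here as sample data).
INCIDENTS = (["unpatched_java"] * 50
             + ["user_installed_malware"] * 49
             + ["sql_injection"])

# Constructed candidate defenses: the root causes each one would have
# stopped and a made-up annual cost. Numbers are illustrative only.
DEFENSES = {
    "patch Java within 7 days": {"stops": {"unpatched_java"}, "cost": 40_000},
    "application allow-listing": {"stops": {"user_installed_malware"}, "cost": 120_000},
    "web application firewall": {"stops": {"sql_injection"}, "cost": 150_000},
    "multifactor authentication": {"stops": {"password_guessing"}, "cost": 200_000},
}

def rank_root_causes(incidents, top_n=2):
    """Slide 1: share of incidents per root cause, with everything below
    the top_n causes lumped into one 'everything else' bucket."""
    counts = Counter(incidents)
    total = len(incidents)
    ranked = [(cause, n / total) for cause, n in counts.most_common()]
    head, tail = ranked[:top_n], ranked[top_n:]
    if tail:
        head.append(("everything else", sum(share for _, share in tail)))
    return head

def score_defenses(incidents, defenses):
    """Slides 2-5: for each defense, the fraction of past incidents it would
    have prevented and its cost per percentage point of risk removed.
    A defense that would have stopped none of them gets cost_per_point=None."""
    counts = Counter(incidents)
    total = len(incidents)
    rows = []
    for name, spec in defenses.items():
        prevented = sum(counts[cause] for cause in spec["stops"]) / total
        points = prevented * 100
        rows.append({"defense": name, "prevented": prevented, "cost": spec["cost"],
                     "cost_per_point": spec["cost"] / points if points else None})
    # Largest risk reduction first; defenses that stop nothing sink to the bottom.
    rows.sort(key=lambda r: (-r["prevented"], r["cost"]))
    return rows

if __name__ == "__main__":
    for cause, share in rank_root_causes(INCIDENTS):
        print(f"{share:6.1%}  {cause}")
    for r in score_defenses(INCIDENTS, DEFENSES):
        print(f"{r['prevented']:6.1%}  ${r['cost']:>8,}  {r['defense']}")
```

A defense that scores zero against the incident history is the one to question in the meeting: it may still be worth having, but the sample data cannot justify it on past breaches.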

Too patronizing? Maybe. But take my word for it, subtlety doesn’t work. Whatever you do, don’t worry about whose pet project you may be stepping on. Be a hero. Be like Jack Nicholson in “A Few Good Men”: “You can’t handle the truth!”

I can tell you from firsthand experience that senior management hasn’t been given — or at least hasn’t absorbed — the truth of what really decreases risk. If they had, I wouldn’t have to give my talk so often.

This story, “Your guide to becoming a true security hero,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
