Security

Insecurity through Inactivity

It’s been utter madness at work for the last couple of weeks. I really wish people would understand that security recommendations aren’t the end-all, be-all solutions they are looking for. They are just the absolute minimum that they should be doing, and the minimum is never enough. You need to tailor those solutions to your needs, and you need to add additional layers on top of them to cover the things that they miss.

Obviously, there is no such thing as a 100% secure system, but I can guarantee that a system that only meets the minimum of standards (and most places don’t even do that much) won’t remain secure for very long. The minimum is what you implement as a stopgap while you try to find the rest of the holes, and ideally patch as soon as you know about them. The thing is, you will never find all the holes, so you need to be vigilant, always looking for new vulnerabilities, and always patching them as you find them. The hope is that you find the vulnerabilities first, before someone malicious does.

If you don’t look for and find them, have no fear, the malicious person will find them for you! This has been proven time and time again. My company has been dealing with the Backoff virus, which should be all the devastating proof that you need that the malicious attackers will find anything and everything that you don’t, given enough time. The thing is, the attackers shouldn’t be finding the holes as often as they do, because the Network & Systems Security IT has the home field advantage. They already know the network, they know the software, and they know the platforms in use. They know how they are wired up, they know how they talk to each other, and they know this at an intimate level as they often laid it out themselves. The attacker has to work and spend effort to discover these things on his own.

It is absolute madness that a lot of security departments don’t do more active testing and research of their own networks in order to stay on top of the latest threats. If you’re doing your job right, the only time an attacker should breach is on one of two occasions: 1) he discovered the breach and created the first exploit, or 2) he got lucky and got in while you were patching it!