…are not experts.
We have just had another round of Internet Explorer and Java bugs announced in the past weeks, followed by another round of so-called experts telling everyone to stop using IE and Java. This is pointless and counterproductive, and an indication that these “experts” probably have no practical experience in a business environment.
I doubt that anyone who pays attention to security advice is running Java, IE 6/7/8, et al. because they want to; we run these things because we have to, and the decision is out of our control. Anyone who doesn’t understand this doesn’t understand enough to give advice.
Yes, there are a lot of people running old, vulnerable crap they don’t need. They aren’t listening to the InfoSec echo chamber, so don’t bother trying to reach them there (here).
It’s like the folks who dumped Adobe Reader in favor of Foxit for security reasons, who are now scrambling to patch the latest critical vulnerability in Foxit. I dumped Adobe Reader in favor of Foxit because I find it faster and lighter, and because of a general loathing of Adobe. I do have to update it less frequently, but I believe that is largely due to its reduced market share, which means reduced value to attackers, much like OS X has never been “secure”, but historically it hasn’t been as targeted as Windows.
I see two central problems feeding this issue: “dump X” is a compelling headline, reality isn’t; and the ever-present quest for simple solutions to complex problems.
Here’s my advice, which you probably already know:
Dump *anything* you don’t use. Dump anything with a proven track record of failure which you don’t need (for example, if you don’t need Java, uninstall it). That’s the easy bit; the rest requires thought and effort. If you need Java for desktop apps but don’t need Java in your browser, disable the browser plugins.
If you have to support vulnerable browsers or other apps, restrict their access to only the resources which require them and use other apps or browsers for “normal” use. Or have limited-use systems if you can get away with it. These introduce pain of their own, but can be done. Configuring proxy settings in the browsers (or possibly mis-configuring them) may be a relatively easy way to control browsers depending on the situation (or it may completely break networking for the systems).
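One concrete way to do the “restrict the vulnerable browser to only the resources which require it” step above is a proxy auto-config (PAC) script: the legacy browser is pointed at the script, allowlisted internal hosts go DIRECT, and everything else is sent to a proxy address that nobody listens on, so the connection simply fails. This is an added example, not code from the original post; the hostnames are placeholders, and it is written in the old ES3 style (`var`, `substr`) that legacy browser PAC engines understand.

```javascript
// PAC script confining a legacy browser to a short allowlist of internal sites.
// Added example; hostnames below are constructed placeholders, not real systems.

// Hosts the vulnerable browser is still needed for. An entry that starts with
// a dot matches any host *under* that domain; list the bare domain separately
// if it is needed too.
var ALLOWED_HOSTS = ["legacyapp.corp.example", ".intranet.corp.example"];

// "Black hole" proxy: port 9 (discard) on loopback, where nothing accepts
// connections, so every non-allowlisted request fails closed.
var BLACKHOLE = "PROXY 127.0.0.1:9";

// Case-insensitive allowlist check with exact and suffix (".domain") matching.
function hostAllowed(host) {
  var h = String(host).toLowerCase();
  for (var i = 0; i < ALLOWED_HOSTS.length; i++) {
    var entry = ALLOWED_HOSTS[i];
    if (entry.charAt(0) === ".") {
      // The leading dot prevents "evilintranet.corp.example" from matching.
      if (h.length > entry.length &&
          h.substr(h.length - entry.length) === entry) {
        return true;
      }
    } else if (h === entry) {
      return true;
    }
  }
  return false;
}

// Entry point the browser calls for every URL it is about to fetch.
function FindProxyForURL(url, host) {
  if (hostAllowed(host)) {
    return "DIRECT";
  }
  return BLACKHOLE;
}
```

Anything not on the list, including update servers and anything the allowlisted apps load from elsewhere, will stop working, so try it on a test machine first; and it only holds if users cannot change the browser’s proxy settings themselves, so lock those down with whatever policy mechanism your environment uses.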
And all the other stuff you already know:
Reduce use of admin-level permissions wherever possible, especially domain admin, and especially where you know you are supporting insecure systems.
Improve authentication: this may mean using all eight characters the crappy app allows, or maybe you can move to two-factor, or something in between.
Crank up the logging. Crank it up to eleven on the likely targets, and then (here’s the tricky part) actually look at those logs.
And finally, my comment to those who propose naïve and stupid things like this:
“Shut up. Just shut up. If this were easy, even you could do it.”
Jack