The 3Ps - Passwords, Patching and People
31 December 2013

We all know that there is no 'silver bullet' when it comes to defending against cyber threats, and there probably won't be one for the foreseeable future. However, a model does exist for achieving good security: layered security defences and best practice. Unfortunately, the root cause of many highly publicised breaches tells us that achieving good security and applying security best practice still appears to be beyond the grasp of many global enterprises and organisations.

I cannot help but think that this is because of an inherent belief within organisations that allocating an ever-increasing budget to cyber security translates into an impenetrable shield against cyber threats. The reality is that the defensive gains diminish greatly for every pound or dollar spent as cyber crime matures. There is no doubt that security has rapidly moved up the corporate agenda from sideshow to near the top, but if the news headlines are anything to go by, this attention is not translating into good security.

When I speak to people across various industries, one factor is always raised whenever the topic of security comes up. That factor is cost. This reinforces my belief that there is a complete misunderstanding of how to achieve a high level of security. While security products and services are required, it is apparent to me that many of the people I speak to already have the core products and services they need within their organisation. The reason they face an increasing number of issues is that they don't get the basics right.

Ask a pen tester what issues consistently show up during pen tests and how to remediate them. In most circumstances the remediation will have absolutely nothing to do with purchasing more hardware, products or services. In the majority of cases the advice will relate to applying security best practice to aspects of configuration. Weak passwords and lax patching are always on the list of issues.

Applying the 3Ps can take the security posture of an organisation from bad to good in a short period of time, with minimal operational cost and almost certainly zero capital expenditure. So what are these 3Ps that can massively increase the security posture of an organisation of any size? They are: Passwords, Patching and People.

Passwords – It has been widely reported in the IT media that a breach at Adobe led to the loss of 150 million usernames and passwords. It is no surprise to any security professional that nearly 2 million of those passwords were actually 123456. This was the most common password, followed in ranking by 123456789 and then password. These were customers' passwords, so surely sysadmins know better? Any pen tester will tell you, "no they don't": sysadmins are notorious for using basic passwords and the same passwords across systems. A robust password policy covering length and complexity MUST be applied across an organisation and enforced at a technical level. Where technical controls cannot enforce complexity, strict administrative controls and processes must be in place to ensure the password policy is applied.
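As an added example (not code from the original post), a small Python audit that ties the two points above together: it checks candidate passwords against a length/complexity policy and against the three breach passwords named in the paragraph, and it flags the same password reused by one account across several systems. The policy thresholds and the sample account records are assumptions constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Three most common Adobe breach passwords named in the post; a real check
# would load a far larger breached-password list.
COMMON_PASSWORDS = {"123456", "123456789", "password"}
MIN_LENGTH = 12   # assumed policy threshold, not taken from the post
MIN_CLASSES = 3   # of: lower-case, upper-case, digit, symbol
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def policy_violations(password):
    """Return the policy rules a candidate password breaks (empty if it passes)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if sum(1 for p in CLASS_PATTERNS if re.search(p, password)) < MIN_CLASSES:
        problems.append("insufficient complexity")
    return problems


def audit(accounts):
    """Audit (user, system, password) records from a sanctioned credential review.
    Returns per-account violations plus, per user, groups of systems that share
    one password. Passwords are hashed first so the report carries no plaintext."""
    violations = {}
    seen = defaultdict(lambda: defaultdict(list))  # user -> digest -> systems
    for user, system, password in accounts:
        seen[user][hashlib.sha256(password.encode()).hexdigest()].append(system)
        problems = policy_violations(password)
        if problems:
            violations[(user, system)] = problems
    reuse = {}
    for user, by_digest in seen.items():
        groups = [sorted(s) for s in by_digest.values() if len(s) > 1]
        if groups:
            reuse[user] = groups
    return {"violations": violations, "reuse": reuse}


# Constructed sample records; names and passwords are illustrative only.
SAMPLE_ACCOUNTS = [
    ("svc_backup", "dc01", "123456"),
    ("svc_backup", "web01", "123456"),
    ("jsmith", "web01", "Summer2013"),
    ("ops_admin", "db01", "Kx7#vLp2!qR9mZ"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ACCOUNTS))
```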

Patching – Patching doesn't just mean updates to MS Windows, which is the obvious part of a desktop estate to patch because it is relatively easy. Client-side software is a primary attack vector, and web browsers, media players, media readers, runtime components and office suites frequently feature in 'most vulnerable applications' lists. Patching MUST be enforced for every application and component across the IT estate. Critical server patching is challenging, but that doesn't mean it can be excluded or ignored. Server patching needs to be addressed and regularly planned. In most instances a software vulnerability needs to exist for an exploit to be launched; therefore failing to patch comprehensively guarantees only one thing: an organisation is already compromised, or it will be compromised very soon.

People - Most important of all, if staff are not aware of the threats and of the methods cyber criminals use to social engineer them in order to compromise an organisation's data assets, then all of the security controls in place immediately become less effective. The methods and techniques used by cyber criminals are becoming more sophisticated and malicious activity is becoming more difficult to identify, so the people factor has never been so important. (See my November 2013 blog on security awareness.)

Getting the 3Ps right provides a solid foundation on which to build good security into an organisation. Getting the 3Ps wrong is like building a house on sand: it might look good, but it will ultimately crack and suffer serious and costly problems.

varlogsecurity blog
The place where I share my personal opinion and observations on the world of IT security.

© 2013

Modified heading photo. Original photo by Rick Audet. Creative Commons Attribution