You know you’ve reached a point in your career when you get asked to give a talk on how IT has evolved over the past 10-15 years.  I guess it’s a polite way of saying that you’ve been around for some time in the industry.  Well, I was asked to do a talk on how IT Security has progressed in the past 10-15 years.

It seemed to be a fun topic to research. However, I was surprised and somewhat depressed when I reviewed some of the presentations I had done in those years.

In 2001, I was part of a SANS Institute group that drew up a consensus list called “The Most Common Security Mistakes Made By Individuals.”  It was a list of 10 things that contributed to systems being compromised by hackers. The items listed were:

1. Poor password management

2. Leaving your computer on, unattended

3. Opening e-mail attachments from strangers

4. Not installing anti-virus software

5. Laptops on the loose

6. Blabber mouths

7. Plug and Play without protection

8. Not reporting security violations

9. Always behind the times (OS, application patches)

10. Keeping an eye out inside the organization

The purpose of the project was to create a list of 10 actionable items that were root causes of approximately 70-80% of the successful system compromises in 2001. The hope was that if we “fixed” these items, we would reduce the number of successful attacks. This 80-20 defense strategy has been used in a number of initiatives including the present-day Top 20 Critical Controls.

Contributors from the .gov, .com, .edu, and .org sectors provided their lists, and a consensus list was created from these individual submissions. Since there were literally thousands of causes of attacks, it was hoped these 10 would provide organizations with a prioritized list of "where to begin" tasks.

I have to admit that it is déjà vu all over again. I looked at that list and I realized that as an industry, we’ve failed to eliminate any of these items from the list of root causes in 2014. What have we been doing all of these years in our industry?

Take a look at the list and tell me what items your organization has eliminated.  I’ve shown this list to students in my SANS Institute classes over the past year and the only one that we might be able to claim was fixed (eliminated) was item 4 (not installing antivirus software).  We realized that having antivirus software installed on a machine is ineffective if it’s not run periodically. As far as I can tell, every single one of those mistakes is still a mistake in 2014.
