The two things that actually work in information security and how to deploy them.

I was struck by this tweet by @chrisrollf:
2FA and VPNs  - 2 things that work

Because of the truth of it (and yes, because we sell two-factor authentication). IPS/IDS, anti-virus and the like really haven't performed as advertised. You can see the move to de-perimeterization pushing all of those security products, when simply implementing two-factor authentication would have been as effective or more so.

Thanks to this year's Verizon DBIR, we can see the impact of these two technologies and how to implement them. Verizon has aggregated its mitigation recommendations and summed the percentage of incidents in which a Critical Security Control should have been applied.

We gathered up all the nuggets of mitigation wisdom from our reviews and tallied up the percentage of incidents where a CSC control could be applied as the recommended strategy.

(That's a direct quote, btw; the DBIR really is saying 'Critical Security Control control'.)

I have amended the table to include a Notes column on whether the control can be supplied by one of the two 'effective security technologies' (2FA or a firewall/VPN).

| CSC | Description | % | Category | Notes |
|---|---|---|---|---|
| 13-7 | Two-factor authentication | 24% | Visibility/Attribution | 2FA: The biggest bang for your security buck. |
| 6-1 | Patching web services | 24% | Quick Win | |
| 11-5 | Verify need for Internet-facing | 7% | Visibility/Attribution | Firewall: You should do this on setup and periodically. Remember - it's easy to block ports and see what breaks. |
| 13-6 | Proxy outbound traffic | 7% | Visibility/Attribution | Firewall: We've suggested combining this with 2FA too. |
| 6-4 | Web application testing | 7% | Visibility/Attribution | |
| 16-9 | User lockout after multiple failed attempts | 5% | Quick Win | 2FA (etc). All 2FA systems have this feature. |
| 17-13 | Block known file transfer sites | 5% | Advanced | Firewall: Most firewalls offer URL blocking. |
| 5-5 | Mail attachment filtering | 5% | Quick Win | Firewall: Most firewalls offer attachment filtering. |
| 11-1 | Limiting ports and services | 2% | Quick Win | Firewall - Pretty much the point of VPNs. |
| 13-10 | Segregation of networks | 2% | Configuration/Hygiene | Firewall. Your firewall should be able to create virtual private networks. |
| 16-8 | Password complexity | 2% | Visibility/Attribution | OS - but if you use 2FA in more places, it's better. |
| 3-3 | Restrict ability to download software | 2% | Quick Win | Firewall |
| 5-1 | Anti-virus | 2% | Quick Win | |
| 6-8 | Vet security process of vendor | 2% | Configuration/Hygiene | Require 2FA for vendor access for control. |
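The table's note on CSC 16-9 says every 2FA system includes a lockout after repeated failed attempts. The following is an added illustration of what that control actually has to get right, written for this page rather than taken from the original post or from any 2FA product it mentions: failures are counted in a sliding window, the account locks for a fixed period once the threshold is hit, and the lock is checked before any secret is compared so a correct password plus OTP is still refused while locked. The policy numbers, the in-memory credential table and the user name are constructed assumptions, and the clock is injected so the behaviour can be exercised offline.

```python
"""Account lockout after repeated failed logins (CSC 16-9).

Added example, not code from the original post or from any 2FA vendor.
Credential and OTP checks are stubbed with a constructed in-memory table;
the policy constants are assumed values, not a recommendation.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_FAILURES = 5        # assumed policy: lock after 5 failures ...
WINDOW_SECONDS = 300    # ... within a 5-minute sliding window
LOCKOUT_SECONDS = 900   # assumed policy: stay locked for 15 minutes


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                            # epoch seconds; 0 means not locked


class LockoutPolicy:
    """Tracks failed attempts per account and enforces a temporary lock."""

    def __init__(self, now: Callable[[], float]):
        self.now = now  # injectable clock so the policy is testable without sleeping
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self.now() < self._state(user).locked_until

    def record_failure(self, user: str) -> bool:
        """Record one failed attempt; return True if this failure locked the account."""
        st = self._state(user)
        t = self.now()
        # Forget failures that have aged out of the sliding window.
        st.failures = [f for f in st.failures if t - f < WINDOW_SECONDS]
        st.failures.append(t)
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = t + LOCKOUT_SECONDS
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self._state(user).failures.clear()


# Constructed sample store: user -> (password, OTP code valid for this example)
CREDENTIALS = {"alice": ("correct horse", "123456")}


def attempt_login(policy: LockoutPolicy, user: str, password: str, otp: str) -> str:
    """Return 'ok', 'locked' or 'denied'.

    The lock is checked first, so valid credentials are refused during the
    lockout period. Unknown users are counted like any other failure so the
    response does not reveal whether the account exists.
    """
    if policy.is_locked(user):
        return "locked"
    expected = CREDENTIALS.get(user)
    pw_ok = expected is not None and hmac.compare_digest(expected[0], password)
    otp_ok = expected is not None and hmac.compare_digest(expected[1], otp)
    if pw_ok and otp_ok:
        policy.record_success(user)
        return "ok"
    policy.record_failure(user)
    return "denied"


if __name__ == "__main__":
    clock = [1000.0]
    policy = LockoutPolicy(lambda: clock[0])
    for _ in range(MAX_FAILURES):
        print(attempt_login(policy, "alice", "wrong", "000000"))   # denied x5
    print(attempt_login(policy, "alice", "correct horse", "123456"))  # locked
    clock[0] += LOCKOUT_SECONDS
    print(attempt_login(policy, "alice", "correct horse", "123456"))  # ok
```

Two design points matter more than the numbers: the lockout check runs before the password and OTP comparisons, and a successful login resets the failure count while a lock never does. When deploying the real control, pair it with logging of lock events so a burst of lockouts across many accounts is visible to the SOC.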

I've always been a "work with what you have" and "get the most out of what you have" type of person. This list screams that. I also think that companies will need to consider the source. While the DBIR is a great resource, it is a work in progress, and your industry may be under-represented or your company may simply be different. And security is a moving target. The description of "Vet security process of vendor" seems a bit vague. I suspect that many organizations are now considering deploying some form of "privileged access management" solution to monitor not only internal accounts but also vendor accounts. If so, they should use two-factor auth for their PAM solution (and you should make sure your PAM solution supports RADIUS).
