Security Isn’t Just Avoiding MicrosoftMarch 8, 2008 – 6:48 PM
I’ve had to listen to clients kvetch for hours on end about how Microsoft makes their lives miserable and how everything would be better in a Microsoft-free world. Tony Bove wrote a whole book with that theme, Just Say No to Microsoft, and plenty of blogs have taken up the cry.
It’s time for all the people who have entertained this fantasy to stop deluding themselves.
How would life without Microsoft be different? It wouldn’t be in any meaningful way for those in charge of network security; there would just be a different vendor peddling the dominant operating system.
Networks in a world in which Apple had won the operating systems wars would still be insecure. What’s that, you say? The Macintosh has had far fewer bugs reported and patched than Windows? That’s true, but it’s a consequence of the minuscule market penetration of Mac OS. If the Mac had enjoyed a market share of upwards of 80% for the past couple of decades, it would have been the focus of every hacker and script kiddie on the planet. And you might be lamenting the minuscule market share of that scrappy operating system vendor in Redmond, Wash.
If you put computers on a network and open that network to the outside world via the Internet, you’re going to have security problems, regardless of whether you’re running Windows, Mac OS, Linux or an operating system you created in your spare time. By all means, we need to run the safest operating system we can, fortify our networks and police the whole thing. But once we’ve done all that, we’re left with one unalterable fact: Users will still make errors galore. Training can help. But for a bit of perspective, consider commercial air transportation. The hardware is about as safe as possible, and pilots are trained as thoroughly as surgeons. But accidents happen, and they’re usually the result of pilot error.
User errors have long been the bane of security. In a sense, true security requires a paranoia honed to a fanatical edge, but sometimes even fanaticism isn’t enough. After all, no one has surpassed the Nazis when it comes to fanatical paranoia. Yet even the well-trained German soldiers of World War II broke a fundamental rule of cryptography and reused the same keys. That mistake might be the only reason this article wasn’t written in German.
So, what needs to be done? You must require users to attend formal information security training and awareness programs. No one should be left out. Set minimum security training and awareness requirements that all workers must meet — even janitors and others who have no system access. Step up the requirements for those who have access to corporate information systems (most workers would fall into this category), and establish exhaustive requirements for employees in computer-related positions of trust, such as security staff and systems programmers.
Your first step, if you haven’t already done it, is to write down your information security policies. You can’t design an effective training and awareness program without them.
Once you’ve set up effective training, you have to maintain it. Keep it consistent, and make sure users are up to date. It won’t be easy. In fact, it’s a lot easier to just blame Microsoft. But don’t feel that all that kvetching didn’t help. It took lots of people kvetching loudly for many years for Microsoft to realize that it had to do more, and it has made great strides since 2002, when it announced its Trustworthy Computing initiative.
Now it’s your turn to do something similar within your own organization.