
Infosec: Designing for IDGAF

July 20th, 2011

I don’t mean to offend anyone with the implied language of this post, or the image at left. But there’s no more apt way to describe the fundamental concept of this message. Imagine your users being totally, completely honest with you when you talk about the need for security. In a world not colored by political correctness and “business etiquette”, many of them would probably tell you (regarding security): I Don’t Give A F***. Unfortunately, whether they really articulate this or not (likely not), there’s a very solid chance that this is exactly what your general user population is saying to you and your beloved security policies. Gasp! But…but…(sputter)…don’t they read the NEWS?! Don’t they know they’re rapin…errrrr, HACKING EVERYBODY OUT HERE!?

Well, we’ve all known for quite some time that, in reality, the hardest job in infosec is changing people’s behavior. When someone sends your users an email with an attached file or link that purports to show them the most incredible dancing bear they have ever seen, or the funniest caption with a cat picture EVAH, guess what happens? Yep. They click. Happily. Facebook? There they are! Downloads? PDF files? Flash games? Yes, yes, and YES. YES! Connecting to wireless ANYWHERE is NO PROBLEM. They want iPads! They want iPhones! They want Droid devices! Their own computers! And this is not going to get better, or go away. What’s my point? Well, it’s opinion time:

Traditional security awareness programs are useless. Give them up. Do it now.

Trying to get people to change how they do things is futile. You’ll convert a few, sure. But most people do not think like us. They will not take 2 extra steps or endure a nagging popup asking “Are you sure?”. In fact, they’ll work HARDER to find a way to circumvent your security than they would have worked just adapting to the security. Why? It’s human nature. So I say we toss this concept of “Educate them, and they’ll come around”. Instead, let’s start doing something we’ve bantered about for years. Let’s build security in, and accommodate the IDGAF mentality.

This means putting EVERYTHING into a “Default Deny” mode: moving to application whitelisting, some form of NAC, lockdown of host-based and network-based ports on the firewalls and other access controls, and severe restriction of privileges. Yep, in other words – all that stuff we have discussed for quite a while. If we would just design this way, either in a green field scenario or when updating our environment, we’d be in better shape. How about a VM sandbox for any device people want to use to connect, one that doesn’t print locally or access local files? I’d like to think we’ll stop this silly dance of “integrating into the business” at some point and come to the realization that we are fundamentally at odds with everyone else in the business ideologically, as it’s our job to RESTRICT things from happening. But if we design for IDGAF, and build it in so that we control the behaviors from the get-go, we just might rein in the users and their Pandora’s box of wacky, unsafe behavior.
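To make the “Default Deny” idea concrete, here is an added example (not code from this post, and not any vendor’s product) of a tiny policy evaluator that combines hash-based application whitelisting with an explicit list of permitted network flows. The only thing that changes between the two postures is what happens when no rule matches. The rule shapes, the `Policy`/`ExecEvent`/`NetEvent` types, the sample allowlist and the sample events are all constructed for the demonstration.

```python
# Added example (not from the blog post or any vendor): a minimal policy
# evaluator that contrasts a "default allow" posture with the "default deny"
# posture argued for above. The rule shapes, the sample allowlist and the
# sample events are all constructed for this demonstration.
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ExecEvent:
    """A program about to run: its path and the bytes of the executable."""
    path: str
    content: bytes


@dataclass(frozen=True)
class NetEvent:
    """A connection attempt the host firewall is asked to decide on."""
    proto: str       # "tcp" or "udp"
    port: int        # destination port
    direction: str   # "in" or "out"


@dataclass
class Policy:
    default_allow: bool
    # Application allowlist keyed by SHA-256 of the binary, so a renamed or
    # modified file does not inherit the approval of the original.
    allowed_hashes: set = field(default_factory=set)
    # Explicitly permitted (proto, port, direction) tuples.
    allowed_flows: set = field(default_factory=set)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _fallthrough(policy: Policy, what: str) -> tuple:
    """What happens when no rule matches: the only behaviour that differs
    between the two postures."""
    if policy.default_allow:
        return ("allow", f"no rule for {what}; default allow")
    return ("deny", f"no rule for {what}; default deny")


def evaluate(policy: Policy, event) -> tuple:
    """Return ("allow" | "deny", reason) for one event."""
    if isinstance(event, ExecEvent):
        if sha256_hex(event.content) in policy.allowed_hashes:
            return ("allow", f"{event.path} matches allowlist hash")
        return _fallthrough(policy, f"unlisted binary {event.path}")
    if isinstance(event, NetEvent):
        key = (event.proto, event.port, event.direction)
        if key in policy.allowed_flows:
            return ("allow", f"{event.proto}/{event.port} {event.direction} is allowlisted")
        return _fallthrough(policy, f"flow {event.proto}/{event.port} {event.direction}")
    # An event type the policy does not understand is treated like any other
    # unmatched case: it falls through to the posture's default.
    return _fallthrough(policy, f"unknown event {type(event).__name__}")


# Constructed sample data: one approved line-of-business app, plus a few events
# a typical user would trigger without thinking twice.
APPROVED_APP = b"lob-app-v1.0 (constructed stand-in for an approved binary)"
ALLOWLIST_HASHES = {sha256_hex(APPROVED_APP)}
ALLOWED_FLOWS = {("tcp", 443, "out"), ("tcp", 80, "out")}

SAMPLE_EVENTS = [
    ExecEvent("C:\\Program Files\\LOB\\lobapp.exe", APPROVED_APP),
    ExecEvent("C:\\Users\\bob\\Downloads\\dancing_bear.exe", b"constructed unknown binary"),
    NetEvent("tcp", 443, "out"),
    NetEvent("tcp", 3389, "in"),
]


def decisions(default_allow: bool, events=SAMPLE_EVENTS) -> list:
    """Evaluate every sample event under one posture and return the verdicts."""
    policy = Policy(default_allow, set(ALLOWLIST_HASHES), set(ALLOWED_FLOWS))
    return [evaluate(policy, e)[0] for e in events]


if __name__ == "__main__":
    for posture in (True, False):
        policy = Policy(posture, set(ALLOWLIST_HASHES), set(ALLOWED_FLOWS))
        print("default allow" if posture else "default deny")
        for e in SAMPLE_EVENTS:
            verdict, why = evaluate(policy, e)
            print(f"  {verdict:5}  {why}")
```

Run as a script, it prints the verdict for each sample event under both postures. Under default allow, everything passes, including the “dancing bear” download and the unsolicited inbound connection; under default deny, only the hashed-and-approved binary and the explicitly listed outbound web flows get through, and a binary whose bytes differ from the approved one by even a single byte is denied because its hash no longer matches.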

  1. July 20th, 2011 at 11:09 | #1

    While I’ve always agreed with this approach, I think it would be worthwhile to do some thinking on how much more expensive it would be. I think IDGAF all comes down to one simple principle: How much are people willing to pay?

    I’d like to illustrate the additional expense IDGAF would represent in three points:

    Licensing fees for additional software (Virtualization, App Whitelisting, additional firewalls for additional segregation, NAC components, etc…)

    Many admins get by in their jobs with minimum skills and knowledge. This is a fact due to the lack of a trained workforce in IT. We have the same problem on the security side. Default allow makes it possible for this class of sysadmin. Make everything default deny, and a large chunk of the workforce will have to step it up, be replaced with more skilled and knowledgeable (and more EXPENSIVE) sysadmins, or the attempt to switch to a more secured environment will be a complete failure, and the business will go back to the insecure model. I’ve personally seen this happen in a LARGE enterprise. They didn’t troubleshoot the segregation/firewalling issues in this case. They just gave up and kept the internal network flat.

    Default Deny will cost a lot more to maintain. The nature of the environment will multiply support needs/requests exponentially. Overnight.

    For this to work, IT will need more staff and more training. Same for Helpdesk. IT will need a larger budget for tools and resources overall. IDGAF is the right thing to do, but it isn’t gonna come cheap.

  2. admin
    July 21st, 2011 at 08:07 | #2

    @Adrian Sanabria
    This is a valid point, I think. Much like the PCI model of pushing costs to the banks, I think organizations should push costs to their tools and OS, applications, etc. Security, by default, needs to be “baked in” to remove the burden from the folks using the stuff. That’s the only true way for security to succeed long-term. We’ll probably pay a little more for it short term, no doubt.

  3. July 21st, 2011 at 14:51 | #3

    @Shack – Hallelujah brutha! Tell it from the rooftops!!!

    @Adrian – You are completely right on costs. And I can prove it – look at the US DOD. They (more or less) operate in a default-deny configuration…at least by policy and mostly by practice. They can’t hire more people (thank you hiring freeze), they can’t pay their people more (thank you gov’t employee wage increase freeze). And look at what it costs, both in real money and in residual organizational size/staffing costs, to build and operate official systems.

    Good read, thank you!
