Effective security isn't easy

Last week, the curmudgeon in me had a bad day. After reading about new exploit after new exploit while people keep recommending the same old security solutions, I lost it.

See, I've been doing computer security for 20 years now. And believe it or not, it's not rocket science. Nor is it impossible. It only takes focus and commitment.

Here are the most effective security solutions you can implement, in order of effectiveness:

Do not allow end-users to run or install unauthorized software programs. I don't care how you do it, just accomplish it. Your resistance to this single recommendation is the reason why you have to do everything else.

Don't put unnecessary software on the authorized software list. This means Flash, Real Player, and iTunes all go.

Implement deny-by-default policy everywhere you can. Don't just block 20 file attachment types at the network perimeter; block them all, and only allow a few.

Don't allow your end-user to be logged in as Administrator or root. If your application software doesn't support it, get new applications, or run them in a desktop VM.

Automate comprehensive patching. Not just the OS, but for all software.

Convert all inbound e-mail to plaintext by default.

Enforce long passwords (15 characters or more). Forget complexity: Go long and throw complexity out the door. Or go two-factor.

Encrypt all confidential data by default.

Spend less money on new security software and more money on reviewing the basics. Do you have a list of every file share in your company, and who has what access? What are the permissions on all host- and network-based resources? Is the practice of least privilege followed? Are non-needed services turned off?

Lastly, hack and audit your own network on a regular basis.

I'm sure many of my readers will see much of this advice as impractical, especially the first recommendation. If you see the first recommendation as unworkable in a real company, if you think end-users wouldn't stand for it, if you think management wouldn't stand for it -- you're wrong.

There are many companies -- small and large, five-person businesses and Fortune 100 conglomerates -- that follow these rules. And they live without a world of malware and malicious hackers. When I visit them, they tell me that it's been years since a significant malicious event happened to their environments. Each of the security managers could tell you that they felt the same way as you do now when they started tightening down their environments -- their management teams, and even IT teams, rebelled when the new, seemingly draconian measures were suggested. The new recommendations were fought and sabotaged.

But the real security leaders prevailed. New rules were put in place, and employees were retrained. Company-authorized images were deployed and mandated. Employees trying to circumvent company policy or installing unauthorized software were fired. Sometimes even the IT security guys got fired. The rules apply to everyone.

And each company implementing the "impossible" recommendation is now more secure and spends less on security. Standardized, controlled images mean fewer worries, fewer problems, and fewer breakdowns. These companies don't worry significantly about hackers, malware, spyware, or phishing attacks. While everyone is being attacked by the latest popular worm, they are reading about it as unexciting news.

Each of these security-empowered companies was once just like your company. Each felt that the tough security measures listed above were impractical. If you asked their employees whether they're happy they can't install just any software program on their system, most would say no. But ask whether they want to go back to the old way -- security protection that didn't work -- and you won't get a single taker.

Your company will eventually do what I suggest above. All that matters is when it will happen and whether you'll be a part of the process or a roadblock to security success.