We often review clients’ previous penetration testing reports to give them advice on moving forward with better testing and security practices. These reports, provided by security vendors of all sizes, often include completely unrealistic advice. On more than one occasion, we have seen reports that recommended that organizations disable a protocol that is critical to many organizations’ ability to connect computers to the network (DHCP) in a misguided attempt to prevent “rogue” devices from connecting. In most organizations, including these specific clients, removing that protocol would have required a significant amount of effort, with little gain in security. If the recommendation had been blindly followed without planning, it would have caused the network to fail.
As a fun exercise, go ask your IT staff right now what the impact of disabling DHCP, for “security purposes”, would be. You’ll likely detect some amount of terror in their faces. If they have a sense of humor, they may respond with something like: “You’ll be perfectly secure, because within a day, nothing will be able to connect to the network.”
Unrealistic recommendations extend past the technical realm. Many security testing vendors make recommendations that put too much responsibility in the hands of individual users. While users need to be aware of security policies and their importance, most do not have the technical background needed to confidently evaluate the safety of every single email they read, or website they visit.
While techniques for identifying phishing attempts and other attacks are covered in user training, not all hackers and scammers rely on poor grammar and obvious ploys to convince people to download malicious software. An end user cannot be expected to be both the first and last line of defense for an organization. Realistic and useful security practices and monitoring must acknowledge and account for the eventual compromise of individuals’ workstations.
Recommendations that are not actionable are essentially useless. After all, extreme recommendations like “turn it off!” will make most things secure, but not functional. Realistically, good cybersecurity measures will likely inconvenience you, but they should not be to the detriment of your ability to operate. You may add steps to the process of logging in. You may have to task IT staff with finding alternatives to practices and software that are found to be insecure. You should never, however, get a recommendation from your security testing provider that prevents you from doing business. Availability is as important as the other basic tenets of security (Confidentiality and Integrity). If a recommendation sounds like it’s not actionable, it may be time to get a second opinion from another vendor with a more realistic approach.
Dr. Wesley McGrew is the Director of Cyber Operations at HORNE Cyber.