Myth 10: An Expert Recommended This Tweak as Defense in Depth
This myth has two parts. Let us deal with the defense-in-depth aspect first. Defense in depth is a reasoned security strategy that applies protective measures in multiple places to prevent unacceptable threats. Unfortunately, far too many people today use the term "defense in depth" to justify security measures that have no other realistic justification. Typically, this happens because of the general belief in myth 3 (more tweaks are better). By making more changes, we show the auditors that we are doing our job, and therefore they chalk us up as having done due diligence.
This shows an incredible immaturity in the field, much like what we saw in Western "medicine" in the Middle Ages. Medics would apply cow dung, ash, honey, beer, and any number of other things, usually in rapid succession, to wounds to show that they were trying everything. Today, doctors (more typically nurses, actually) clean the wound, apply a bandage and potentially an antibiotic of some kind, and then let it heal. Less is very often more, and using defense in depth as a way to justify unnecessary and potentially harmful actions is inappropriate.
The first part of this statement is one of our favorites. As a society, we love deferring judgment to experts because, after all, they are experts and know more than we do. The problem is that the qualification process for becoming an expert is somewhat, shall we say, lacking. We usually point out that the working definition of a security expert is "someone who is quoted in the press." Based on the people we often see quoted, and our interaction with those people, that belief seems justified. It is no longer actions that define an expert, just reputation; and reputation can be assigned. Our friend Mark Minasi has a great statement that we have stolen for use in our own presentations: to be a security consultant, all you have to know is four words: the sky is falling. Having been security consultants and seen what has happened to the general competence level in the field, this statement certainly rings true. There are many, many good security consultants, but there are also many who do not know what they need to and, in some cases, fail to recognize that, and then charge exorbitant amounts of money to impart their lack of knowledge and skills to unsuspecting customers.