When “the tail is wagging the dog,” you know that something has gone wrong. Priorities are not straight, and a part of the system does not understand its role. Providers of offense-oriented security services, such as penetration testing and red team engagements, often make draconian recommendations. In pursuit of least effort, these recommendations often wind up impacting your ability to do business. You should ask yourself: Is this vendor acting like a partner in my business? Or are they making recommendations that could inhibit my organization?
We often review clients’ previous penetration testing reports to advise them on moving forward with better testing and security practices. These reports, provided by security vendors of all sizes, often include completely unrealistic advice. On more than one occasion, we have seen recommendations that organizations disable a protocol that is critical to their ability to connect computers to the network (DHCP). This is a misguided attempt to prevent “rogue” devices from connecting. In most organizations (including these specific clients), removing that protocol would have required a significant amount of effort, with little gain in security. If the recommendation had been followed blindly, without planning, it would have caused the network to fail.
As a fun exercise (or late April Fools’ prank), ask your IT staff what impact disabling DHCP right now, for “security purposes”, would have on the network. You’ll likely detect some amount of terror in their face. If they have a sense of humor, they may respond with something like: “You’ll be perfectly secure, because within a day, nothing will be able to connect to the network”.
Unrealistic recommendations extend past the technical realm. Many security testing vendors make recommendations that put too much responsibility in the hands of individual users. While users need to be aware of security policies and their importance, most do not have the technical background needed to confidently evaluate the safety of every single email they read, or website they visit.
Techniques for identifying phishing attempts and other attacks are covered in user training, but they are not foolproof. Not all hackers and scammers use poor grammar or obvious attempts to convince users to download malicious software. An end user cannot be expected to be both the first and last line of defense for an organization. Realistic and useful security practices and monitoring must acknowledge and account for the eventual compromise of individuals’ workstations.
Recommendations that are not actionable are essentially useless. After all, extreme recommendations—like “turn it off!”—will make most things secure, but not functional. Realistically, good cybersecurity measures will likely be an inconvenience, but they should not prevent you from operating. You may add steps to the process of logging in. You may have to task IT staff with finding alternatives to practices and software that are found to be insecure. You should never, however, get a recommendation from your security testing provider that prevents you from doing business. Availability is as important as the other basic tenets of security (Confidentiality and Integrity).
Bottom line: If it sounds like it’s not actionable, it may be time to get a second opinion from another vendor that has a more realistic approach.