Where Does It End?
In contemplating the question "So where does all this end?" there is good news and bad news. The bad news is that it never ends. We will always need to think about security. We will always need to update, modify, enhance, and grow our practices, technologies, and knowledge. We will always need to have a security staff, train our end-users, and be mindful of the evil, fang-toothed malefactors knocking at our doors.
The good news is that, if we do it right, effectively maintaining security from here until the end of time should be relatively easy and inexpensive. As has been proven time and again, companies that begin with and maintain good security practices can go hackerless for years without placing excessive resources into their security practices. Once the fundamental security concepts are known and practiced, security can be treated (for the most part) as a branch of the normal routine. As time goes on, as technology evolves, and as our ambitions and environments expand, we certainly will have to make updates, take classes, and read new books. We should never, however, need to overhaul our security infrastructure, or perform massive recovery because we were wiped out in a malicious attack.
Sunny Skies Ahead
Before we begin discussing the principles behind the security mind, it is important that we all agree on one major concept: It will never end. No matter how good our security is, it will always need to be maintained and improved. So the question is not, "When does it end?" but rather, "Where does the struggle end?"
Just as it is important to understand that security is an ongoing process, it is equally important to understand that maintaining good security practices does not have to be an ongoing struggle. No doubt about it, securing an organization can be difficult in the beginning. However, the horror stories we hear about companies spending endless amounts of time and effort and still getting hacked are almost all from the same source: companies that do not think with a security mind.
Don't get discouraged while reading the latest magazine article reporting that even the FBI is getting hacked. And don't let the employees, managers, or executives become pessimistic about adopting security practices. It is well within our capabilities to maintain a high level of security and go for long periods of time without being compromised. It is ultimately the organization's choice to struggle or not, to adopt good security practices or bad ones.
Chapter 2. A New Look at Information Security
Security as an Art Form
Security is a very different world than that of networking, systems, engineering, and other related technical fields. Let's consider a few of its differences:
Ever wonder why security systems and services seem to cost so much more than other services? Ever wonder why it's hard to find and retain good security engineers? Let's take a moment to explore and understand why this practice is so different and why it must be handled in a manner quite different from how we handle other technical issues.
The Youngest of the IT Practices
Information security, as a widely recognized practice, has only been known to the public for about a decade. Earlier than this, one of our first indications of how completely vulnerable our systems were came in 1988, when a little program (less than 100 lines of code) that we now refer to as the Morris Worm was released on the Internet. Taking advantage of simple security holes in specific UNIX platforms, the worm was successfully able to attack over 50,000 systems across the U.S., causing millions of dollars in damages. Here I use the term "successfully" very loosely because it is commonly believed it was not the intention of the worm's creator to do any harm at all. Regardless, it was considered the disaster of the time and it opened our eyes to the incredible insecurity of our systems, networks, and information.
Of course, this was not the first information security incident to occur, but it was certainly the one that caught the attention of the media and the world. Still, it was not until the mid-1990s that the average company considered information security as something of any value to them. And, it was still not until the late 1990s that the marketplace for information security began to explode with hundreds of organizations making new security gadgets and just about every consulting organization rushing to market their new security practices. Today, security is still very much in its youth, and as such, many of its concepts and theories have not stood the test of time nor become commonplace. Approaches to security still vary widely from organization to organization and from practitioner to practitioner. And, as if things were not difficult enough, there is still a lack of security expertise in the world.
Information security is just now reaching the stage where it has sprung legs and is making great leaps forward. All around the world, information security professionals, high-tech companies, and even some government agencies are racing forward in an attempt to keep one second ahead of the hacker community, dragging the security of the common company slowly in their wake.
Still, at any moment of any day, you can sit at your desk with a digital subscriber line (DSL) connection to the Internet and find vulnerable systems around the world within a matter of minutes or hours. Every day, new organizations are implementing one-time security measures without adopting good security practices and are left, unknowingly, with useless toys "protecting" their network. These are signs that security, though making incredible strides, has yet to truly mature beyond the boasting hype of eager vendors and hotshot consulting companies.
The Most Dynamic IT Practice
It can be easily argued that security is one of the most dynamic fields we have ever seen within IT. Several facts indicate that it will remain an extremely fast-paced and dynamic practice for the foreseeable future:
Looking at the extremely dynamic nature of information security tends to send many would-be security practitioners running for the hills. The dynamics of the industry dictate that we cannot simply follow the standard, conventional means that we use to deal with other technologies. An interesting fabrication has developed over the history of technology saying that, "The person who knows the most technical formulas and tricks is the better technologist." While this may be true in some fields, it has little relevance in the world of information security. To know every little trick is quite impossible since there can be hundreds of variations of the same attack, affecting any number of unknown vulnerabilities and every type of system in its own unique way. This makes it quite impossible to keep pace with the world of security by focusing strictly on the technical details. In fact, those individuals and organizations that choose to deal with security by focusing on the details and case-by-case issues most often make themselves quite miserable by creating unending workloads, resulting in a total lack of sleep and weekend time.
To properly assess and apply security in any environment, a global approach must be taken, transcending the millions of detailed security facts at hand. This, for many professionals and organizations, can be quite difficult to assimilate. Because it is impossible to stay secure when all eyes are on the firewall, the intrusion detection system (IDS), or the event viewer, people can be left with a very uncertain feeling about the safety of their information. To keep up with the dynamics of security, a practitioner must grow eyes in the back of his or her head and be able to think of the organization as a whole, not as a series of isolated vulnerabilities and fixes. Dealing with the dynamic nature of security is not for the faint of heart.
And About Those Humans
This may not be the most obvious of considerations, but it is one of the most powerful elements shaping the practice of security worldwide. In the history of IT, the focus has almost always been on human vs. machine. A programmer will sit in the corner and beat his or her head against the monitor for hours while trying to make the computer act in a new and improved way. A network engineer consoles into his or her router for days on end trying to change the way in which the traffic flows between devices. In both of these cases, it is a story of a human pitted against a machine in a battle of wits and determination, a classic struggle between the creative and the logical.
But the world of information security is dramatically different. Sure we have the computers and devices to contend with, but the true obstacle we are attempting to overcome is another living human being. It is no longer a battle of a human's creativity against a machine's predictable logic; it is now an unpredictable battle between two equally creative and dynamic forces: creativity vs. creativity! Where before the machine was the ultimate goal, here the machine functions as an extension to assist in the other creative processes taking place, much like a sword to a Samurai. This is one of the most defining differences between the art of practicing security and the art of nearly any other IT practice.