Chapter 3. The Four Virtues of Security


Introduction to the Virtues

Despite what seems to be the popular opinion, security does not have to be a giant burden on the finances or resources of an organization, nor does it have to torment the lives of those charged with maintaining good security practices. Most of what is considered to be "troublesome" in the area of information security can actually be handled by following the simple practices outlined in this book. The simple tricks to security are to be intelligent, thorough, and consistent while maintaining the proper focus. This is not terribly difficult to accomplish, but it does require a new way of thinking about things.

Focusing on the Virtues

Good security is all about proper focus. An incredible amount of money and energy is spent every day implementing individual security measures without ever considering how such measures fit into the overall security profile of an organization. It is imperative that organizations not fall into the trap of focusing on the flashing lights and shiny covers of the newest and most highly advertised security products. We must focus on the concepts that go beyond the technology.

Security in most environments, even large ones, can be successfully implemented and managed when the following guidelines are adopted. I call these guidelines the four virtues of security. To ensure the immediate and long-term security of an organization, the four virtues must be included in every aspect of an organization's IT practices.


The four essential virtues of information security are:

  • Virtue I: Daily Consideration— Security MUST be a daily consideration in every area.

  • Virtue II: Community Effort— Security MUST be a community effort.

  • Virtue III: Higher Focus— Security practices MUST maintain a generalized focus.

  • Virtue IV: Education— Security practices MUST include some measure of training for everyone.

At first glance, these four virtues may seem simple and obvious, and at the risk of dispelling any great mystique surrounding this book, I will certainly agree; they are simple. There are enough complicated aspects of security to deal with later, but the virtues constitute the core foundation of all good security practices and must remain simple for us and our communities to contemplate, understand, and exercise. Be careful, though. This level of simplicity should not fool anyone into assuming that an environment is already in line with these ideas, or that these virtues are so simple that you can simply skip ahead to the more technical stuff. The virtues are an essential aspect of any good security practice and they have been included for a very important reason. Now, let's explore these concepts as they relate to the security mind.

The Virtue of Daily Consideration


Making security a daily consideration solves the vast majority of security issues an organization will face. All the talent and whiz-bang technical gadgets in the world will be of little use if they are not used in conjunction with this primary virtue. As we continue through this book, I will delve into several vital concepts for building and maintaining a secure environment. These concepts will prove to be of great value, but only if they are remembered, considered, and practiced on a daily basis.

Within the Virtue of Daily Consideration is the chance for organizations to break away from the fatal patterns that are so easy to fall into. Many organizations avoid addressing security issues because they consider security to be impossible to maintain, requiring an unending cash flow while sucking up valuable time and resources. This negative image of security, however, has only been manifested through numerous organizations that have embraced a "reactive philosophy of security." We can ensure that an organization does not fall into such a trap by promoting a proactive security posture that solves the most common security issues automatically and without effort.

The Seven Steps of Doom

In my experience as a security consultant, the organizations with the most security issues are those that have not followed this virtue. Most of them are locked in a circular bind that drains money and resources while producing no results. Look at almost any company that has sunk large budgets into its security and yet is still vulnerable to attack, and this pattern will appear:

Step 1. Do something without thinking about security.

Step 2. Get hacked.

Step 3. Discover that what was done in Step 1 introduced a security flaw that allowed Step 2 to happen.

Step 4. Secure the organization against the specific attack in Step 2.

This four-step cycle is then followed by a three-step cycle:

Step 5. Wait.

Step 6. Get hacked again.

Step 7. Find out that while waiting in Step 5, another new hack was developed relating to what was done in Step 1.


How simple it all seems, and how simple it all really is. This fatal seven-step process that organizations tend to manifest creates an unending cycle of lost time, lost money, and lost sleep. This is the origin of phrases like the following: "Security is too expensive" and "Security is unachievable." This is a pattern that must be avoided at all costs. Lucky for us, we can easily avoid this vicious circle by simply adopting the proper focus and giving security its daily consideration.

The Three Steps to Success

If we do anything in security—if we could have only one goal to set for our organization that will have the most profound impact—we must simply break away from the seven-step cycle. Avoiding this infinite trap can be accomplished by slightly modifying the first three steps:

Step 1. Think about security.

Step 2. Do something (while still thinking about security).

Step 3. Continue to think about security.

In other words, we can avoid the vast majority of security issues that plague the average organization by making security a daily consideration. Understand that this simple three-step process will take a relatively small amount of time and could prevent most of the attacks that have affected organizations all over the world. To practice these three steps, we simply need to train our minds to think about security at all times. We must maintain a security focus.

Considering Security in Everything

Most security issues are not normally visible or apparent until they are exploited. This is one of those things that keeps security professionals constantly on their toes. The most devastating security vulnerabilities are the ones that have no obvious relationship to security at all. When we place a new Internet connection into the network, everyone is jumping and screaming about the security issues. But when a new device is installed with a tunneling capability that bypasses all security, no one thinks twice. The deadliest vulnerabilities are those that don't raise a flag until an attack.

Today, security must be considered in everything and at every moment. Simple objects added to or removed from a network can serve to bypass all the security that has been put in place. Temporarily attaching a modem to a router can bypass hundreds of thousands of dollars of perimeter security devices. We must gain control of our environment by programming this primary security virtue into our minds and the minds of everyone around us.

Practicing This Virtue

The Virtue of Daily Consideration is our only hope of building and maintaining a secure environment. Throughout the rest of this book, I will continue to describe how to make security a daily consideration within an organization, and how to use and reuse simple concepts that will keep an environment safe. For now, here are some simple steps to make security a daily consideration:

  • Make security a continual thought— As we move forward through this book, visualize each concept as it applies in your daily environment. Think of everything your organization does and make every technical decision with the concept of security in mind. Constantly ask the question, "Could this affect the security of my organization?"

  • Encourage others to be continually mindful of security— Spread the concept of security to the rest of the organization. Start including the word "security" in everything. Include security references on the intranet home page; have a security "thought of the day" in the weekly employee newsletter. You can even go so far as to tape little security reminder signs in places where people look. For security to be a daily consideration, the word must be at the tip of the brain at all times, even if it is simply to laugh at the little security sign that someone hangs in the restroom.

  • Formally include security in all new projects— Add a small addendum called "Security Considerations" to any new project, proposal, or service involving technology in the environment. Those people introducing the concept, as well as those considering it or reviewing it, should be required to discuss and document any potential security side effects. If there are absolutely no security impacts, these same individuals must document this fact to indicate that they have taken security into consideration.

  • Formally include security in all new implementations— Make it a requirement that, before any new equipment, application, service, or operating system is attached to devices and networks, it must first be approved by someone or go through some formal approval process. This approval process can be extremely fast and easy, but it must include a quick check on the Internet for security issues. You can read more on this in the Rule of Change section in the next chapter.