Chapter 3. The Four Virtues of Security
Introduction to the Virtues
Despite what seems to be the popular opinion, security does not have to be a giant burden on the finances or resources of an organization, nor does it have to torment the lives of those charged with maintaining good security practices. Most of what is considered to be "troublesome" in the area of information security can actually be handled by following the simple practices outlined in this book. The simple tricks to security are to be intelligent, thorough, and consistent while maintaining the proper focus. This is not terribly difficult to accomplish, but it does require a new way of thinking about things.
Focusing on the Virtues
Good security is all about proper focus. An incredible amount of money and energy is spent every day implementing individual security measures without ever considering how such measures fit into the overall security profile of an organization. It is imperative that organizations not fall into the trap of focusing on the flashing lights and shiny covers of the newest and most highly advertised security products. We must focus on the concepts that go beyond the technology.
Security in most environments, even large ones, can be successfully implemented and managed when the following guidelines are adopted. I call these guidelines the four virtues of security. To ensure the immediate and long-term security of an organization, the four virtues must be included in every aspect of an organization's IT practices.
The four essential virtues of information security are:
At first glance, these four virtues may seem simple and obvious, and at the risk of dispelling any great mystique surrounding this book, I will certainly agree; they are simple. There are enough complicated aspects of security to deal with later, but the virtues constitute the core foundation of all good security practices and must remain simple for us and our communities to contemplate, understand, and exercise. Be careful, though. This level of simplicity should not fool anyone into assuming that an environment is already in line with these ideas, or that these virtues are so simple that you can simply skip ahead to the more technical stuff. The virtues are an essential aspect of any good security practice and they have been included for a very important reason. Now, let's explore these concepts as they relate to the security mind.
The Virtue of Daily Consideration
Making security a daily consideration solves the vast majority of security issues an organization will face. All the talent and whiz-bang technical gadgets in the world will be of little use if they are not used in conjunction with this primary virtue. As we continue through this book, I will delve into several vital concepts for building and maintaining a secure environment. These concepts will prove to be of great value, but only if they are remembered, considered, and practiced on a daily basis.
Within the Virtue of Daily Consideration is the chance for organizations to break away from the fatal patterns that are so easy to fall into. Many organizations avoid addressing security issues because they consider security to be impossible to maintain, requiring an unending cash flow while sucking up valuable time and resources. This negative image of security, however, has only been manifested through numerous organizations that have embraced a "reactive philosophy of security." We can ensure that an organization does not fall into such a trap by promoting a proactive security posture that solves the most common security issues automatically and without effort.
The Seven Steps of Doom
In my experience as a security consultant, the organizations with the most security issues are those that have not followed this virtue. Most of them are locked in a circular bind that drains money and resources while producing no results. Look at almost any company that has sunk large budgets into its security and yet is still vulnerable to attack, and this pattern will appear:
This four-step cycle is then followed by a three-step cycle:
How simple it all seems, and how simple it all really is. This fatal seven-step process that organizations tend to manifest creates an unending cycle of lost time, lost money, and lost sleep. This is the origin of phrases like the following: "Security is too expensive" and "Security is unachievable." This is a pattern that must be avoided at all costs. Lucky for us, we can easily avoid this vicious circle by simply adopting the proper focus and giving security its daily consideration.
The Three Steps to Success
If we do anything in security—if we could have only one goal to set for our organization that will have the most profound impact—we must simply break away from the seven-step cycle. Avoiding this infinite trap can be accomplished by slightly modifying the first three steps:
In other words, we can avoid the vast majority of security issues that plague the average organization by making security a daily consideration. Understand that this simple three-step process will take a relatively small amount of time and could prevent most of the attacks that have affected organizations all over the world. To practice these three steps, we simply need to train our minds to think about security at all times. We must maintain a security focus.
Considering Security in Everything
Most security issues are not normally visible or apparent until they are exploited. This is one of those things that keeps security professionals constantly on their toes. The most devastating security vulnerabilities are the ones that have no obvious relationship to security at all. When we place a new Internet connection into the network, everyone is jumping and screaming about the security issues. But when a new device is installed with a tunneling capability that bypasses all security, no one thinks twice. The deadliest vulnerabilities are those that don't raise a flag until an attack.
Today, security must be considered in everything and at every moment. Simple objects added to or removed from a network can serve to bypass all the security that has been put in place. Temporarily attaching a modem to a router can bypass hundreds of thousands of dollars of perimeter security devices. We must gain control of our environment by programming this primary security virtue into our minds and the minds of everyone around us.
Practicing This Virtue
The Virtue of Daily Consideration is our only hope of building and maintaining a secure environment. Throughout the rest of this book, I will continue to describe how to make security a daily consideration within an organization, and how to use and reuse simple concepts that will keep an environment safe. For now, here are some simple steps to make security a daily consideration: