The Virtue of Higher Focus


One major problem with how information security is handled today is that organizations are too focused on specific details. We apply a specific patch to deal with a specific problem and then wait a week for the next version of the same problem to hit again. In the world of information security, there are thousands of vulnerabilities exploitable by tens of thousands of attacks with virtually millions of possible permutations. Placing too much focus on the exact details of a specific vulnerability, a specific attack, or an isolated security issue will only serve to distract us from taking the proper actions and developing the proper solutions. In most cases, good security cannot be practiced if one focuses on details and loses sight of the bigger picture. Security is too dynamic, and requires higher methods of thinking.

It is important when practicing security to be aware of the underlying concepts concerning the methods of attack and defense, vulnerabilities, and countermeasures. The specific details, though interesting to study, often have minimal influence in how the situation should really be managed. The ultimate guiding light in our security practices must be to adhere to the Virtue of Higher Focus, to remain focused on the higher principles of information security, which are derived from a strong understanding of the subject matter. Following good higher principles, like those discussed here, is the only way an organization can adequately maintain security in all places, at all times, and in all situations. Details of vulnerabilities should be noted and discussed, but solutions should always be driven from a higher understanding and goals.

To clarify a bit, higher practices are security practices that guide us through the details of security issues by maintaining a focus on the bigger picture. The best security solutions can easily become confused and rendered ineffective if too much focus goes into the details. Good security practices can even seem like bad practices if the higher purpose is not obvious. If we were to look too closely at the individual details of any good security policy, we could always find little exceptions that seem like harmless violations or modifications. It is dangerously easy to lose track of the grander picture and open holes in our security when we allow our senses to be bombarded with millions of little details. This greatly amplifies the need to have standard written policies that are focused on the overall good and do not allow for exceptions unless through a formal change management process.

Avoiding Details with the Townsfolk

When my sister and I were growing up, we would always barrage our parents with the famous question "Why?" To this, we would often receive a quick reply of, "Because I said so." Sure, a few times it may have been just because our parents did not know the answer, but in general, it was because the answer was something that we would not have understood or easily accepted. If they had answered our initial "Why?" you know that we would have had another more persistent "Why?" to follow it. And so the story would go unless we were given what we wanted.

The same concept applies to security practices. As we venture forth and discuss concepts of security and higher practices with end-users, administrators, and managers, they will begin to question "Why?" Even the most educated people are, in a way, similar to children. When a person desires something and is focused on getting what he or she desires, policies and procedures simply become obstacles to overcome. If what someone wants violates a general security practice, an educated person can always find arguments and justifications to make it seem okay to make the exception. Or, if they cannot find the justifications needed, they will sometimes argue that the security practice itself was bad. For lack of a better word, we will call this "innocence": focusing on a specific goal, unaware of the larger picture. It is quite easy and very common to make bad security decisions in the face of such "innocence."

Since security decisions must be based on the core principles of information security, it stands to reason that no amount of "detail arguing" should change our stance. It will be all too easy to open up that little hole that allows for a hacker to penetrate our defenses. In general, it is best to avoid such arguments when possible and defer to a written policy. If a debate over a security control has sound enough reasoning, then it should warrant changing the written policy itself. As a rule, it is important to avoid making individual exceptions to security rules.

Higher Focus Security Measures

The Virtue of Higher Focus should be adopted when implementing security measures within an organization. No security professional, tool, or policy could possibly account for millions of variations of attacks without adopting a higher focus. A properly configured firewall, for example, is only useful because it does not try to understand and defend against all forms of attacks. It is effective because it allows a handful of screened activities to take place, and then denies everything else. This "denies everything else" feature is how the firewall transcends the millions of possible attacks through the Rule of Least Privilege (discussed in the next chapter). Such higher focus should be included in as many implementations as possible within an organization.
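As an added illustration (not code from the book), here is the firewall contrast from the paragraph above written as two small rule sets and evaluated with first-match semantics, the way most packet filters work; the services, ports and sample connections are constructed for the example.

```python
# Added example, not from the book: the same traffic checked against a
# "block what we know" rule set and a "permit a few, deny the rest" rule set.
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Conn:
    proto: str      # "tcp" or "udp"
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    proto: str      # protocol name or ANY
    port: object    # port number or ANY

    def matches(self, c: Conn) -> bool:
        return self.proto in (ANY, c.proto) and self.port in (ANY, c.dst_port)

def decide(rules, c: Conn) -> str:
    """Return the action of the first matching rule; the last rule must be a catch-all."""
    for r in rules:
        if r.matches(c):
            return r.action
    raise ValueError("rule set has no catch-all rule")

# Detail-driven rule set: deny the attacks we have heard of, allow everything else.
BLOCK_KNOWN_BAD = [
    Rule("deny", "tcp", 23),     # telnet
    Rule("deny", "tcp", 445),    # SMB
    Rule("deny", "udp", 161),    # SNMP
    Rule("allow", ANY, ANY),     # anything not listed gets through
]

# Higher-focus rule set: allow the handful of screened services, deny everything else.
DEFAULT_DENY = [
    Rule("allow", "tcp", 443),   # HTTPS to the web server
    Rule("allow", "tcp", 25),    # SMTP to the mail relay
    Rule("allow", "udp", 53),    # DNS
    Rule("deny", ANY, ANY),      # the "denies everything else" rule
]

# Constructed traffic: two expected services, one known-bad port, and one port
# that nobody thought about when the block list was written.
TRAFFIC = [Conn("tcp", 443), Conn("udp", 53), Conn("tcp", 23), Conn("tcp", 6667)]

def leaked(rules, traffic, screened=frozenset({443, 25, 53})):
    """Connections allowed even though they are not one of the screened services."""
    return [c for c in traffic if decide(rules, c) == "allow" and c.dst_port not in screened]
```

Running `leaked(BLOCK_KNOWN_BAD, TRAFFIC)` returns the unanticipated port 6667 connection, while `leaked(DEFAULT_DENY, TRAFFIC)` returns nothing: the second rule set never had to know about that port.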

Consider a basic automobile alarm system. There are hundreds of ways a thief can break into a car, including breaking the window, jimmying the door, cutting a hole in the roof, etc. The average car alarm, however, transcends such details by implementing higher focus mechanisms. Some, for example, say that if the door is unlocked without using a key, sound the alarm. The creators know that most thieves will end up opening the door while attempting to break in, thus this single rule helps transcend the details. One notch up, the motion alarm theory states that all of these actions cause the car to move. Thus, the motion alarm adopts a higher focus to protect the car from even more forms of attack.

Practicing This Virtue

Maintaining a higher view of security is one of the key elements in maintaining a strong security mind. The virtues and rules have been specifically designed so that higher practices can be used when handling the specific details of security. Here are some suggestions for maintaining a higher focus concerning security:

  • Learn and share the concepts behind the virtues and rules of security. These concepts provide the foundation for almost everything we do in the world of information security. When we are able to view any situation through these concepts, we can then apply good security practices.

  • Think in terms of the bigger picture. Avoid becoming too focused on details. Most security decisions and practices are best made when they do not focus on the individual events at hand, but on the underlying issues to which they are related. When combating the latest worm, of course we will need to apply the immediate patch to stop it from spreading. It is necessary, however, to think beyond the immediate patch and apply security to fix the underlying issue, thereby avoiding similar worms in the future.

  • Follow the practices of higher security (presented later). These practices will help you think of security issues and deal with them in a more universal manner. Such practices greatly enhance the ability to be proactively secure.

  • Follow the concept of the written practice (presented later). Put high-level security practices in a written security policy. Refer to this document for any security decision that is getting clouded with too many details and arguments. When needed, find a good political way to point to the policy and say, "Because there are strong underlying reasons enforced by our policy. Before we can do this, we must first be willing to change the policy itself."



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day
