Rule of Trust


A good security practitioner of the Rule of Trust is one who is a friend to everyone, but really trusts no one. Since saying we don't trust someone or something often has negative overtones, let's be more politically correct and simply say, "Anything can happen."

Sure, Mel has been a faithful employee for 20 years and helps to find orphaned kittens new homes during the winter holidays. This does not mean we should give him the combination to our safe, or let him enter the computer room without signing in with security. The fact is that anything can and will happen. Mel could suffer a breakdown and decide to erase all our customer data. Mel may also be harboring a secret grudge against the manager of Human Resources because the guy hates cats. The truth is, you just never know.

Concept

Understand the full effects before extending trust to anyone or anything, and extend only the trust that is required (the Rule of Least Privilege). "Trust" is an extremely strong word and can have drastic effects on an organization. In security, giving someone or something complete trust means putting a great deal of power in its hands. The moment someone is "trusted" without oversight, he or she can get away with almost anything: if no one is checking, the rules cannot be enforced. This is a very dangerous situation.

Security policies should be built around the idea of layered trust. To perform a job function, the company must have some level of trust in each employee. That level of trust, however, should differ based on the individual and the role. In keeping with the Rule of Least Privilege, no one should get access unless that person needs it and can handle it. Feelings of personal trust, friendliness, and lack of suspicion should never affect basic security practices. All individuals and groups should be treated equally according to the Rule of Least Privilege.

While performing security audits, I have noticed that the majority of my clients' employees suffer from an overwhelming sense of trust. Walk into a server room unannounced with a nice suit and most people will trust you and point you to the nearest network jack. Being secure means being suspicious and asking questions. A hacker rarely announces himself/herself or presents a hacker business card. Don't be unfriendly or make any enemies, but at the same time, don't let anyone go unchecked.

We need to be especially careful when trusting our partners, vendors, and any other entity that operates systems, networks, and physical areas outside of our immediate control. Sure, it may be a giant company with great security, but unless we control who touches their systems, and unless we are in direct control of hiring and firing their personnel, we really don't know who we are dealing with. Their best employee could let his/her son use a workstation to do homework and, next thing we know, all the e-commerce servers are hosting the latest version of Quake.

Practicing This Rule

To practice this rule within your organization, simply remember that anyone can be the enemy, even you. This is not intended to incite paranoia, but honestly, the best hackers do not dress in torn-up jeans and wear anti-government slogans on their pizza-stained t-shirts. Humans are very complicated beings with very complex minds; knowing everyone's motives and how they would react in any situation is beyond our capabilities. So always remember:

  • Trust nothing outside of your immediate control. Anything that is not in the immediate control of the organization, its policies, and its security mechanisms should be treated with a lesser degree of trust. This includes large vendors, partners, consulting organizations, etc.

  • Look at all the angles before extending trust. Before extending trust to anyone or anything, first consider everything to which it has already extended trust. Trust is transitive whether you intend it or not: if you trust Company A, and they trust Company B, you are essentially trusting both A and B! (I will discuss this in the section on Understanding Relational Security in the next chapter.)

  • Make policies apply beyond all levels of trust. To be effective, security policies must apply to everyone, even the people who write them. Trusted individuals and entities should not be allowed to break policy.

  • Maintain an accurate perception. When a rule is broken and it is not known who broke it, do not eliminate any possibility on the basis of trust.
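The transitive-trust point above ("if you trust A, and A trusts B, you are trusting B too") and the "outside your immediate control" point are easy to state and easy to lose track of once there are more than two parties. The following is an added example, not code from the book or from any product, that walks a constructed trust graph and reports every entity an organization ends up trusting, how that trust was inherited, and whether the entity is under the organization's direct control. The entity names, the edges in TRUST_EDGES, and the DIRECT_CONTROL set are all assumptions made up for the illustration.

```python
from collections import deque

# Constructed example trust graph (an assumption, not from the book):
# each key trusts every entity listed in its value.
TRUST_EDGES = {
    "OurOrg": ["CompanyA", "VendorX"],
    "CompanyA": ["CompanyB"],
    "CompanyB": ["ContractorC"],
    "VendorX": ["VendorX-Offshore"],
    # ContractorC trusting CompanyA creates a cycle; the walk must not loop.
    "ContractorC": ["CompanyA"],
}

# Entities whose systems and policies we directly control (assumed).
DIRECT_CONTROL = {"OurOrg"}


def effective_trust(edges, root):
    """Return {entity: path} for every entity transitively trusted from root.

    Breadth-first search over the trust graph. The path records the shortest
    chain of trust decisions that brings each entity in. Visited entities are
    tracked in `paths`, so cycles in the graph terminate.
    """
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for trusted in edges.get(current, []):
            if trusted not in paths:
                paths[trusted] = paths[current] + [trusted]
                queue.append(trusted)
    return paths


def audit_trust(edges, root, direct_control):
    """Classify each transitively trusted entity for review.

    kind: "direct" if root explicitly chose to trust the entity,
          "inherited" if it is trusted only because something we trust trusts it.
    via:  the intermediaries through which the trust was inherited.
    uncontrolled: True when the entity is outside our direct control and so
          deserves the lesser degree of trust the rule calls for.
    """
    report = {}
    for entity, path in effective_trust(edges, root).items():
        if entity == root:
            continue
        report[entity] = {
            "kind": "direct" if len(path) == 2 else "inherited",
            "via": path[1:-1],
            "uncontrolled": entity not in direct_control,
        }
    return report


if __name__ == "__main__":
    for entity, info in sorted(audit_trust(TRUST_EDGES, "OurOrg", DIRECT_CONTROL).items()):
        chain = " -> ".join(info["via"]) or "(explicit decision)"
        print(f"{entity:18} {info['kind']:9} via {chain:22} uncontrolled={info['uncontrolled']}")
```

Running it lists ContractorC and VendorX-Offshore as trusted entities even though no one at OurOrg ever made a decision about them; those inherited entries are the ones to take through the seven considerations below before the trust is allowed to stand.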

Seven Key Considerations Before Extending Trust to Any Object or Entity
  1. Is this object within your direct control?

  2. Is this object required to conform to your security policies?

  3. Is the security of this object properly maintained and monitored?

  4. Is your organization allowed to monitor and review the object's logs?

  5. Is your organization allowed to perform a vulnerability test on the object and its environment?

  6. Does this object have a history of security issues or failures?

  7. How many other entities have access to this object?


Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day