Rule of the Three-Fold Process

Security is an exciting field to work in and many organizations have employees eagerly lined up to volunteer for their new security initiatives. The tendency, however, is to rush to market to purchase the next great firewall and a host of other security devices and then spend a month getting the devices to work, tweaking them, tuning them, playing around, and then sitting back and enjoying the security of these new-found toys. Unfortunately, it is easy to get over-excited only about the implementation of security, after which the magic tends to die. Think back and try to recall the last time you heard someone say, "I just can't wait until we get to apply a new signature and perform administrative tasks on our IDS."

Table 4.3. Basic scoring system for Isolating Services

Consideration                                                                                          | 0 Points  | 1 Point         | 2 Points     | 3 Points
-------------------------------------------------------------------------------------------------------|-----------|-----------------|--------------|----------
What would be the cost if this service stopped running?                                                | No cost   | Low cost        | Medium cost  | High cost
What would be the cost if the data related to this service was compromised or corrupted?               | No cost   | Low cost        | Medium cost  | High cost
What would be the cost of isolating this service?                                                      | High cost | Medium cost     | Low cost     | No cost
How complicated is the application running this service?                                               | Simple    | Complex/Unknown | Very complex | -
Was this service developed to work with the other services in question?                                | Yes       | -               | No           | -
How many vulnerabilities have been discovered for this service, or how many patches were released in the past year? | 0 | >1     | >3           | >5
Total Score                                                                                            |           |                 |              |

Results:

A score of 0 to 4: May indicate a situation where it can be shared with other services of an equal score.

A score of 5 or more: May indicate a situation where isolating the service from others is best.
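The scoring system in Table 4.3 is easy to apply inconsistently by hand, because the isolation-cost row is scored in the opposite direction from the others and several cells are not available ("-"). The following is an added example, not code from the book, that encodes the table's scales and thresholds and rejects answers the table does not offer. The argument names and the handling of a vulnerability count of exactly 1 (the table lists 0 and ">1", so this treats 1 as 0 points) are this example's own assumptions.

```python
"""Added example (not from the book): compute the Table 4.3 isolation score.

The point values per consideration are taken from the table. Note that the
isolation-cost row is inverted (a high cost to isolate scores 0 points) and
that some rows have no option at certain point values ('-' in the table).
"""

# Allowed answers per consideration, mapped to the points the table assigns.
# A '-' cell in the table means that point value cannot be chosen for the row.
SCALES = {
    "outage_cost":       {"no": 0, "low": 1, "medium": 2, "high": 3},
    "data_loss_cost":    {"no": 0, "low": 1, "medium": 2, "high": 3},
    "isolation_cost":    {"high": 0, "medium": 1, "low": 2, "no": 3},  # inverted scale
    "complexity":        {"simple": 0, "complex": 1, "unknown": 1, "very complex": 2},
    "designed_together": {"yes": 0, "no": 2},  # the table offers no 1- or 3-point answer
}

ISOLATE_AT = 5  # "A score of 5 or more ... isolating the service from others is best"


def vuln_points(count: int) -> int:
    """Map a yearly vulnerability/patch count onto the table's 0 / >1 / >3 / >5 bands.

    The table does not say how a count of exactly 1 scores; this example treats
    it as 0 points (an assumption, not the book's).
    """
    if count < 0:
        raise ValueError("count must be non-negative")
    if count > 5:
        return 3
    if count > 3:
        return 2
    if count > 1:
        return 1
    return 0


def isolation_score(outage_cost: str, data_loss_cost: str, isolation_cost: str,
                    complexity: str, designed_together: str,
                    vulns_last_year: int) -> dict:
    """Score one service against Table 4.3 and return the breakdown, total and result."""
    answers = {
        "outage_cost": outage_cost,
        "data_loss_cost": data_loss_cost,
        "isolation_cost": isolation_cost,
        "complexity": complexity,
        "designed_together": designed_together,
    }
    breakdown = {}
    for name, answer in answers.items():
        scale = SCALES[name]
        key = answer.strip().lower()
        if key not in scale:
            # Refuse answers the table does not offer rather than guessing a value.
            raise ValueError(f"{name}: {answer!r} is not an option (allowed: {sorted(scale)})")
        breakdown[name] = scale[key]
    breakdown["vulns_last_year"] = vuln_points(vulns_last_year)

    total = sum(breakdown.values())
    if total >= ISOLATE_AT:
        recommendation = "isolate this service from the others"
    else:
        recommendation = "may be shared with other services of an equal score"
    return {"breakdown": breakdown, "total": total, "recommendation": recommendation}


if __name__ == "__main__":
    # Two constructed services: a critical, buggy one and a trivial, stable one.
    for label, args in [
        ("payments-api", ("high", "high", "low", "simple", "no", 7)),
        ("intranet-wiki", ("no", "low", "high", "simple", "yes", 1)),
    ]:
        result = isolation_score(*args)
        print(f"{label}: total={result['total']} -> {result['recommendation']}")
        print("   ", result["breakdown"])
```

Because the function raises on any answer outside the table, a scoring spreadsheet or form built on it cannot silently award a point value the table marks as unavailable; the two services in the demo land on opposite sides of the 5-point threshold.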

It is vital for every organization to understand that security does not stop with implementation. Thousands of security systems around the world are compromised because the process stopped after implementation. According to the Rule of the Three-Fold Process, all security measures must be thought of as a three-fold process, including implementation, monitoring, and maintenance:

  • Implementation: The first task is that of design and implementation. This is where we perform our analysis, design a solution, purchase the tools, build it, test it, and cut it over to production. By far, the majority of security consultants and security staff I have interviewed for projects think only to this point and no further.

  • Monitoring: This second task of security is just as important as implementation. There is no such thing as fully automated security; all countermeasures require some human intervention. An implemented security device is like a locked room; you may have been sold a big door and a loud alarm, but when the alarm goes off and no one is there to hear it, does it make a sound? No.

    Monitoring is a key to success in all security solutions. Almost all security devices, firewalls, IDSs, authentication engines, and OS lockdown tools have two jobs to do: they stop patterns they have been programmed to recognize and they report activities that may be of interest. Since a security device can only be programmed with so many automated patterns to watch for, it is vital that a human with active intelligence be present and alert to catch all the things a simple logic firewall cannot. Security requires thinking, not just computing.

    It is far too often that I walk into a client to perform an audit and find that they have absolutely no logging enabled on their security devices. I have seen numerous clients with passive IDSs (the only purpose of these systems is to log suspicious activity), and yet there is no one assigned to review the logs or monitor the activities. It is not difficult to understand that such systems are literally expensive paperweights, serving no purpose but to take up space. Such systems are usually sold directly by vendors who claim, "It is easy to use and practically runs itself." Just remember that your car runs itself, but someone still has to be there to drive it!

  • Maintenance: Any security device left without updates for an extended period of time will, on average, fail to recognize or catch new attacks, and will itself become vulnerable. "Code Red," for example, infested many firewalls and security devices that had unpatched Web services enabled. It is important to understand that security is only good on its own for a very short period of time. Plan that with any implementation, you will need to spend a small amount of time each week maintaining the systems. You will need to do this throughout the entire lifetime of any device.

Ever wonder in amazement why you buy a cool new security tool for $5,000, only to find out that the maintenance to support it is $5,001 every year? Yes, it's a crime, I know. But just like buying a car, it is important to be careful of the hidden costs. Vendors know that a security product without updates will be useless in a year. Be sure to subscribe to maintenance and consider these costs up front.

Practicing This Rule

This rule ties in directly with the virtue of daily consideration. From the moment we secure anything within our environment, we could start a timer, and every second after, the object will become less and less secure. Thus, it is vital to make the Rule of the Three-Fold Process part of our daily lives for every technology we work with. Here are some guidelines:

  • Consider the Rule of the Three-Fold Process from the beginning: Before any implementation occurs, take into consideration the requirements for monitoring and maintaining the devices. Budget this into the price up-front and be sure to reserve resources for these processes. Consider contracts for updates to your security devices as a "must," and include the cost before making any purchasing decision. This is especially true for firewalls, IDSs, virus scanners, and host-based security mechanisms.

  • Be sure logging and maintenance controls are understood: If your security devices are installed by consultants or other parties, make sure you fully understand the system and how to monitor and maintain it before they leave the premises.

  • Keep up-to-date: Make it a point to check for updates often and review the log files at least once a day. Always remember that any device left unmonitored and any device that is not properly maintained will eventually be compromised. Include status reports for all security devices and applications in your regular meetings. Status reports should point out new updates and new vulnerabilities, as well as suspicious log entries.
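The monitoring and maintenance halves of the rule, and the daily log review and status report the guidelines above call for, can be reduced to a small routine check. The following is an added example, not code from the book: it reads syslog-style lines from the devices in a small inventory, flags any device that has gone silent for a day (the "expensive paperweight" case, where logging is off or the collector is broken), flags devices whose signature or patch updates are older than a month, and pulls out the entries worth raising in a status meeting. The inventory, the log lines, the addresses (documentation ranges) and the message formats are all constructed for the demo; real firewall and IDS log formats differ and the parser would be adapted to them.

```python
"""Added example (not from the book): a minimal daily review of security-device logs.

Everything below (inventory, log lines, timestamps, message formats) is
constructed for the demonstration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed inventory: every device we expect to hear from, and when its
# signatures/patches were last updated (monitoring and maintenance together).
INVENTORY = {
    "fw-edge":  {"kind": "firewall", "last_update": "2024-03-01"},
    "ids-dmz":  {"kind": "ids",      "last_update": "2024-01-15"},
    "ids-core": {"kind": "ids",      "last_update": "2024-03-10"},
}

# Constructed log lines in a syslog-like shape: "<ISO time> <host> <message>".
# ids-core has not logged anything since 2024-03-10, so it should be flagged.
SAMPLE_LOGS = """\
2024-03-12T08:15:02 fw-edge DENY TCP 203.0.113.7:51234 -> 192.0.2.10:22
2024-03-12T08:15:03 fw-edge DENY TCP 203.0.113.7:51235 -> 192.0.2.10:22
2024-03-12T08:15:04 fw-edge DENY TCP 203.0.113.7:51236 -> 192.0.2.10:22
2024-03-12T08:15:05 fw-edge DENY TCP 203.0.113.7:51237 -> 192.0.2.10:22
2024-03-12T08:15:06 fw-edge DENY TCP 203.0.113.7:51238 -> 192.0.2.10:22
2024-03-12T09:02:11 fw-edge ALLOW TCP 198.51.100.4:40000 -> 192.0.2.20:443
2024-03-12T09:40:27 ids-dmz ALERT sid=1000001 msg="Suspicious URI pattern" src=198.51.100.9
2024-03-10T22:01:00 ids-core HEARTBEAT sensor up
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_logs(text: str) -> list:
    """Parse lines into (timestamp, host, message); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.groups()
        events.append((datetime.fromisoformat(ts), host, msg))
    return events


def daily_review(events: list, inventory: dict, now: datetime,
                 silent_after: timedelta = timedelta(hours=24),
                 stale_after: timedelta = timedelta(days=30),
                 deny_threshold: int = 5) -> dict:
    """Build the findings for a daily status report; 'now' is passed in for determinism."""
    findings = defaultdict(list)
    last_seen = {}
    deny_sources = Counter()

    for ts, host, msg in events:
        if ts > now:
            continue  # ignore clock skew into the future
        last_seen[host] = max(last_seen.get(host, ts), ts)
        if ts < now - silent_after:
            continue  # only the last day's entries feed the report below
        if msg.startswith("ALERT"):
            findings["alerts"].append(f"{host}: {msg}")
        elif msg.startswith("DENY"):
            src = msg.split()[2].rsplit(":", 1)[0]  # strip the source port
            deny_sources[(host, src)] += 1

    for (host, src), n in deny_sources.items():
        if n >= deny_threshold:
            findings["repeated_denies"].append(f"{host}: {n} denies from {src}")

    for host, meta in inventory.items():
        seen = last_seen.get(host)
        if seen is None or now - seen > silent_after:
            # A device that says nothing is either switched off, not logging,
            # or not reaching the collector; all three need a human to look.
            findings["silent_devices"].append(host)
        if now - datetime.fromisoformat(meta["last_update"]) > stale_after:
            findings["stale_updates"].append(f"{host}: last update {meta['last_update']}")

    unknown = sorted(set(last_seen) - set(inventory))
    if unknown:
        findings["unknown_sources"] = unknown  # logging devices nobody inventoried
    return dict(findings)


def run_demo(now_iso: str = "2024-03-12T18:00:00") -> dict:
    """Run the review over the constructed data at a fixed 'now'."""
    return daily_review(parse_logs(SAMPLE_LOGS), INVENTORY, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(f"== {section} ==")
        for item in items:
            print("  ", item)
```

Run on the constructed data, the report lists ids-core as silent, ids-dmz as overdue for updates, the burst of denies against port 22 from one source, and the single IDS alert; everything else in the day's logs stays out of the meeting. The thresholds (24 hours of silence, 30 days without updates, five denies from one source) are parameters, because the right values depend on how chatty each device normally is.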


Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day