Rule of Preventative Action (Proactive Security)


The Rule of Preventative Action is: Security can only be successful if it is accomplished through a proactive approach. This is another vital separator between those organizations that have had no major security issues and those that are continually plagued with hackers and "mysteriously" malfunctioning systems.

We, as humans, have a strong tendency to lean toward a reactive response in most situations. Often, we consider proactive measures to be quite time-consuming and distracting from our real work. Somehow, patching the roof seems like so much more work when it is not raining outside. Likewise, checking for new security patches seems quite wasteful until our critical email server is compromised through a well-known exploit.

It is important to recognize that resistance to proactive measures comes from several sources, including users and management. In many organizations, adopting a proactive response to security is met with the following responses:

  • Management resists proactive measures since the results of a response cannot be easily seen or weighed. How can there be justification without any visible proof of effectiveness?

  • The user community tends to treat proactive measures with great skepticism, often considering them overcautious and too much of a burden. Why should they change their ways when there is no proof that it makes a difference?

The main social dilemma here is that placing added security controls where there appear to be no security issues is scrutinized, while the reactive response of kicking a hacker out of a network is considered a glorious triumph. To be a good security professional, and to overcome many obstacles of security, we must always be proactive, despite our human programming. Without taking proactive measures, an organization has little hope of remaining secure.

Practicing This Rule

To apply this rule and maintain the security of an infrastructure, proactive security measures must become the focus. In accordance with the virtues, security must be considered in every decision. Before an action is taken, security implications must be accounted for. It should be a daily routine for an organization to check for new vulnerabilities and exploits, apply patches, and otherwise participate in the security community. Here are some good practices to start with:

  • Keep aware of current security issues. Make a list of two or three good security maintenance sites and visit them on a scheduled basis to stay aware of new security vulnerabilities and measures. (Some suggested resources are included in Appendix A, Tips on Keeping Up-to-Date.)

  • Perform regular tests on security devices. Try to find security holes before a hacker does. Regularly run vulnerability scanners and other tools to search for vulnerabilities and weaknesses.

  • Don't stop with just the common issues. Practice making security a consideration in everything and find vulnerabilities before they happen.

  • Maintain a strong three-fold process policy:

    • Make a list of operating systems and critical applications and check for security patches regularly, at least twice a week. Apply every applicable security patch that can be safely applied (see the Rule of Change).

    • Update antivirus software every time a new definition is available.



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
EAN: 2147483647
Year: 2006
Pages: 119
Authors: Kevin Day
