The next few pages will guide us through a process that will greatly simplify and enhance our security decisions. Having studied the techniques and theories discussed so far in this book, we will now put them to practical use through the following steps:
Identify the Components
When a decision needs to be made, we must first discover and isolate the various components involved. Doing so will help to ensure that multiple aspects of security are considered. Almost every situation we face consists of several important components bound in some form of relationship. A decision about a router affects all its related WAN connections; a decision about a room affects all the equipment in the room; and a decision about a server affects the software, processes, and users of that server. To see all these components and understand their relationships, it is helpful to write them down in a list such as that shown in Table 6.1:
Identify the Risks and Threats
Each component considered will have some level of risk and some related threats. Just about everything can have a risk or threat associated with it, but the goal is to identify those that have some significance to the organization. We need to consider each component individually and think of it in relation to the risks and threats involved. We will consider both the risks introduced by a component and the risks the environment poses to that component, as illustrated in Table 6.2.
Filter Through the Rules
Once we have identified the different components and their risks and threats, we need to consider what each rule says about the matter. Would the decision violate one of the fundamental rules? Can we come up with a solution that is effective and follows all the rules? Below I have listed each rule and a series of sample questions to consider for each security situation.
The Rule of Least Privilege
We should be sure that our decision is made in such a way as to limit all parties and devices to the exact amount of access that is required and nothing more.
With the Rule of Least Privilege, it is important to consider access in both directions. Going with the WAN link example, we may consider each question in reverse: Are we allowing only those that require access to access the WAN link? Are we allowing access from entities on the WAN link only to areas that are required?
The Rule of Change
We should ensure that any changes being made are clear, well thought out, and have been coordinated with all affected parties. There should be a formal change process in most security considerations. Some important questions to think about are:
The Rule of Trust
Most situations will involve some form of trust. Different subjects warrant different levels of trust that may affect our security decisions. Here are some good considerations to keep in mind:
The Rule of the Weakest Link
In comparison with other security measures, we must always be looking for the weakest link in any new endeavor. Any addition or modification to an environment has the potential of introducing a new vulnerability, risk, or threat. New decisions should reflect the Rule of the Weakest Link and be as secure or more secure than other similar decisions.
The Rule of Separation
Following the Rule of Separation, we should look at the issue and determine whether or not we are combining objects or subjects that are better off remaining separate. If our decision has to do with enabling a service, installing a new application, or granting privileges, we should make sure we reflect back on the Rule of Separation to check for inherent weaknesses.
The Rule of the Three-Fold Process
Every decision should be thought of in terms of the Rule of the Three-Fold Process. Before implementation has begun, consideration should be given to the tasks that will take place after the project is completed.
The Rule of Preventative Action
When relevant, security decisions should focus not only on the specific problem at hand, but also on the source of the security issue. When solving a problem, look beyond the specific instance and contemplate solutions that will help to solve similar situations as well.
The Rule of Immediate and Proper Response
Security decisions that are made in reaction to issues, or that relate to the planning of a reaction, should follow the Rule of Immediate and Proper Response.
Considering Zones
As we look at a security issue, we must make sure that we create solutions that fall in line with the zoning principles. Most security decisions involve access to some resource by some application, system, or party. Using the Rule of Least Privilege, we must identify exactly what access is required, and using zones, we must isolate the access to protect the resource and other resources. Thinking in zones is, however, a very dynamic process. Having read about zoning in Chapter 5, Developing a Higher Security Mind, and understanding each exposure concept, we should be well-equipped to apply it in many different situations. Here we will walk through a few of the most common concepts:
Layering Security
Any decision made should be thought of in terms of layers. What if a device fails? What if an attack is successful? What will we do then? It is always good to assume that an individual security measure will fail and make sure that other security measures are in place. It is also wise to assume that blending different forms of security will provide a much tighter defense than a single security layer.
Considering the Overall Level of Security
Finally, when considering any decision, we must be aware of the security of the surrounding environment, as well as the ultimate security goal of the organization. In accordance with the Rule of the Weakest Link, it will do us little good to make any one item secure when everything around that item is left completely vulnerable. We should avoid focusing so narrowly on the security decision at hand that we lose sight of how it fits with the rest of our security. We should not build a fortress of one system, when the remaining systems are left open, unless this system is of much higher risk or we are planning to build all other systems up to this level as well.
The Policy Test
A good test of a decision is to think of its outcome in terms of a policy. Would we be comfortable documenting this decision and requiring that the same decision be followed over and over again? Every good security decision should be directly in line with the overall security goals of the organization. We should feel comfortable adding it to our policies and procedures, even if we choose not to. It is important that all security decisions are consistent with previous and future decisions, and we should avoid making too many variations or introducing a weak link. If we are not comfortable making this decision into a permanent policy, we should question the quality of the decision itself.