To the Artists
To the Peer Reviewers
Special Thanks to:
To the Artists
I would like to give a special "thank you" to the primary artist, Steve Chapman, for perfectly capturing the state of information security in cartoon form, and to the Chapman Family for lending him to me. I would also like to thank Joselhyt for all of her artwork and for the countless hours of editing torture required to get the knights in print.
To the Peer Reviewers
I want to thank those who gave their valuable time to review the book. Inside the Security Mind would not be what it is without the great comments provided by Ravi Sakaria, Vivek Shivananda, Warwick Ford, and Seth Leone.
Special Thanks to:
Ravi Sakaria and the AIKO Group for the great insight, ideas, and for the long hours
Grand Master Choa Kok Sui for his wisdom and inspiration
Glenn and Marilag Mendoza for their energy, guidance, and example
Cynthia de Leone for her vast experience
Mario Giudice, Seth Leone, Tim Fiedorowicz, Dave Shoenfelt, Aaron Stanley, Kevin Gillan, and Vivek Shivananda for all their ideas, innovations, and friendship
Mary Franz and Noreen Regina for all of their efforts and patience
George McCafferty for his distractions, distractions, and more distractions. "Great… moat digin'!"
Cyndi, Casey, and Jimmy for all their support
Michael and Sandra Day for making it all possible
And to my wife, Joselhyt for all of this and everything else.
Without these people, none of this would have been possible. Thank you!
Chapter 1. Introduction
The Security Mind
The time has come for a different way of thinking about information security. The continual challenges of dealing with endless hoards of malicious hackers, seas of vulnerabilities, and a seemingly limitless onslaught of exploits have quickly outdated our common point-and-click security methodologies that leave us just as exposed as yesterday. Security is not a one-dimensional process with a canned solution, but rather a relational process that requires us to adjust our everyday thinking and the thinking of those around us. If a security effort is to be successful and durable without draining vast resources from our organization, it has to be addressed not only in technology, but within the mind.
In this book, we are going to explore the essential principles of information security, which to date have been neglected throughout most of the information technology (IT) world. The methodologies contained within are the time-honored practices that the best security gurus from all ages have followed. This is not a book of new technologies, gadgets, or gismos, but rather a guide to the extremely important foundation of information security presented in a new, effective, and easy-to-comprehend way. The concepts and strategies contained within provide the core tools for you to become a security guru. Those who are already seasoned security practitioners will benefit from the unique and effective way in which these essential practices are presented.
You see, life is not as it once was. There was a time in the not-so-distant past when the only problem with technology was the technology itself. All we had to fear from our systems and networks was that a component would burn out, or that the power would not sustain the massive electrical needs of our precious systems. Technology was far too complex to be understood by most people, least of all end-users. Today, however, as our technologies have become stronger, more modular, easier to use, and more reliable, this is no longer the case. Having overcome many of the hurdles through the use of subtle and durable components, formulized development techniques, and simpler user interfaces, the world of IT has exploded in a remarkably short period of time. Yet this new modern age of information has spawned its own unique set of problems; problems that are gaining more and more public recognition every day as their disastrous effects become more obvious and costly to us all.
As time progresses, we are slowly becoming aware of a battle that is taking place within the IT world. An amazing and infinitely complex mixture of tools, intelligence, emotion, and character wages war in a struggle for resources, power, pride, ego, and survival. An entire social structure exists hidden inside a long series of wires and energy waves that surround our planet. We are witness to a new type of battlefield that is composed of infinite dimensions, with attackers and defenders on the inside, outside, above, below, and spread out around the entire world. There are no easily distinguishable battlelines or territories. There are no rules of war or formal guidelines of conduct. Castles are being constructed, armies mobilized, and great sieges are talking place day and night, unregulated by conventions of modern warfare.
These battles are far larger and have far greater implications than most people imagine. They leave a wake of destruction that is quickly obscured by numerous factors. The amount of time, attention, and money spent hacking into and defending our technologies and data could probably fund several starving nations. And here we are, the readers and the writer, with our organizations, phone lines, employees, and Internet connections, right smack in the middle of one of the most interesting wars in recent history. Are we prepared?
We are all at risk. This statement is not meant to instill fear, but simply to properly represent the state of IT in our modern world. Security can no longer be a question. It can no longer be ignored, dismissed, or treated like a thorn in our side. At any given moment, an adequate amount of security is all that stands between our precious data and that wave of relentless and talented intruders striking out at our valuable resources. "Why would anyone hack us?" is no longer a defense, and, "Do we really need to secure ourselves?" is no longer a question. We are all targets. We are all vulnerable. We are all under attack, and without security, the only questions are where and when will we be struck, and just how badly will it hurt.
The Fundamental Flaw
Every hour of every day, IT security somewhere is being compromised. Every hour of every day, a company that believes itself to be secure is being hacked. A firewall is bypassed, a password is cracked, and a system is compromised. Despite the billions of dollars poured into the security industry over the years and the general increase in security awareness across the globe, most organizations are still losing their battles. Why?
There is a fundamental flaw with the approach that most organizations adopt when it comes to practicing information security. Our natural tendency is to treat information security like we do many of our other technical practices; throw a lot of money, a handful of technologies, and a lineup of gurus in for a few weeks and then wait for an ending whistle to blow and a nice pie chart to print out. Unfortunately, this is not the way security works.
Achieving Modern Security
Keeping an organization, its information, and its services secure is not simply a matter of money and technical know-how. Knowing how to configure a firewall and a UNIX Web server is NOT security. These, of course, are valuable activities to perform in the process of becoming secure, but they mean nothing if we do not first have the capacity to "think" in terms of security. To be secure, we must grasp the reasoning, philosophy, and logic that exist behind all successful security efforts. It is through this, and only through this, that security can be successfully practiced.
Security is an extremely unique field to study. It is composed of an infinite number of variables, any combination of which could make or break our networks, systems, devices, and organizations. Few technical practices can match the dynamic demands found in information security. This fact can often give one the impression that security is only achievable by experts in the field. We have all heard horror stories about companies with vast security budgets and capabilities that are compromised on a daily basis despite their efforts. Stories like these make us question not only our own security practices, but also whether or not security is even possible to achieve. Why should we go through all the pains of implementing security when even the giants cannot keep hackers from breaking down their front doors?
Security, despite its highly dynamic nature and a plethora of dramatic bad press, IS possible to achieve. It does not require an enormous amount of resources or headaches for an organization to become and remain secure. It is indeed possible to build a secure environment, whether starting from scratch or contending with legacy security issues. It simply requires that focus and attention be placed on the right areas at the correct time, and with the proper thoughts and actions to back them up.
Security should be thought of as an art; it cannot be accomplished through the old "tools and techies" model. An organization should not believe itself to be secure simply because it spends millions on security devices every year. The fact is that having an infinite budget and a large variety of security resources can often be more of a detriment than a benefit in many organizations. Organizations with vast resources at their command are very likely to try to solve security problems by implementing new security toys. I use the word "toy" because a security device, no matter how expensive or complex, is nothing more than a toy if it does not function within a greater security framework. Security cannot be handled exclusively through expensive equipment, as many of us have been led to believe. Security is not a technology; it is a thought process and a methodology. Security within our technologies is nothing until security is within our minds.
Security is achievable, and we can all become secure. Yes, it will require technical talent. Yes, it will require security tools. But to become secure, we must first understand security itself, the essential components that make it what it is, and then use this knowledge to put the proper tools and talents in place. This is how we can achieve security in the modern age of information.
What Is a Security Mind?
Unlike the mind that attempts to solve security issues by placing focus on a multitude of specific details, the security mind is a mind that focuses on what I call the fundamental virtues and rules of security. When someone attempts to focus on the dynamic details in each and every security issue, he or she will undoubtedly get lost in a never-ending pool of elements, making security impossible to achieve. When someone possesses a security mind, however, he or she looks beyond the dynamic elements in each situation and focuses on the virtues and rules, making security decisions that are clear, consistent, and effective. When you possess a security mind, your security solutions are less expensive, extremely effective, consistent, and have extended usefulness.
Security is dynamic by nature. This in turn makes the individual issues fairly complex and difficult to grasp in some situations. The virtues and rules, however, are a set of basic security principles, constant truths of security that stand at the border between good and bad decisions. Learning and practicing these rules can help us to easily and naturally develop an organization's security. This is the meaning of the security mind. This is what we will achieve through the course of this book.