Thus far, we have been reviewing some basic information about the problems faced in the world of information security. The purpose of this book is not, however, to dwell on the problems of the world, but rather to help solve them. So now, let's store all this information in the back of our minds, breathe in some clean, fresh air, and get our hands dirty with what we came here for: solutions. How do we successfully implement and manage security? How do we work to overcome the failings of the commoner's security practices? It's time we begin to look at the security mind.
Yes, you too can be secure. It can be done, and indeed it has been done time and again. Some organizations with the smallest IT budget imaginable have maintained consistently strong security practices. There have been international giants who have managed to maintain a strong level of security across their many organizations with minimal effort, impact, and cost. Of course, there have also been a fair number of Fortune 500 companies with unlimited funding and resources for security that still could not keep a cow out of their building. So what's the trick? What is the difference between the organization that is secure and the organization that becomes a hacker's playground? How do some companies seem to maintain strong security practices with minimal resources while others spend millions on defenses with no effect? It's all about focus.
Yes, large budgets are nice to have, and the line of security experts at the office door asking for employment is great, but these things mean nothing if an organization does not first become security focused. It is similar to building a castle: We take a plot of land, erect some 50-foot stone walls, dig a huge moat, and pay people to sit in the towers with bows and arrows and shoot anything that swims. Having followed the manual "Securing the Castle, Step-by-Step," we are quite confident in our defensive capabilities. So, the following day, our king decides to celebrate with some games and a festival. He orders that unsightly moat to be covered up, the catapults to be filled with potted plants, and the walls to be lowered, providing easy access for the royal guests. When hiring the festival staff, he chooses to put that shady and questionable man who speaks in foreign languages and seems all too interested in where the treasure is hidden in charge of the front gate.
It is easy to see that the security problem with our kingdom has nothing to do with how high we built the walls, how deep we dug the moat, or how strong we made the gate. Our security nightmares have nothing to do with any of our new fortifications or the design of the castle. Our king simply did not maintain a security focus! And, like many organizations today, our king will not give security another thought until his enemies are washing their socks in the royal bathtub.
Following the Virtues and Rules
So what exactly should we focus on to protect ourselves from hackers? To have any hope of being secure, we must focus on a few basic underlying principles of security. Placing our focus on these principles keeps our security practices dynamic, thorough, and simple, and allows us to take a "complete" approach to addressing security issues. This brings us back to the virtues and rules of security.
When a consultant or employee is only able to grasp how to dissect and combat the newest security threat that appeared last week, that individual may be skilled, but the action is of little value in the bigger picture. If, however, someone is able to grasp the concepts, virtues, and rules of security, and prevent a threat before it is even conceived, that person has a security mind. That is the goal of this book: to develop a security mind and help prevent security issues before they are even conceived by attackers.
There are four underlying virtues of security. If observed and practiced, these virtues will provide the reader with incredible tools for understanding and practicing information security. Virtues are fairly broad in scope and should guide the security practices of everyone within the environment. In the countless instances where I have seen security fall and crumble against opposing forces, the failure can be traced back to one of these virtues that was not known or practiced. Upholding these virtues is essential to the development of a security mind and the ability to protect ourselves from attack.
The security rules are the fundamental security practices that must be considered when any security decision is made. These are the actual tools, derived from the virtues, that we will use to keep ourselves safe. There are thousands of security decisions to be made in any given year, and no two are exactly alike. It is not advisable, nor indeed possible, for an individual to become an expert in the security practices of each and every information field in existence. Instead, we need to build a fundamental structure through which the best security decisions can be made with the minimum required effort. This is why we develop the security rules. By walking through a logical series of steps related to the rules, we can quickly and easily ascertain the proper security solution in almost any situation. Like the virtues, the security rules are fundamental and will help grow the security practices of an environment through logical and dynamic processes. Unlike the virtues, however, the rules are fairly specific in their instruction and execution. If followed correctly, the rules will guide the process of building and maintaining a safe and secure environment. When the rules become incorporated into everyday thought processes, decisions will be in line with the best security practices.