The Virtue of Daily Consideration


Making security a daily consideration solves the vast majority of security issues an organization will face. All the talent and whiz-bang technical gadgets in the world will be of little use if they are not used in conjunction with this primary virtue. As we continue through this book, I will delve into several vital concepts for building and maintaining a secure environment. These concepts will prove to be of great value, but only if they are remembered, considered, and practiced on a daily basis.

Within the Virtue of Daily Consideration is the chance for organizations to break away from the fatal patterns that are so easy to fall into. Many organizations avoid addressing security issues because they consider security to be impossible to maintain, requiring an unending cash flow while sucking up valuable time and resources. This negative image of security, however, has only been manifested through numerous organizations that have embraced a "reactive philosophy of security." We can ensure that an organization does not fall into such a trap by promoting a proactive security posture that solves the most common security issues automatically and without effort.

The Seven Steps of Doom

In my experience as a security consultant, the organizations with the most security issues are those that have not followed this virtue. Most of them are locked in a circular bind that drains money and resources while producing no results. Look at almost any company that has sunk large budgets into its security and yet is still vulnerable to attack, and this pattern will appear:

Step 1. Do something without thinking about security.

Step 2. Get hacked.

Step 3. Discover that what was done in Step 1 introduced a security flaw that allowed Step 2 to happen.

Step 4. Secure the organization against the specific attack in Step 2.

This four-step cycle is then followed by a three-step cycle:

Step 5. Wait.

Step 6. Get hacked again.

Step 7. Find out that while waiting in Step 5, another new hack was developed relating to what was done in Step 1.


How simple it all seems, and how simple it all really is. This fatal seven-step process that organizations tend to manifest creates an unending cycle of lost time, lost money, and lost sleep. This is the origin of phrases like the following: "Security is too expensive" and "Security is unachievable." This is a pattern that must be avoided at all costs. Lucky for us, we can easily avoid this vicious circle by simply adopting the proper focus and giving security its daily consideration.

The Three Steps to Success

If we do anything in security, if we could have only one goal to set for our organization that will have the most profound impact, we must simply break away from the seven-step cycle. Avoiding this infinite trap can be accomplished by slightly modifying the first three steps:

Step 1. Think about security.

Step 2. Do something (while still thinking about security).

Step 3. Continue to think about security.

In other words, we can avoid the vast majority of security issues that plague the average organization by making security a daily consideration. Understand that this simple three-step process will take a relatively small amount of time and could prevent most of the attacks that have affected organizations all over the world. To practice these three steps, we simply need to train our minds to think about security at all times. We must maintain a security focus.

Considering Security in Everything

Most security issues are not normally visible or apparent until they are exploited. This is one of those things that keeps security professionals constantly on their toes. The most devastating security vulnerabilities are the ones that have no obvious relationship to security at all. When we place a new Internet connection into the network, everyone is jumping and screaming about the security issues. But when a new device is installed with a tunneling capability that bypasses all security, no one thinks twice. The deadliest vulnerabilities are those that don't raise a flag until an attack.

Today, security must be considered in everything and at every moment. Simple objects added to or removed from a network can serve to bypass all the security that has been put in place. Temporarily attaching a modem to a router can bypass hundreds of thousands of dollars of perimeter security devices. We must gain control of our environment by programming this primary security virtue into our minds and the minds of everyone around us.

Practicing This Virtue

The Virtue of Daily Consideration is our only hope of building and maintaining a secure environment. Throughout the rest of this book, I will continue to describe how to make security a daily consideration within an organization, and how to use and reuse simple concepts that will keep an environment safe. For now, here are some simple steps to make security a daily consideration:

  • Make security a continual thought. As we move forward through this book, visualize each concept as it applies in your daily environment. Think of everything your organization does and make every technical decision with the concept of security in mind. Constantly ask the question, "Could this affect the security of my organization?"

  • Encourage others to be continually mindful of security. Spread the concept of security to the rest of the organization. Start including the word "security" in everything. Include security references on the intranet home page; have a security "thought of the day" in the weekly employee newsletter. You can even go so far as to tape little security reminder signs in places where people look. For security to be a daily consideration, the word must be at the tip of the brain at all times, even if it is simply to laugh at the little security sign that someone hangs in the restroom.

  • Formally include security in all new projects. Add a small addendum called "Security Considerations" to any new project, proposal, or service involving technology in the environment. Those people introducing the concept, as well as those considering it or reviewing it, should be required to discuss and document any potential security side effects. If there are absolutely no security impacts, these same individuals must document this fact to indicate that they have taken security into consideration.

  • Formally include security in all new implementations. Make it a requirement that, before any new equipment, application, service, or operating system is attached to devices and networks, it must first be approved by someone or go through some formal approval process. This approval process can be extremely fast and easy, but it must include a quick check on the Internet for security issues. You can read more on this in the Rule of Change section in the next chapter.


Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day