The Virtue of Community Effort


In the Virtue of Community Effort, there are two communities that affect and are affected by the security practices within an environment. These are what we call the inner community, which is made up of us, our end-users, and our executives, and the public, or outer community, which consists of the IT world outside of our perimeter boundaries. Each of these communities plays a very large role in the practice of security within an organization.

The idea of security being a community effort cannot be overemphasized. It may not be obvious at first, but the majority of information security issues within systems and networks across the world come from other groups that have failed to participate in either of the security communities.

Our Role in the Inner Security Community

Security cannot be accomplished by security professionals alone. It would be quite impossible for us to widen our focus and watch for every security issue with every system, device, connection, and physical area in an entire environment. It is a fatal flaw I have seen over and over again that security administrators, managers, and chief information officers (CIOs) desire to work independently of the "troublesome end-users." Involvement of the users is an essential component of the success of any good security practice. The end-users are our valuable allies, our eyes and ears, and indeed, our gatekeepers. Every desktop, phone line, and locked door that is put to use by an end-user is a virtual gateway into the kingdom. It is vital that these people remain on our side of the war.

One of the most important roles of a security practitioner is to integrate the end-users into the local security practices. We must empower them to take active roles in the maintenance of security and inspire them to be allies in our cause. I discuss this in more detail later when we discuss education. For now, I will simply express that the end-users can be our best friends or indeed our greatest enemies, depending on how we decide to deal with them, and where and when we decide to include them.

Our Role in the Outer Security Community

Many times, the organization with good security practices is compromised by a lack of security from other organizations that have ineffective or nonexistent security practices. It is nearly impossible to trace good hackers because they operate through a long, winding trail of poorly secured systems and can rarely be traced back to a hideout. Remember those movies where the FBI agents run a phone trace back to the criminal, but it must first bounce through a chain of phone calls through 20 different countries before they find out that he or she is actually calling from a phone booth on the corner? Well, this spy movie tactic is all too real in cyberspace. Most systems that are compromised are simply used to launch other attacks against other systems within other organizations. The first thing a successful hacker will commonly do is usurp a group of poorly secured and "unimportant" systems to act as his or her minions for future attacks. And guess what? Each of these poorly secured systems was administered by someone who did not participate in the outer security community, and now it's becoming our problem because their systems are now attacking us.

Our role in the outer security community is very simple: Keep ourselves safe so that others will be safe from us. It is not required that we go out of our way to ensure the safety of the rest of the world, but it is important and oftentimes motivating to understand that the security within our own environment echoes in the security of organizations across the world. Through the process of being conscious and aware of the security around us, we are much better equipped to handle the security issues within the local environment.

Practicing This Virtue

To participate in security communities, we must first start with the realization that we are not alone, nor should we be. We must be willing to give and receive information with others, inside and outside the environment. This helps to solve local issues, and at the same time, has a profound impact on all security issues everywhere. The following simple steps will greatly benefit the security of all environments:

  • Keep informed: Every day, have someone spend 10 minutes checking your organization's favorite security watch sites to assess whether the latest security vulnerabilities and countermeasures are applicable to the environment. For even better results, have that person discuss these issues in weekly meetings. You will find a list of recommended information sources in Appendix A, Tips on Keeping Up-to-Date.

  • Inform others: There will be a time when you see suspicious activities on your systems or networks coming from somewhere on the "outside." Believe it or not, information on this attack (or attempted attack) could be invaluable to the rest of the security community. For example, one of the most popular incident response Web sites posts, in real time, the addresses from which the most attacks have been reported. It is becoming common for security administrators, first thing in the morning, to check these lists and include the addresses in their security filters. You will find a list of recommended posting locations in Appendix A as well.

    Of course, you must be intelligent about such postings as to not give away valuable or sensitive information about your own environment.

  • Keep up-to-date: This is not to say that you should run out and install every new patch that becomes available. Rather, it is to make the point that if there is a major security issue out there, it is only a question of time before you are targeted. Be intelligent in choosing what to update, but be consistent in keeping your systems up-to-date and safe from serious security flaws. If it is not possible to patch your system, seek an alternative countermeasure. Never ignore a security problem, because vulnerabilities don't go away by themselves. It is through the simplest and most easily remedied security vulnerabilities that the most destructive and widespread attacks have spawned.

  • Inform end-users: Informing end-users is one of the primary responsibilities of the inner community. Encourage the end-users to be "security-aware" and enlist their aid when dealing with security issues. This also includes end-user training, which is discussed in a later section.

  • Make group-based decisions: Since security touches just about every aspect of IT, it is not wise to make important security decisions alone. Network-based decisions should include a network engineer; policy-based decisions should include the input of local executives; and end-user-based decisions should solicit input from real end-users.

Being Responsible for Your Own House

Remember in 1999 when giant e-commerce sites like Yahoo, CNN, and eBay fell victim to a hacker's work via TRIN00 and TFN? This major distributed denial of service (DDoS) attack left everyone wondering how we could feel safe and secure if these giants failed to be secure. The reality is that it was not the lack of security in these specific sites, but the lack of security in the general public that caused the costly damages to these sites and many others. Thousands of poorly secured systems around the world were compromised and all commanded to attack these specific Web sites at the same time, creating a scenario almost impossible to defend. Thus, the attack was really the collective fault of thousands of organizations around the world. Good security practices require a community effort wherein everyone does their part to protect their own systems.

Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day