I have posted a couple of times on how to be a successful security admin / manager (here and here). Well, here is another one (ok, enough of the groans).
So, here is today’s advice: stick with the tried and true security. There are methods of security that have been tested for quite a while now and have proven to be very effective strategies. A few examples of this are defense-in-depth, risk management, and security awareness. Let’s look at these a little closer:
- Defense-in-depth: Basically, using multiple, varied, and complementary security systems stacked in layers to defend against attacks. This is a method that has been shown to be very effective. The easiest example (though not the best) is to have anti-virus at the servers as well as the desktop so that a virus missed by one may be caught by the other. Add into this mix a deep-inspection engine that checks the data as it travels across your network, and you have three layers of security (though you would probably want the A/V software at the server level to be a different brand from the one on the PCs, to actually have three layers, but I digress).
- Risk Management: I really like PCMag’s definition of risk management and risk assessment, so here it is:
Risk management: The optimal allocation of resources to arrive at a cost-effective investment in defensive measures within an organization. Risk management minimizes both risk and costs.
Risk assessment: A report that shows assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection. A “risk analysis” is the process of arriving at a risk assessment, which is also called a “threat and risk assessment.” A “threat” is a harmful act such as the deployment of a virus or illegal network penetration. A “risk” is the expectation that a threat may succeed and the potential damage that can occur.
- Security Awareness: An initiative that sets the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of security failure. Further, awareness reminds users of the importance of security and the procedures to be followed (this one came from here).
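As an added illustration of the risk assessment and risk management definitions above (this is my example, not part of the original post or PCMag's definitions), here is a small Python script that turns a constructed register of assets, likelihoods and recovery costs into expected loss, works out the probable savings of each candidate defensive measure net of its cost, and picks a cost-effective set under a budget. Asset names, controls and all figures are made up for the example.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str           # harmful act, e.g. a virus deployment or illegal penetration
    likelihood: float     # expectation that the threat succeeds within the year
    recovery_cost: float  # estimated cost of recovery if it does

@dataclass
class Control:
    name: str
    covers: str           # asset the defensive measure protects
    cost: float           # annual cost of the measure
    residual: float       # likelihood that remains once it is in place

def expected_loss(r):
    """Risk in money terms: likelihood of damage times cost of recovery."""
    return r.likelihood * r.recovery_cost

def probable_savings(r, c):
    """Estimated probable savings from better protection, net of the control's cost."""
    return (r.likelihood - c.residual) * r.recovery_cost - c.cost

def allocate(risks, controls, budget):
    """Cost-effective allocation: controls ranked by net savings, one per asset, within budget."""
    risk_for = {r.asset: r for r in risks}
    net = {c.name: probable_savings(risk_for[c.covers], c) for c in controls}
    chosen, spent, covered = [], 0.0, set()
    for c in sorted(controls, key=lambda c: net[c.name], reverse=True):
        # skip measures that do not pay for themselves, duplicate an asset, or exceed the budget
        if net[c.name] <= 0 or c.covers in covered or spent + c.cost > budget:
            continue
        chosen.append(c.name)
        spent += c.cost
        covered.add(c.covers)
    return chosen, spent

# Constructed sample register; the figures are illustrative, not real data.
RISKS = [
    Risk("file server", "virus outbreak", 0.30, 40_000),
    Risk("web server", "illegal network penetration", 0.10, 120_000),
    Risk("desktops", "virus outbreak", 0.50, 10_000),
]
CONTROLS = [
    Control("server A/V", "file server", 3_000, 0.05),
    Control("deep-inspection engine", "web server", 6_000, 0.02),
    Control("desktop A/V", "desktops", 2_000, 0.10),
    Control("awareness training", "desktops", 1_500, 0.30),
    Control("hardware tokens for everyone", "web server", 50_000, 0.01),  # costs more than it saves
]
```

With a budget of 12,000 the allocation picks server A/V, the deep-inspection engine and desktop A/V (11,000 spent); the token rollout is dropped because its cost exceeds the loss it would prevent.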
So, why did I bother to put down these definitions? Let me explain. There could be a number of reactions to these definitions, but let’s focus on two:
- You may have looked at these definitions and started yawning and complaining about old school security, a bunch of washed up geezers, etc. or…
- Maybe you started reading them and wanted to see if the definitions put down were accurate.
If you fall into camp 1, then you are probably pretty young, or you have just started in security, or both. You fall squarely in the camp of those who believe the perimeter is dead, and you may think that some day soon (if it isn’t already here) a device will arrive that will once and for all secure your network and let you relax a bit. You probably think that many of the old security ways (including the ones above) are not needed. Just throw some money and security devices on the network and you are doing well.
Then there is the second camp. You saw some old, familiar, comfortable definitions that really speak to you as central tenets of security. You say, “hell yea!” when you see another example of these methods paying off. You do your due diligence and either fill the gaps that appear in an assessment or mitigate in other ways when the risk is not too high.
For the first camp, I say that you need to start paying attention to these old geezers. These methods have not been around for this long for nothing. UTMs are not the end-all-be-all. NAC and NAP are not godsends. Many of these new security appliances fill gaps that exist. But they are meant to do just that - fill the gaps. Not be the whole of your security. The perimeter is not disappearing. It is still there, but it has started to become flexible. Old school security guys really don’t have an issue with that. But when you move all your defenses into the network and drop the external firewalls, then you need to be prepared for the consequences. And they are coming. The baddies follow trends, just like the good guys.
And new security people: don’t call us old school folks closed-minded. A better term is experienced.
Vet