I have posted a couple of times on how to be a successful security admin / manager (here and here). Well, here is another one (ok, enough of the groans).
So, here is today’s advice: stick with the tried and true security. There are methods of security that have been tested for quite a while now and have proven to be very effective strategies. A few examples of this are defense-in-depth, risk management, and security awareness. Let’s look at these a little closer:
- Defense-in-depth: Basically, using multiple, varied, and complementary security systems stacked in layers to defend against attacks. This is a method that has been shown to be very effective. The easiest example (though not the best) is to have anti-virus at the servers as well as the desktop so that a virus missed by one may be caught by the other. Add into this mix a deep-inspection engine that checks the data as it travels across your network, and you have three layers of security (though you would probably want to make the A/V software at the server level a different brand from the one on the PCs, to actually have three layers, but I digress).
- Risk Management: I really like PCMag’s definition of risk management and risk assessment, so here it is:
Risk management: The optimal allocation of resources to arrive at a cost-effective investment in defensive measures within an organization. Risk management minimizes both risk and costs.
Risk assessment: A report that shows assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs, and estimated probable savings from better protection. A “risk analysis” is the process of arriving at a risk assessment, which is also called a “threat and risk assessment.” A “threat” is a harmful act such as the deployment of a virus or illegal network penetration. A “risk” is the expectation that a threat may succeed and the potential damage that can occur.
- Security Awareness: An initiative that sets the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of security failure. Further, awareness reminds users of the importance of security and the procedures to be followed (this one came from here).
So, why did I bother to put down these definitions? Let me explain. There could be a number of reactions to these definitions, but let’s focus on two:
- You may have looked at these definitions and started yawning and complaining about old school security, a bunch of washed up geezers, etc. or…
- Maybe you started reading them and wanted to see if the definitions put down were accurate.
If you fall into camp 1, then you are probably pretty young or you have just started into security or both. You fall squarely in the camp of those who believe the perimeter is dead and you may think that there will come some day soon (if it isn’t already here) a device that will once and for all secure your network and let you relax a bit. You probably think that many of the old security ways (including those above) are not needed. Just throw some money and security devices on the network and you are doing well.
Then there is the second camp. You saw some old, familiar, comfortable definitions that really speak to you as central tenets of security. You say, “hell yea!” when you see another example of these methods paying off. You do your due diligence and either fill the gaps that appear in an assessment or you mitigate in other ways when the risk is not too high.
For the first camp, I say that you need to start paying attention to these old geezers. These methods have not been around for this long for nothing. UTMs are not the end-all-be-all. NAC and NAP are not god-sends. Many of these new security appliances fill gaps that exist. But they are meant to do just that - fill the gaps. Not be the whole of your security. The perimeter is not disappearing. It is still there, but it has started to become flexible. Old school security guys really don’t have an issue with that. But when you move all your defenses in the network and drop the external firewalls, then you need to be prepared for the consequences. And they are coming. The baddies follow trends, just like the good guys.
And new security people: don’t call us old school folks closed-minded. A better term is experienced.
Vet
The Success of the UTM
I have been on a kick about what security admins and managers have to do to sell security. And I posted a huge list the other day to help those same admins and managers start their own list of duties so they could get organized and possibly show the boss all the stuff they have to do day in and day out. (BTW, forgive the formatting of the list. The Blogger people royally screwed up some of my formatting during some maintenance they were performing today, and I am just too dang lazy to go fix it!)
So when you look at that list, you wonder how you can get it all done. Alan Shimel asks the same question here. I think the fact that security admins and managers have so many chores and tasks and jobs to take care of is the biggest factor in UTM success.
Look at Chris Hoff’s post on UTMs. One line from his post is, “If ‘good enough’ security is good enough, you have lots of UTM choices.” I contend that the UTM is so attractive because “good enough” is what many (not most, but maybe not far off) security people are looking for in their security because they are strained and pulled and stretched and yanked in so many directions that “good enough” is all they have time for. Call it lazy or whatever, but the truth is there.
What Chris wants is for the good ol’ days of risk management to come back, where you identify your risks, you determine what your tolerance for each risk is, and then you determine what measures to put into place to mitigate those risks. I agree with Chris wholeheartedly. But the reality is that it just ain’t always possible, unless you want to work about 80 hours a week.
So, UTM looks good to that overworked (or oft times lazy) admin or manager, and they want their auditors and execs to see a cool piece of hardware that they can grab some reports from. So UTM it is.
That kinda leads into my next point.
Government Regulation Can Actually Hurt Security
I am sure someone has written about this, and I did find this post with a very quick Google search. It didn’t exactly address my point, but oh well. Anyway, my contention is that compliance with HIPAA, SOX, GLBA, etc. can often do more damage than good to the security posture of organizations. Now, this totally depends on some of what I mentioned above, namely whether or not the security admin / manager is lazy, overworked, etc. But basically, here’s the reason compliance can hurt more than help: it often causes the security department to reach for compliance INSTEAD of reaching for actual security.
Look at HIPAA. It has not one shred of actual technical advice. Most people say that is good because it allows for flexibility in the security approach. I agree. But if I am a lazy security guy or an overworked security guy whose boss tells him to make sure the company is compliant, then I may look at compliance in another way.
First, I do some research and find that many of these regs don’t have any real enforcement to them. I don’t tell the boss that because my job just might go flying out of the window. So, I write (or find on the Web) some policies and procedures that are HIPAA, SOX, whatever compliant, then I put in some security measures that look cool and give nice pretty reports, and then I can step back and say, “That should convince the auditors.” I have not hired a third party to come out and do a risk and gap analysis. I have not taken a look at what I am trying to secure and where best to place security measures. I don’t even really know what risks are there, so I have no idea what the company’s tolerance for them is.
It basically becomes a game to LOOK compliant so you fool the auditors. Since you really don’t expect the HIPAA, SOX, GLBA police on your doorstep any day soon, why should that concern you?
But let’s look at this one more way. I have to honestly say that this does not just apply to lazy or overworked security admins / managers (though most of us are overworked). It soon simply becomes a realistic view. Maybe you are a hardworking security guru, and you are going to do your dead level best to secure the network, come hell or high water. So, you do the risk analysis with a third party, you determine your risk, you fill all the gaps as best you can, and you come out with a secure network that will stop a hacker dead in his tracks. But you stopped worrying about the reg-du-jour a while back, just like everyone else. And you have no regulation-specific policies and procedures in place, even though you followed every ISO standard even remotely applicable to security since the history of man. And someone decides to give some teeth to the reg. What happens when even your strong, secure network gets breached? You get busted.
Man, what a drag.
So, what’s the answer? To both problems above, the answer is more staff, more money, and more training put directly towards security. Executives, LISTEN UP! Let your people do what they need to do. Dedicate the resources on the front end, let the security people get your network secure from a practical and regulatory standpoint, then just keep it going. Your costs will decrease to a great degree after the initial push is complete. Yes, risks change, but not every risk will change at the same time. Yes, technology needs to be refreshed, but that is true of IT in general, and it is usually every three or four years. Yes, new regulations come up, but the infrastructure will be there to meet those. Get it done, and you will be secure. You will be able to flex and move with all these changes. Make the investment now. Please.
Vet