I stumbled across a good article today in the New Zealand version of Computer World that dealt with some of the issues facing the security industry in this economic downturn. While it is an interesting article, I believe that it has missed the mark. The article details how companies are cutting back on staff and looking to consolidate their security products in a cost-reducing move. Let me share a quote from Craig Shumard, CISO at Cigna, that appears in the article:
“The security product stack has become unsustainable,” he says. “I’ve challenged every vendor that I’ve met with recently to help me define the seven or eight products that we need to achieve the same level of security that we have today. We can’t continue to operate 15 to 25 (or more) security products. I don’t believe that we can continue to just add new security products to the environment and expect that we will use them effectively. I keep visualizing the Leaning Tower of Pisa. Maybe the security control tower is standing today. I think that if we keep adding products, the tower will fall over and bury the folks trying to manage it.”
Now, on the surface I don’t have any problems with this statement. I’m in complete agreement with it, but when I read between the lines, what I see is something that I call “The Silver Bullet Syndrome.”
The Silver Bullet Syndrome is the constant search for the product that slays the security monster. In part this is fueled by the security industry itself. Vendors try to sell products that will take care of your security woes and push single point solutions. That is how companies wind up with 15 to 25 or more different security products within their environments. Along with these products you need the staff in order to be able to run them.
Now don’t get me wrong, I’m not anti-technology. I do believe that we need, and are in some ways very dependent upon, security products in order to get the job done. What I don’t believe is that these products are the solution to the security problem. What I do believe is that people are the biggest and most important part of the security equation. The article did give brief mention of this at the end, but I don’t think it placed the proper emphasis on it, especially in light of the very strong quotes it used in two thirds of the article.
Let’s look at a few of the things that you can do to improve the security of your environment without purchasing an additional product or tool:
· Harden your systems. Many of the companies that I’ve worked with do not give any thought to hardening their systems, and when they do, they do so just before they are ready to go into production. Hardening needs to occur just after the operating system is installed and all the patches are applied – before any applications are installed. Then a review needs to be done after each and every change or install to remove or disable any unnecessary services. Will this result in a longer time to stand up a server? Yes, but not as long as if you wait until it is ready to go into production, and you are far more likely to miss unnecessary services if you wait until the end of the process to harden.
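The post-change review described above is easy to turn into a repeatable check: decide in advance what a server in a given role is allowed to expose, then compare the live inventory against that baseline after every change. The following is an added example, not code from the original post; the role baselines, the inventory text format and the sample inventories are constructed assumptions (on a real host the inventory lines would come from tools such as `ss -ltn` and `systemctl list-unit-files --state=enabled`).

```python
"""Post-change hardening review: compare what a server actually exposes
against the approved baseline for its role and flag anything extra.

Added example, not from the original post. The role baselines, the
inventory format and the sample inventories are constructed assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RoleBaseline:
    """What a hardened server in this role is allowed to expose."""
    name: str
    listen_ports: frozenset
    enabled_units: frozenset


# Constructed baselines (assumption): a web tier needs SSH and HTTP(S) only.
BASELINES = {
    "web": RoleBaseline("web", frozenset({22, 80, 443}),
                        frozenset({"sshd.service", "nginx.service"})),
    "db": RoleBaseline("db", frozenset({22, 5432}),
                       frozenset({"sshd.service", "postgresql.service"})),
}

# Matches the local-address column of `ss -ltn`-style lines, e.g. 0.0.0.0:22 or [::]:111
_LISTEN_RE = re.compile(r"^\s*(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(inventory: str) -> set:
    """Extract the set of listening ports from ss-style output."""
    ports = set()
    for line in inventory.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(3)))
    return ports


def parse_enabled_units(inventory: str) -> set:
    """Extract unit names whose STATE column reads 'enabled'."""
    units = set()
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "enabled":
            units.add(parts[0])
    return units


@dataclass
class Findings:
    unexpected_ports: set = field(default_factory=set)
    unexpected_units: set = field(default_factory=set)

    def clean(self) -> bool:
        return not self.unexpected_ports and not self.unexpected_units


def review(role: str, listener_inventory: str, unit_inventory: str) -> Findings:
    """Everything observed that the role baseline does not allow is a finding."""
    base = BASELINES[role]
    return Findings(
        unexpected_ports=parse_listeners(listener_inventory) - base.listen_ports,
        unexpected_units=parse_enabled_units(unit_inventory) - base.enabled_units,
    )


# Constructed sample inventories: a web server where an install pulled in rpcbind.
SAMPLE_LISTENERS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
"""

SAMPLE_UNITS = """\
UNIT FILE            STATE    PRESET
sshd.service         enabled  enabled
nginx.service        enabled  enabled
rpcbind.service      enabled  enabled
cups.service         disabled enabled
"""

if __name__ == "__main__":
    findings = review("web", SAMPLE_LISTENERS, SAMPLE_UNITS)
    print("unexpected listening ports:", sorted(findings.unexpected_ports))
    print("unexpected enabled units:  ", sorted(findings.unexpected_units))
    print("hardening baseline met:    ", findings.clean())
```

Run it after every package install or configuration change; anything it prints is a service that either gets removed, disabled, or explicitly added to the role's baseline with a reason.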
· Control the flow of information within, into, and out of your network. You already have the means to do this with the network devices you already own. Do you know what sort of information should be flowing where on your network? Have you configured your routers to allow this information and nothing else? You may say, “Why should I block this particular port from this segment? Nothing on that segment uses it anyway.” That may be true now, but the next worm that comes along may just use that port to try and gain access. If you’ve properly hardened your systems you will probably be okay, but it doesn’t cost you anything to practice defense-in-depth in this manner, and it just may save your bacon if a needed patch or upgrade makes a machine susceptible to that attack in the future.
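Knowing what should flow where is a matrix of (source segment, destination segment, port) that you have decided on; the rule set on the routers should permit exactly that matrix and deny everything else. The following added example (not code from the original post) audits a first-match rule set against such a matrix: the segments, ports, expected flows and the two rule sets are constructed assumptions standing in for a real ACL. It shows a loose rule set of the “users can reach anything” kind beside a tightened one that names every permitted port and ends in an explicit deny.

```python
"""Audit a segment-to-segment rule set against the flows you decided should exist.

Added example, not from the original post. Segments, ports, expected
flows, rule format and first-match evaluation are constructed assumptions.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # segment name or "any"
    dst: str              # segment name or "any"
    port: Optional[int]   # None means any port
    action: str           # "permit" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and (self.port is None or self.port == port))


def evaluate(rules, src: str, dst: str, port: int) -> str:
    """First matching rule wins; nothing matching means implicit deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


SEGMENTS = ["users", "web", "db", "internet"]
PORTS = [22, 80, 443, 1433, 3389]

# Constructed flow matrix: the only (src, dst, port) flows that should be permitted.
EXPECTED_FLOWS = {
    ("users", "web", 443),
    ("users", "internet", 80),
    ("users", "internet", 443),
    ("web", "db", 1433),
    ("internet", "web", 443),
}

# Weak rule set: one broad line lets the user segment reach anything on any port.
LOOSE_RULES = [
    Rule("users", "any", None, "permit"),
    Rule("web", "db", 1433, "permit"),
    Rule("internet", "web", 443, "permit"),
]

# Tightened rule set: every permit names a port; explicit deny-all at the end.
TIGHT_RULES = [
    Rule("users", "web", 443, "permit"),
    Rule("users", "internet", 80, "permit"),
    Rule("users", "internet", 443, "permit"),
    Rule("web", "db", 1433, "permit"),
    Rule("internet", "web", 443, "permit"),
    Rule("any", "any", None, "deny"),
]


def audit(rules, expected=EXPECTED_FLOWS):
    """Return (needed flows that are blocked, unneeded flows that are permitted)."""
    blocked, extra = set(), set()
    for src, dst, port in product(SEGMENTS, SEGMENTS, PORTS):
        if src == dst:
            continue
        verdict = evaluate(rules, src, dst, port)
        needed = (src, dst, port) in expected
        if needed and verdict != "permit":
            blocked.add((src, dst, port))
        elif not needed and verdict == "permit":
            extra.add((src, dst, port))
    return blocked, extra


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        blocked, extra = audit(rules)
        print(f"{name}: {len(blocked)} needed flows blocked, "
              f"{len(extra)} unneeded flows permitted")
        for flow in sorted(extra):
            print("  unneeded permit:", flow)
```

The loose rule set passes the “does everything still work?” test, since no needed flow is blocked, yet it permits twelve flows nobody asked for, including users straight to the database port; those are exactly the paths a future worm or an unpatched host would rely on.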
· Practice the principle of Least Privilege. Do you ensure that all users – no matter their role – have all the rights they need and no more? Don’t let someone tell you that they need full administrative rights or SAP_ALL when they only need an expanded subset of privileged rights. Accounts receivable may need access to accounts payable records on those rare occasions when they do need to help out with a greater than expected workflow, but that is easily turned on and off as needed rather than leaving it in place all the time.
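The “turned on and off as needed” part is where least privilege usually breaks down in practice: the extra right gets switched on and nobody remembers to switch it off. The following added example (not code from the original post) models standing role permissions plus time-boxed grants that lapse on their own, with a cap on grant length and no self-approval. The roles, permissions, users and the approval window are constructed assumptions.

```python
"""Time-boxed elevation: grant an expanded right only for an approved window
and let it lapse on its own instead of leaving it in place.

Added example, not from the original post. Roles, permissions, users and
the approval window are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role-to-permission mapping (assumption).
ROLE_PERMISSIONS = {
    "accounts_receivable": {"ar:read", "ar:write"},
    "accounts_payable": {"ap:read", "ap:write"},
    "helpdesk": {"user:reset_password"},
}


@dataclass(frozen=True)
class TemporaryGrant:
    permission: str
    approved_by: str
    starts: datetime
    ends: datetime

    def active(self, now: datetime) -> bool:
        return self.starts <= now < self.ends


@dataclass
class User:
    name: str
    roles: set
    grants: list = field(default_factory=list)


class AccessPolicy:
    """Standing rights come from roles; anything beyond that is a dated grant."""
    MAX_GRANT = timedelta(days=7)

    def standing_permissions(self, user: User) -> set:
        perms = set()
        for role in user.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def grant_temporarily(self, user: User, permission: str, approved_by: str,
                          starts: datetime, duration: timedelta) -> TemporaryGrant:
        if duration <= timedelta(0) or duration > self.MAX_GRANT:
            raise ValueError(f"grant duration must be within {self.MAX_GRANT}")
        if approved_by == user.name:
            raise ValueError("a user may not approve their own elevation")
        grant = TemporaryGrant(permission, approved_by, starts, starts + duration)
        user.grants.append(grant)
        return grant

    def is_allowed(self, user: User, permission: str, now: datetime) -> bool:
        if permission in self.standing_permissions(user):
            return True
        return any(g.permission == permission and g.active(now) for g in user.grants)

    def effective_permissions(self, user: User, now: datetime) -> set:
        """Everything the user can do right now, standing rights plus live grants."""
        return self.standing_permissions(user) | {
            g.permission for g in user.grants if g.active(now)
        }


def demo():
    """Walk an AR clerk through a two-day window of AP read access."""
    policy = AccessPolicy()
    alice = User("alice", {"accounts_receivable"})
    t0 = datetime(2009, 3, 2, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    before = policy.is_allowed(alice, "ap:read", t0)
    policy.grant_temporarily(alice, "ap:read", approved_by="bob",
                             starts=t0, duration=timedelta(days=2))
    during = policy.is_allowed(alice, "ap:read", t0 + timedelta(days=1))
    after = policy.is_allowed(alice, "ap:read", t0 + timedelta(days=3))
    never_write = policy.is_allowed(alice, "ap:write", t0 + timedelta(days=1))
    return before, during, after, never_write


if __name__ == "__main__":
    print("before / during / after / ap:write during:", demo())
```

The grant records who approved it and when it ends, which gives the audit trail the later “Policy and Procedure” point needs; the access itself simply stops being true once the window passes, so there is nothing for anyone to forget to revoke.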
· Awareness and Training. I debated mentioning this because in some sense it may require the expenditure of additional money to achieve the proper level of role specific training. I do believe though that investing in increasing the knowledge base of your staff is more of an investment that is expected to increase in value. Knowledge share between employees and departments can be done without cost and may go a long way to building a greater sense of community beyond team or division lines.
· Policy and Procedure – Okay, all the technical guys out there just gave a collective groan. In a way I can understand that, but let me say that everything that happens within a network environment must be backed up by policy and procedure – especially the security activities. The reason is that if you do indeed catch someone doing something wrong, you had better have the appropriate framework and authorizations to monitor, inspect, and collect the information on the network, or your violator may just get away with it. This said, don’t go overboard with it either. You need to have an appropriate level of detail for the legal and regulatory environment in which you work, of course, and to ensure that it is clearly understood, but no more. You don’t judge documentation by its weight but by its content.
Okay, these are some of the basic things you can do without buying additional tools or security products. What they all have in common is the human factor. They require a knowledgeable human or group of humans in order to implement them correctly. The knowledge gained from doing these correctly can in turn help you make better decisions when you decide to purchase and implement a new tool or security product. A product that works well with one system may not be the best choice considering the whole environment. You may need to choose less functionality on a single system to gain increased coverage across the entire environment. Either way, you’ve started with the best security control that you have in your entire organization – the human one.
Tags: Awareness and Training, Cigna, Craig Shumard, Information Flow Control, Least Privilege, Policy and Procedure, security products, security vendors, Silver Bullet, System Hardening