Tuesday, December 8, 2009

Security Fundamentals

It's been a while. I haven't posted anything in over a month which is actually a good thing. Things have been very busy and seem to be getting more so. I've just come off doing a series of security assessments for a variety of organizations and have come to a realization - the information security industry is broken.

Now before you get all upset and start bombarding me with hate mail, let me explain. Security professionals often talk about being proactive. It is better to put security in place before something bad happens than after. I agree entirely. While we say this however, we spend a huge portion of our time encouraging reactive thinking. Even when we are being proactive, we are being reactive. That might not seem to make sense but think about this.

In my home office I have a collection of computer security books. Some are focused on various certifications, so I'll ignore those for the purpose of this discussion. Of the remaining, I count 25 books. (No, that's not all my books; most are in my office at work.) Of these 25 books, 23 are focused, in one way or another, on securing things by understanding how they can be compromised, with a few focused exclusively on discussing how to compromise. Only two of the 25 (that's 8%) look at security from an exploit- or attack-independent perspective. One of these focuses on establishing metrics for security and the other on designing security around detection rather than protection. Let's take this further. Almost all of the newsgroups and email lists I am a part of focus on the newest vulnerabilities, attacks or victims. Most of the podcasts I follow talk about penetration testing, computer forensics or social engineering. As I see it, we spend the vast majority of our time learning how bad stuff could happen and then reacting to that knowledge. Hopefully we are proactively reacting, but we are reacting nonetheless. This creates a situation where "good" security can only be achieved by security experts who fully understand the threat landscape. Unfortunately, not all organizations have access to such people.

The other side of the security industry is the vendors of security technology. They often represent the ultimate in proactive action. They want to sell their products, and rightly so. However, in doing so, they are often forced into a situation where they have the solution to a problem that may not exist (at least for any given customer), so they often try to show the customer why they have a problem and then how "technology A" solves it. This creates a situation where security product implementation may not really match up with actual risk. This means security spend is not in line with risk reduction and potentially leaves areas of significant risk unmitigated.

If the security industry has three sides, the third would be regulation. In my opinion, most security regulations have combined the worst aspects of reactive security with a misalignment of controls vs. risk. Some regulator writes a document that states, to varying degrees of detail, the controls that organizations need to put in place. Affected organizations then react to the regulation by implementing the mandated controls and completing their compliance checklist. They effectively replace security with compliance, assuming they are one and the same. Unfortunately, they are not. The result is excessive spend that may not be in line with actual risk and that doesn't actually accomplish the security goals of the regulation.

So what are we missing? In my opinion, what we are missing is a set of basic, fundamental security measures that are easily understood, that can be implemented in virtually every environment and that don't require reading hundreds or thousands of pages of highly technical documentation to understand. Furthermore, these measures cannot be tied to specific technologies. Basically, I'm thinking of some basic uses of common technology and some operational processes that "everyone" can use. Some things that come to mind are:

- Segmenting the network based on business requirements
- Applying access controls to network segments
- Ingress AND egress filtering on firewalls
- Logging ALLOWED inbound & BLOCKED outbound firewall traffic
- Basic data classification measures
- Security incorporated into change control procedures
- Implementation of basic hardening standards for core technologies
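
The filtering and logging items above (ingress and egress filtering, logging allowed inbound and blocked outbound traffic) are the kind of fundamentals that pay off only if someone actually reads the logs. The following is an added example, not code from the original post: a small Python triage script over constructed iptables-style LOG lines. It assumes the firewall rules were given the log prefixes FW-IN-ACCEPT and FW-OUT-DROP (hypothetical names; set with whatever prefix option your firewall offers), and it builds two views a defender wants: an inventory of which internal services are actually being reached from outside, and a per-host list of blocked outbound attempts, since an internal host repeatedly trying to reach destinations the egress policy denies is a classic sign of something that should not be on the network.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of iptables LOG output. The addresses
# are documentation ranges and the FW-IN-ACCEPT / FW-OUT-DROP prefixes are
# assumed to have been set on the ACCEPT-inbound and DROP-outbound rules.
SAMPLE_LOG = """\
Dec  8 09:12:01 gw kernel: FW-IN-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.10.1.20 PROTO=TCP SPT=51234 DPT=443
Dec  8 09:12:04 gw kernel: FW-IN-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.10.1.20 PROTO=TCP SPT=40022 DPT=443
Dec  8 09:12:09 gw kernel: FW-IN-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.10.1.25 PROTO=TCP SPT=40023 DPT=25
Dec  8 09:13:10 gw kernel: FW-OUT-DROP: IN=eth1 OUT=eth0 SRC=10.10.2.31 DST=192.0.2.44 PROTO=TCP SPT=49201 DPT=6667
Dec  8 09:13:11 gw kernel: FW-OUT-DROP: IN=eth1 OUT=eth0 SRC=10.10.2.31 DST=192.0.2.45 PROTO=TCP SPT=49202 DPT=6667
Dec  8 09:13:12 gw kernel: FW-OUT-DROP: IN=eth1 OUT=eth0 SRC=10.10.2.31 DST=192.0.2.46 PROTO=TCP SPT=49203 DPT=8080
Dec  8 09:13:30 gw kernel: FW-OUT-DROP: IN=eth1 OUT=eth0 SRC=10.10.2.40 DST=192.0.2.10 PROTO=UDP SPT=53111 DPT=53
Dec  8 09:14:02 gw kernel: FW-OUT-DROP: IN=eth1 OUT=eth0 SRC=10.10.2.31 DST=192.0.2.47 PROTO=TCP SPT=49204 DPT=6667
"""

# Pull the prefix (which encodes direction and verdict) plus the 5-tuple
# fields. SPT is optional because ICMP lines carry no source port.
LINE_RE = re.compile(
    r"(?P<prefix>FW-(?:IN|OUT)-(?:ACCEPT|DROP)): .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))? DPT=(?P<dpt>\d+)"
)


def parse_events(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        direction, action = d["prefix"].split("-")[1:3]  # e.g. ("IN", "ACCEPT")
        events.append({
            "direction": direction, "action": action,
            "src": d["src"], "dst": d["dst"],
            "proto": d["proto"], "dpt": int(d["dpt"]),
        })
    return events


def allowed_inbound_services(events):
    """Count accepted inbound connections per exposed (DST, PROTO, DPT).

    This is the real exposure inventory: what the Internet can reach, as
    opposed to what the firewall policy document says it can reach.
    """
    counts = Counter()
    for e in events:
        if e["direction"] == "IN" and e["action"] == "ACCEPT":
            counts[(e["dst"], e["proto"], e["dpt"])] += 1
    return counts


def blocked_outbound_by_host(events):
    """Group blocked outbound attempts by the internal source host."""
    hosts = defaultdict(list)
    for e in events:
        if e["direction"] == "OUT" and e["action"] == "DROP":
            hosts[e["src"]].append((e["dst"], e["proto"], e["dpt"]))
    return dict(hosts)


def suspicious_hosts(events, threshold=3):
    """Internal hosts whose blocked outbound attempts hit `threshold` or more
    distinct destinations. The threshold is an assumed tuning knob; one
    blocked DNS lookup is a misconfiguration, a spread of blocked
    destinations is worth a look."""
    flagged = []
    for src, attempts in blocked_outbound_by_host(events).items():
        if len({dst for dst, _, _ in attempts}) >= threshold:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("Allowed inbound services:")
    for (dst, proto, dpt), n in sorted(allowed_inbound_services(evs).items()):
        print(f"  {dst} {proto}/{dpt}: {n} connection(s)")
    print("Hosts with blocked outbound activity:")
    for src, attempts in sorted(blocked_outbound_by_host(evs).items()):
        print(f"  {src}: {len(attempts)} attempt(s)")
    print("Review these hosts:", suspicious_hosts(evs))
```

The choice of what to log follows the list above rather than the usual "log everything blocked" default: blocked inbound traffic on an Internet-facing firewall is mostly background noise, whereas allowed inbound tells you what you are actually exposing and blocked outbound tells you which internal machines are trying to talk to places your policy says they should not. Both are cheap to collect and do not depend on any particular vendor's product.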

The list can get longer, but hopefully you get the idea. By putting together some basic guidance, the average IT person who also must deal with security has a good place to start. They can create a technical and operational environment that supports security by design rather than having to try to layer security on top of an inherently insecure environment using the vendor- or regulation-recommended technology of the day.

Thoughts?