TISC Insight, Volume 3, Issue 11

Welcome to Volume 3, Issue 10 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.

TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.

Enjoy, and be safe,

Dave

Over the past several years, you have been told that in order to make your company secure you must (in no special order):

• Establish a "security organization" run by the toughest czar you can find
• Have better security processes and strict penalties for violations
• Place all your systems in a bunker
• Run all your communications over a VPN
• Encrypt everything, everywhere, all the time
• Use tougher firewalls
• Scan every bit of data coming or going for security breaches or viruses
• Use non-repudiable authentication

Dutifully, you have hired the best security czar available and have created corporate security processes, and implemented employee policies with severe penalties for violating corporate security. You've placed all your systems in a physically secured co-location center, invested a fortune in security technology. You monitor every system; encrypt everything, even in transit. But unless you employed all of this with a judicious quantity of reality, what you may have created is False Security.

When Good Intentions Fail

False security occurs when security technology, processes, or implementations fail to deal with business or operational realties. To clarify, consider these examples, drawn from real life:

• The link encryptors you chose to deploy are extremely difficult to synchronize and thus are often bypassed for hours - in direct contradiction of policy - in order to allow critical business processes, such as quarterly business data that must be received in time to close the books, to complete.
• You implement a user password policy that locks out all users after three attempts. A disgruntled employee writes a simple denial-of-service script that tries each employee account three times, thereby shutting down the entire corporate IS infrastructure by locking out all employees.
• Your key employees all require accounts on 5 to 15 systems to perform their monthly tasks. You require all users to employ a random password generating routine to change their passwords every three months. A cursory pass through the office reveals that most of your key employees have written down every one of their passwords somewhere at their desk or on their person, because most humans simply cannot remember this many random passwords.
• Your employees require continuous access to the systems in your co-location center to maintain your online-trading financials. The co-location center is fully online and you have redundant links from two different carriers. Your corporate offices suddenly cannot connect to the colo center. You notice a backhoe digging in the street in front of the office, and discover the hard way that you have two access circuits, but only one physical path.

Security As A Roadblock

Most damaging of all is when your security processes block your business strategies or opportunities. Consider the following examples

• To jump ahead of competition, you embark upon a business strategy to provide the employees of your corporate customers with direct access to their system data on your servers. But you are also in the process of implementing a PKI authentication service, and your certificate-based authentication processes have been set up to require "your" corporate employee identifier in a custom extended attribute field.
• Your VP of Sales is in Dubai trying close amjor regional sale. The potential customer does not require the capabilities of the system originally proposed, but with some minor re-engineering, your company can satisfy their requirements by delivering amch cheaper alternative. Rising from bed in the morning, your VP steps on her card key, destroying it. Without it, she cannot access her email and thus goes into the final negotiations not knowing that engineering has re-analyzed client requirements and can deliver the solution required. You lose the sale.

Avoiding False Security

The first key to avoiding False Security is to have definable security strategies for the major areas of security within your corporation: system and user authentication, encryption, data access controls, physical access controls, external access, etc. Acknowledge that these security strategies must be subordinate to the corporate business strategy, or give up now. By subordinate, I mean that the security strategy must support the business goals and any security measures implemented must show a positive cost-benefit ratio. Simply stated, in the real world, I cannot expect to deploy "perfect security"; rather, I must seek to deploy security that is in line with my business risks and associated costs.

A good example of security strategy that is in line with risk can be seen in the banking industry. After all, banks have had about 200 years to figure out the risk/cost/reward equation. Of course, we all "know" that banks are secure, right? I live in Washington state; we have over 200 bank robberies every year, one amst every business day. But I believe that the banking industry has done a number of things right. First, bankers realized that they could never stop all the robberies. Over time, banks adopted a set of strategies that control the risks associated with a robbery, including the following:

• Compartmentalize assets, so that the take is generally small, by limiting the cash available in one location
• Employ the best alam systems available
• Utilize technology to record the theft and trace the robbers
• Train employees exactly how to respond in order to minimize danger to themselves and other customers
• Establish processes to coordinate with law enforcement needs and yet have a branch back to full operation in amtter of hours

I believe this is the type of thinking that is needed in the network security industry. There is no "false security" here; banks meet the reality of business operation needs, while at the same time reducing risks and containing both financial and human costs.

Defining A Strategy

In every successful corporation, there exists a very definable hierarchy of goals, strategy, and technology. In all cases, security is subordinate to the business:

• Business Goals

  o Business Strategy

  § Security Goals

  · Security Strategy

  o Security Process

  o Security Technology

When you get around to hiring that "security czar", you may want to ask if he or she is familiar with Sun-tzu's principles of strategy. Sun-tzu set down principles of strategy 5,000 years ago in the Art of War that remain required reading for all US military academies. The Art of War is about using strategy that leverages your own strengths to obtain your goals. The strategies Sun-tzu discusses apply to modern business today.

Security tacticians employ technologies to win battles in our ongoing war in cyber space. But remember that American Civil War General Robert E. Lee, considered to be one of the greatest tacticians of all times, was no strategist. His opponent, General Ulysses S. Grant, wasn't a great strategist, but he did understand and appreciate strategy. Grant looked "the big picture" and formulated a few keys strategies that ultimately defeated Lee and won the war.

Strategy considers your whole corporation: goals, business plans, culture, strengths, weakness, technologies; partners, suppliers, etc. Seemingly small process changes or technology applications, performed as part of an overall corporate security strategy, will make large security improvements at small cost. Ultimately, security is not about technologies like VPNs, smart cards, secure protocols, firewalls, or bunkered colo's. Security is about defining a strategy that supports your corporate business, a strategy that acknowledges your weaknesses while utilizing your strengths to build a security infrastructure that maximizes the corporate bottom line.

>Involvement Is Key

Security threats will never go away and security measures will never be perfect. The final key in developing "real security", instead of "false security", is a corporate team approach that crosses every organization, from the CEO's office down. If security is not a prime consideration in daily business operations for every single employee, then your corporation lacks a creditable security program to support your corporation's business goals. It takes only one weak link in the chain from top to bottom to allow "cyber pirates" to seize your corporate intellectual wealth or blockade your new business strategy. Corporate management must lead in defining security goals for the corporation's business strategy to succeed. And once established, they MUST support them. Finally if these goals are not embodied in a security strategy and program that is grounded in the reality of your day-to-day business operations; then I submit that your corporate security program has created False Security.