Security is not a Product You Buy
By Erik Petersen
One of the most common management mistakes
regarding security is to think security is a product you buy.
Corporations know they must spend money to secure their information
assets, but they often misspend their money on a hodgepodge of
security products, leaving gaping holes for hackers and insiders
to walk right through.
You must have a Security Policy
Any company of any size must
have a security policy. If there is no policy, there is no security
strategy, and without a strategy, departments will aimlessly purchase
security products to satisfy narrowly focused tactical needs.
A good security policy clearly spells out the security goals for
everyone in the organization, but it spells out the goals broadly.
For example, every company should have a password policy. The policy should state the need for password strength, what that strength entails, when passwords expire, and how passwords may be stored (not on a sticky note in the top drawer or under the keyboard!). But there are many ways to implement a password policy like this, so the policy should not go into implementation details. Implementation will vary with the technology: the passphrase protecting a private key in a Public Key Infrastructure is maintained differently from a workstation login password. A policy should also not go into hardware-specific details. Hardware changes all the time; the need for a certain level of password protection does not. The same caution applies to the rules themselves: current guidance (NIST SP 800-63B) discourages mandatory periodic expiry and composition rules in favor of length, screening against known-compromised passwords, and forced change on evidence of compromise, so a policy that states the goal (credentials must resist guessing and be replaced when compromised) outlives one that hard-codes a rotation interval.
A corporation should see its
security policy as an opportunity to explain to everyone, in every
division, what the unifying information security strategy is,
and then leave it to those divisions to develop the right tactics
to satisfy the strategy.
The Organization must have Security Awareness
Security policies are useless if they are distributed to people who know nothing about security, or do not care. Strategies will fail when the managers who must develop the tactics try to do so in a vacuum. The answer to this problem is simple: education. Consider this real-world example. You pour all of your resources into enterprise-wide security applications (PKI, intrusion detection systems, firewalls, and so on) but neglect training and awareness. One day someone with a very convincing story calls a secretary and asks her for a password for the VPN. She wants to be helpful, so she gives it out. This is called "social engineering" in the hacker world, and it happens all the time. Most hackers learn how to sound convincing, talk in the company's own jargon, and impersonate superiors. The countermeasure is procedural rather than technical: credentials are never read out over the phone, and a reset or access request is verified by calling the requester back at a number already on record before anything is done.
A security awareness program
should be well advertised and distributed, even to the most general
users. The entire company must be kept up to date on new policies,
standards, and new procedures, and when these new procedures are
implemented, the users must be trained.
Risk Analysis and Risk Assessment
Before your company can develop
a security strategy, it must understand what needs to be protected.
What are your key assets? What is the company mission? What information
must be secured to protect those assets and ensure the mission
can be accomplished? After these questions are answered, a comprehensive
risk evaluation is essential. A risk evaluation should allow an
organization to see:
- Important information assets and their relative
values
- Threats to those assets
- Security requirements
- Current protection strategies and procedures
- Vulnerabilities to the organization
It is critical to understand what assets need to be protected, the internal and external threats to those assets, and where the organization is most vulnerable. Proper risk analysis allows for focused risk assessment. The assessment should be comprehensive and touch on every avenue of intrusion, from network-based penetration to social engineering.
Technology Evaluation
Regrettably, there is no way around this fact: if you want security, it is very likely that you will need to acquire security technology. Someday security will be built into technology, but that day seems years away. Any enterprise system will need to be secured with some of the standard technology tools, such as firewalls, virtual private networks, vulnerability scanning tools, intrusion detection systems, access control tools, public key infrastructure, encryption, and so on. But products are not enough, and they do not, in and of themselves, buy you security. All too often we have consulted for companies that had spent a sizable portion of their budget on security technology that they did not implement correctly. On one consulting engagement we found that a single misconfiguration allowed a straight shot from the Internet, through two firewalls, and right into the IBM AS/400 on the interior network, bypassing the intrusion detection systems along the way. Another typical technology mistake is failing to harden the existing foundation before adding layers of security on top of it. It is a waste to spend money on good security technology only to surround it with old, unpatched, easily penetrated systems, which expose the expensive new technology to easy intrusion. Routers and operating systems, for example, should be hardened (unneeded services disabled, patches current) and their native encryption enabled, so that administration traffic does not travel in cleartext.
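As an added example (not from the article and not Polar Cove's own code), the following Python script shows how the kind of misconfiguration described above can be caught before a consultant finds it. It models two firewalls in series with first-match rules and traces probe packets from the Internet toward an interior host, reporting every path that is allowed end to end and naming the rule that let it through at each hop. Every ruleset, address, host and rule name below is constructed for illustration: the "vendor-support" rule on the outer firewall plays the part of the single over-broad rule, and the inner firewall's "admin-to-host" rule accepts any source because its author assumed the outer firewall would filter. The corrected rulesets show the same probes after both rules are tightened.

```python
"""Trace probe packets through two firewalls in series to find a path from
the Internet to an interior host. Added example; the rules, addresses and
names below are constructed for illustration, not from any real engagement."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    port: Optional[int]    # None matches every port


def _contains(cidr: str, ip: str) -> bool:
    """True when the address falls inside the CIDR ("any" matches everything)."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def first_match(rules: List[Rule], src: str, dst: str, port: int) -> Optional[Rule]:
    """First-match semantics, as on most packet filters: the first rule whose
    source, destination and port all match decides; no match means implicit deny."""
    for rule in rules:
        if _contains(rule.src, src) and _contains(rule.dst, dst) and rule.port in (None, port):
            return rule
    return None


def exposed_paths(firewalls, probes):
    """Send each probe (src, dst, port) through every firewall whose protected
    network contains the destination. A probe allowed by all of them is reported
    together with the rule that let it through at each hop."""
    findings = []
    for src, dst, port in probes:
        hops = []
        blocked = False
        for fw_name, protected, rules in firewalls:
            if not _contains(protected, dst):
                continue                      # this firewall is not on the path
            match = first_match(rules, src, dst, port)
            if match is None or match.action != "allow":
                blocked = True
                break
            hops.append(f"{fw_name}:{match.name}")
        if not blocked:
            findings.append({"src": src, "dst": dst, "port": port, "hops": hops})
    return findings


# Constructed topology: Internet -> outer FW -> DMZ (192.0.2.0/24) -> inner FW -> internal (10.0.0.0/8)
DMZ, INTERNAL = "192.0.2.0/24", "10.0.0.0/8"
HOST = "10.1.1.5"          # interior host an attacker would want (constructed address)
JUMP = "192.0.2.20"        # DMZ jump host admins are supposed to use (constructed address)

OUTER_BAD = [
    Rule("web-to-dmz", "allow", "any", DMZ, 443),
    Rule("vendor-support", "allow", "any", "any", 23),        # the single over-broad rule
    Rule("default-deny", "deny", "any", "any", None),
]
INNER_BAD = [
    Rule("admin-to-host", "allow", "any", HOST + "/32", 23),  # trusts the outer firewall to filter sources
    Rule("default-deny", "deny", "any", "any", None),
]
OUTER_FIXED = [
    Rule("web-to-dmz", "allow", "any", DMZ, 443),
    Rule("vendor-support", "allow", "198.51.100.7/32", JUMP + "/32", 22),  # vendor's address, SSH to the jump host only
    Rule("default-deny", "deny", "any", "any", None),
]
INNER_FIXED = [
    Rule("admin-to-host", "allow", JUMP + "/32", HOST + "/32", 23),        # only the jump host may reach the interior host
    Rule("default-deny", "deny", "any", "any", None),
]
FIREWALLS_BAD = [("outer", "any", OUTER_BAD), ("inner", INTERNAL, INNER_BAD)]
FIREWALLS_FIXED = [("outer", "any", OUTER_FIXED), ("inner", INTERNAL, INNER_FIXED)]

# Probes from an arbitrary Internet address (constructed) toward the interior host and the DMZ web server.
PROBES = [
    ("203.0.113.9", HOST, 23),
    ("203.0.113.9", HOST, 443),
    ("203.0.113.9", "192.0.2.10", 443),
]

if __name__ == "__main__":
    for label, fws in (("misconfigured", FIREWALLS_BAD), ("corrected", FIREWALLS_FIXED)):
        print(f"{label}:")
        for f in exposed_paths(fws, PROBES):
            print(f"  {f['src']} -> {f['dst']}:{f['port']} via {', '.join(f['hops'])}")
```

Real packet filters match on more than this (protocol, interface, direction, NAT, connection state), and a real audit would export the live rulesets rather than hand-type them. The point carried over from the article is that the check is written as a statement of what must never be reachable, independent of which vendor's product enforces it, and it is rerun whenever a rule changes.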
What is the key to Security?
Process, Process, Process! If you are going to take securing your information assets seriously, you will have to depend on a strong management process, education, assessment, awareness, and, yes, sound technology. Security must be an ongoing, iterative cycle: creating new processes, revising old ones, and developing new tactics to address new threats. And most important of all, security must include everyone in the organization, from top to bottom.
Unless information security is
a corporate and management goal, turned into a process, and then
engineered into the enterprise, a company exposes its mission
and its assets to considerable risk.
Contact us
For any questions you may have, contact us at 1-401-454-3939. Our Polar Cove representative will answer and assist you with your specific needs.