Philosophy of Information Security: a Security Professional’s Perspective

By Ernie Hayden | January 1st, 2009 (last updated 2022-03-29)

The day-to-day life of a Chief Information Security Officer (aka CISO), a Business Continuity Director or a security/disaster recovery professional is definitely one full of excitement, boredom, concern, wonder and even sheer terror! The issues faced by these individuals and their staffs range from technical security to business security to strategic security challenges. The issues also include broken equipment, buggy software and, of course, human error and omission.

I have been the information security leader for several organizations ranging from software development for the energy business to a major US west coast airport/seaport to a healthcare organization. During my tenure in these positions, I’ve found that a collection of philosophies continue to surface that I’ve come to use and rely upon to help me through the many challenges and decisions, but also to help me communicate the challenges, problems and solutions to my executive management.

Presented below are some key security philosophies and “mantras” I hold. They aren’t in any particular order or hierarchy, but I trust you will find them consistent with some of your own thoughts. Perhaps, though, you will see some new ones or at least learn some new ways to look at the problems and solutions we face today.

Philosophy #1: Protect the Data!
In today’s “information-based” society, it should be recognized that an enterprise runs on its “data.” In other words, without the data and its protection, the organization may not be successful. This data can include electronic data as well as documents and portable media. As important as this issue is, because of widespread awareness of its criticality, we won’t go further in this article.

Philosophy #2: The First Line of Defense is the Individual User
Every employee at a company who uses, moves, transports, files, disposes and creates information and data is critically important to the success of the data and information security program. The user’s actions or failures to act in some instances can result in exposing the company to some very risky situations.

What does this really mean to you – the security and disaster recovery manager? It means that you will only be successful if you make the individual user part of your line of defense.

How do you do this? The approaches are pretty straightforward.

For instance, you can begin with a strong appropriate use policy that lets the user know what they can do, cannot do, and what they are obligated to do regarding company computers, portable media, and business information in general. This procedure or policy needs to raise the importance of the individual from “just a typist” to someone who can immediately identify a threat to the company when they see an issue that just doesn’t seem right – such as a strange series of emails or abrupt changes in the performance of their workstation, etc.

Also, the individual user is usually the one with the laptop computer or USB flash drive that if lost can cause substantial financial harm to the company as well as a serious negative consequence to the company’s stock prices and reputation.

For example, with fraudulent credit card use, the maximum financial threat to a company for abuse of the card should not exceed $1,000. Unfortunately, the loss of a laptop or USB flash drive with 1000 names on it could result in about $197,000 of financial impact, using the Ponemon Institute’s (www.ponemon.org) estimated breach cost of $197 per name.

You cannot do this alone! You need to train, educate, and reeducate your employees on how they can defend the computer/information security of the company in the ways they use their computers, handle their USB drives, and secure their laptops.

Philosophy #3: Be a Little Skeptical – Look at All New Projects, Programs, Tools, etc. with a Jaded Eye
Although you may have heard this adage a few times during your career, today’s security professional really needs to increase their sensitivity in this area because the new ideas in the marketplace are more subtle in their threats and problems due to “unintended consequences.”

Organized crime has been accused of using social network sites for group targeting and/or distribution of computer worms/malware. For instance, MySpace was attacked by the “Samy worm,” which helped the individual obtain over 1 million “friends” in less than one day and severely impacted the MySpace network availability.

Another less obvious concern about such sites as LinkedIn is that this site could be used for social engineering to attack a company. The attacker could use this information for such things as organization chart development, organizational links between individuals, favorite personal interests, etc. to ultimately be used for targeted identity theft, espionage, blackmail, etc.

The point is that you need to look at any new tool, application, etc. the same way a “bad guy” will look at it. As the security professional – aka the paid professional paranoid – you need to be very skeptical of these ideas and look for the ways the tool or idea could be abused, and the ways it could help an attacker make money, steal identities, etc. Then your role is to help ensure mitigation is built into the system in question.

Philosophy #4: If it’s Really Convenient Then Security is Usually Missing
Unfortunately, as I continue to work as a CISO, I am also finding that as a system or feature increases the convenience, in many cases it reduces the security and in turn raises the risk profile of the organization.

My friend Mr. Kirk Bailey, CISO for the University of Washington, and I have been working on a security model showing security versus convenience and the impact of these elements on liability for the corporation. In short, our conclusion is that as convenience is built into some systems, the result is reduced security and consequentially increased risk. We’ve seen this in such things as wireless LANs. In the early days of wireless, the convenience of using your laptop just about anywhere was fantastic. Unfortunately it also revealed such things as easier man-in-the-middle attacks where individuals could eavesdrop on computer conversations that were otherwise protected on the hardwired LAN.

Philosophy #5: Include Security Early and Often in your Projects
The cost of fixing a problem after a project has been implemented and underway is a lot more expensive than fixing it in the design phase. The same applies to security. It is really in your company’s long-term interest to include the Software Development Life Cycle (SDLC) model in your application development and implementation projects. The SDLC approach will include security review early in the project – especially during design review, architecture analysis and threat modeling.

Inclusion of security and disaster recovery overview early in the project is especially important for applications and projects that are extremely critical for the business or mandate high reliability and availability. In addition, sensitive data, if lost or breached, would be very expensive for the company.

Lastly, being involved early in the project also helps to minimize surprises and keep costs down. The threat of a cost overrun is reduced because the probability of the project being shut down due to the “surprise security review” on “go live” day is very low.

Philosophy #6: Web Applications are the Cybercriminal’s Target


Have you heard about Web 2.0? If not, this is the “new” web application environment we are seeing around us today with emphasis on creative use of the internet, and collaboration among users. Hosted services, social networking sites, wikis, blogs and folksonomies are part of this new thing called Web 2.0. Unfortunately as the internet moves towards more web sites, more web applications and more web-based collaborations, the worldwide cybercriminal communities are taking aim at these new tools of the internet because of built-in flaws, easily compromised vulnerabilities, and tons of interesting data that can be used for identity theft and monetary gain.

Symantec performs semi-annual reviews of the security risks, threats and challenges with a focus on the internet. For the past few years Symantec has noted that almost 60 percent of vulnerabilities on the Internet affected Web applications and of these vulnerabilities, 73 percent were classified as easily exploitable. The message they are trying to send is that a majority of the vulnerabilities on the web are with web applications and most of the time they are easy to take advantage of.

So, what do I do with this philosophy? As a CISO I look to Philosophy #2 and train the web application developers on how to design and build secure code. I also have the security and QA staff test the applications with automated tools and even manual code reviews for the most sensitive applications in order to fix the vulnerabilities and really tighten down on the application so that it does not become another statistic.

Philosophy #7: Assume Breach (or according to the Boy Scouts, BE PREPARED)
This final philosophy can be one of the most difficult to grasp and understand. Again, my security mentor, Kirk Bailey, has helped me understand that this philosophy is a useful one – even though it makes you worry more about the current status of your data.

Essentially this philosophy reinforces the theme of being prepared for your next major data breach or next major security event or disaster. By always assuming there has been a breach of your data – somehow, somewhere, someplace, sometime – you are constantly looking for evidence of the breach, ready for the event and “teed up” to respond, react and increase your protective stance.

One could argue that some if not most of the data breaches we’ve seen in today’s environment would have less of a negative impact on the corporation if they maintained this stance. In one example, a major corporation had two laptops lost within a few months of each other. Perhaps a focus on always assuming breach – even if they thought they fixed the problem the first time – would allow them to be very quick to react and perhaps minimize the impact of the public criticism of the company for making the same error a second time?

Conclusion
These philosophies may not be “perfect,” but I’ve found them to help me be a successful security professional. Because I have a “jaded eye” and recognize that a “new, good deal” may not be so good after all, at least I can help prepare the organization for costs to fix identified problems or better yet, prevent a data breach or security fault in the long run.

These philosophies will give you a taste of true strategic security requirements. Perhaps they can be useful for you.

Published in IT Availability & Security


About the Author: Ernie Hayden

Ernie is an author, speaker and consultant with extensive experience in the power utility industry, critical infrastructure protection/information security domain, industrial controls security, cybercrime and cyberwarfare areas. His primary focus is on supporting projects regarding industrial controls security, smart grid security, energy supply security, and oil/gas/electric grid security with special expertise on industrial controls. Starting in January 2020 he returns to lead and operate 443 Consulting LLC.
