Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Fortune Cookie advice for December:

Be mindful of the security message you deliver to your customers and how it is interpreted

Rallying your populace to be security savvy is a worthwhile investment and must be approached with the appropriate diligence. It is not enough to haphazardly deliver security information and walk away. If it is perceived as ‘junk-mail’, it will be treated as such. Information security must be understood and applied in order to make a difference. This embrace will only occur if the audience understands not only the message, but also why it is important and the overall context. Every good communication program draws in the audience by letting them know how it applies and benefits them.

If we want to be successful, we have an obligation to understand what is being absorbed and how it is being interpreted.

Andy, ITGuy has a great post (check out the picture for a good laugh).

“How we communicate our security plans has to be in a way that the user will understand and that will make them want to work with us”.  This is key, as ultimately it is a partnership between dedicated security folks and the organization they protect.

Additionally, Mike Rothman has some great follow-up comments which I think nails the right perspective:

“effective communication is based upon the perception of the person on the other end”. Sounds basic, but how often do we ignore this fundamental principle in our rush to deliver our message?

If you are interested in good security insights, consider subscribing to Andy,ITGuy and Mike Rothman’s blogs. They mix perspective, humor, to timely issues.

So am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - May 2008

Everyone wants information security to be easy. Wouldn't it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don't try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

Common Sense

I think the key to fortune cookie advice is ‘common sense' in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

Here is my Fortune Cookie advice for November:

When it comes to employees and how securely they use their system, "trust, but verify".

We give them tools, harden their software, teach them good security practices, and reward them for safe behaviors. But end users may still cause great harm to their computers and more severely, the organizations data, systems, and operations. Trust must exist, but every security pro worth his salt, is paranoid with good reason.

It is not practical to wall out our own users. Some level of trust must exist. I believe the right balance for most organizations which maintain mature foundational controls, is to “trust, but verify”.

Made famous by former US President, Ronald Reagan, this quote was applied to situations where another party possesses the capability to do harm but agrees to refrain, for the greater good. Trust they will act appropriately, but maintain diligence to validate.

In the information security world, we too can strike the balance of security and functionality by allowing end users access to do their work effectively, while maintaining verification controls to insure they are not causing themselves or others unacceptable harm. This is no substitute to good training, security awareness, security tools, etc. as part of preventing undesirable events. But detection capabilities are a key element to a good defense in depth security program, which can allow more of a tradeoff between risk and productivity.

So am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.

Information Security Defense In Depth Whitepaper is Now Available

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - May 2008

Deconstructing Cyber Security Attacks - Threat Model

Defense in Depth Information Security Strategy

Want to get serious about Information Security? It is time for a Defense in Depth strategy. Interlocking Prediction, Prevention, Detection, and Response capabilities is the key. As no single solution provides comprehensive security, the way to achieve optimal security bliss is to apply a Defense in Depth approach of complementing capabilities to protect your computing environment and the data within. This strategy is highly effective at providing security assurance, cost efficient, scalable to large organizations, adaptive to changing threats, and proven to work.

The concept is straightforward. Establish a system of capabilities and services which align to attackers, their objectives and the methods they are most likely to attempt. Couple this with an understanding they will succeed sometimes and embed the fact at every turn there exist a learning opportunity to improve the system.

!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-10702-1127/DefenseinDepth.JPG!

Prediction:

Security threats are about opposition. These threat agents are living, breathing opponents who are creative, knowledgeable, motivated, and have personal objectives in mind. These agents utilize available methods and resources to achieve whatever goals they seek by leveraging vulnerabilities in people, computing systems, and communication networks. In total, this represents a massive potential target landscape to be protected, edge to edge. Good luck.

The reality is you can't protect against everything and everyone. It is too cost prohibitive and in most cases impossible anyways. Although the truly paranoid may disagree, not everyone is interested in attacking you and within the realm of possible attack methods; it is more than likely only a few would be employed. The "path of least resistance" rule applies here.

A common pitfall is to rely exclusively on vulnerability assessments to determine where to focus. Although vulnerability assessments are valuable, they are misleading if the only source for Prediction. Understanding your opponent is fundamentally different than being aware of the weaknesses inherent to your environment. The result will be expending effort on areas which will never be targeted for exploit. Consequently, fewer resources will be available for areas under siege.

The best security professionals understand the relationship between attacks and the environment they protect. They marshal their resources to intercept the most likely attack vectors for the greatest effect. Prediction is the first step in the efficient use of security resources. Knowing why your organization would be attacked, likely targets, and the ‘easy' ways which tantalize attackers, provides the insights necessary to prevent such incidents.

Prediction:

Security threats are about opposition. These threat agents are living, breathing opponents who are creative, knowledgeable, motivated, and have personal objectives in mind. These agents utilize available methods and resources to achieve whatever goals they seek by leveraging vulnerabilities in people, computing systems, and communication networks. In total, this represents a massive potential target landscape to be protected, edge to edge. Good luck.

The reality is you can't protect against everything and everyone. It is too cost prohibitive and in most cases impossible anyways. Although the truly paranoid may disagree, not everyone is interested in attacking you and within the realm of possible attack methods; it is more than likely only a few would be employed. The "path of least resistance" rule applies here.

A common pitfall is to rely exclusively on vulnerability assessments to determine where to focus. Although vulnerability assessments are valuable, they are misleading if the only source for Prediction. Understanding your opponent is fundamentally different than being aware of the weaknesses inherent to your environment. The result will be expending effort on areas which will never be targeted for exploit. Consequently, fewer resources will be available for areas under siege.

The best security professionals understand the relationship between attacks and the environment they protect. They marshal their resources to intercept the most likely attack vectors for the greatest effect. Prediction is the first step in the efficient use of security resources. Knowing why your organization would be attacked, likely targets, and the ‘easy' ways which tantalize attackers, provides the insights necessary to prevent such incidents.

Prevention:

This is where the magic happens. Preventing or deterring attacks is where everyone wants to be. Given the insights of Prediction, which includes incorporation of industry best-known-methods, you can put forth a front line of defense representing the bulk of your cost efficiency. The purpose is to render ineffective the most likely methods the attackers will employ and deny the attacker's their objectives.

Prevention can take many forms, both technical and behavioral. Here are some examples, but don't take this as a complete list or even a recommendation, as selecting the right prevention solutions is specific to the environment and organization. Policy, security awareness, web proxies, and email filters are examples intersecting people based attacks. Computing systems can be protected with anti-virus, system hardening, compartmentalization, authorization and authentication controls, host firewalls, and timely patching to name a few. Communication network attacks are prevented mostly with high speed automated technical solutions such as firewalls, proxies, as well as secure device configurations and a good network architecture plan.

At its best, a solid prevention plan will eliminate threat agent's easy attacks and protect those critical assets most sought by the attackers. Doing a good job here translates into the biggest bang for the security buck.

"Two types of victims exist: Those with something of value and those who are easy targets. Therefore, don't be an easy target and protect your valuables."

Detection and Monitoring: ( ...when the security drums fail - video)

Unfortunately, at some point a number of attacks will succeed. Although it is most efficient to deter or prevent attacks, ignoring those that do get through the front line defenses is ill advised. Security incidents and intruders must be promptly identified, cornered and squashed like bugs. The first step is the ability to rapidly ascertain when the Prevention defenses have been breached and track the actions of the buggers. Detection and monitoring capabilities sound the alarms and direct the Response resources to the source. Speed and accuracy is most important in detection. However, it must be designed to look in the right areas as it is cost prohibitive to watch everything. Again, Prediction can play a role in deciding what to watch as well as how to monitor.

Response & Recovery:

How an organization responds to successful attacks will have a great determination on what residual losses are finally realized. When an event occurs, having the right processes, people, tools, and capabilities in place to contain the security event is critical. Time is on the side of the attacker. The goal of the security professional is to eradicate the security problem and restore the environment to normal operations. This may range from minor efforts to catastrophic recovery. The earlier the Detection capabilities alert the organization, the easier it is to corral the issues and recover. The savviest attackers are stealthy. They want plenty of time working on achieving their objectives and they dig deep like an infected tick. The longer they have inside, the more damage they can cause and become progressively more difficult to eradicate.

Don't be caught without proper Response and Recovery capabilities. Inability to restore the organization to a safe and normal state, translates to hemorrhaging money, time, resources, productivity, and maybe worse.

Continuous Improvement:

Information security is a continuous process. Key learning's from every event can improve individual areas as well as feed the Prediction services, thus giving a better understanding for the next time around. Defense in Depth can successfully be managed centrally or in a distributive model, as long at the overall strategy remains intact and interactions drive continuous improvements.

If you are ready to take the Defense in Depth plunge, you will be rewarded. Interlocking your strategy in a coherent manner gives better insights to reach and maintain your optimal level of security.

The Problem of Measuring Information Security

Getting a Return on IT Security Investment

Information Security Defense In Depth Whitepaper is Now Available