It’s not about the technology. It’s not about the latest firewall or encryption tool. It’s not even about the daily flood of vulnerabilities and patches.
Effectively protecting a network, and ultimately the company’s health and welfare, comes down to one thing — the philosophy of security.
That’s what Kevin Day, a security engineer, entrepreneur and author, is trying to get across to people in both his consulting business and now in his new book, ‘Inside the Security Mind — Making the Tough Decisions’. Day says that successfully securing a network is not dictated by budgets and buying cutting-edge technology. Day, who has been a consultant with and co-founder of Relational Security Corp., says it’s more intimately tied to fostering a `security mind’ and weighing everything — every single thing — the company does against a set of rules and questions.
It’s all about the philosophy, stupid.
Q: How are companies doing? Are they, in general, any safer now than they were two years ago, five years ago?
Yes, companies are somewhat safer. The biggest thing that has come about is that we’ve conquered the idea that security isn’t a question. Before, people were wondering if they really needed a firewall. Were there really hackers out there? The problem we’re dealing with now is the maturity level of corporate ideas on how to deal with security. We have products — firewalls, authentication, identification — and the IT budget is going directly to products and less to a more corporate understanding of security. That will be our next hurdle. We’re more secure because we recognize the problem. But we still have companies being broken into left and right.
Q: In your book, you talk about the ‘security mind’. What is that?
There are a number of trigger events that make people think they need security. You have to get beyond those triggers. The idea of the security mind is a philosophy — how to recognize when you need security, and the fundamental concepts of how security should be applied. It will teach you how to recognize security in everything and not just in these individual trigger events. For example, you’re called into a hospital as a consultant because they’ve got a new WAN link they want to secure. They didn’t see that they needed to secure the information itself.
Q: How can we change our thinking?
It comes down to an essential series of rules. Take any situation and run it by eight concepts that I go over in my book. Give each a little consideration. It should be enough to make sure you’re thinking about security in the right ways.
Q: Give me an example of a few rules.
The rule of least privilege — When we allow access to something, are we allowing access to only those people who need it and under the context that they need it? Take exactly what access needs to happen and limit it directly to that. Assume that any other access is going to have an exploit around it.
Another example is the rule of the Weakest Link. Look at security from the standpoint that your worst point of security is representative of your security overall. We’re putting in 128-bit encryption and plugging holes, but we’re allowing someone to dial up from home. When you hear of break-ins, they happen through these little holes. Every time you degrade it a little bit, you degrade all your security.
Q: So what is the philosophy of security?
The average person in IT has been trained to see security as technology and solutions. It gives us a warm fuzzy feeling — something to focus on and embrace. When you’re talking about 50 technologies and 100 solutions, you can’t breath because there’s so much going on. That causes havoc and it forces people to struggle to keep their heads out of water. If you make it a part of your daily thought process, you dont have to struggle to keep up.
Q: In your book, you say, “Security can be accomplished without having to know every vulnerability’. Right now, IT and security managers are struggling to keep up with vulnerabilities and patches. How can you say that’s not important?
Security can be accomplished without focusing on the details. Every day there’s at least one new patch. IT managers don’t have time to breath. I’m not saying forget about security patches, but I am saying the focus needs to be on how are we applying patches in general. If you list 20 patches and decide to apply this and this because it’s more critical, you’ll be doing that a thousand times a day. You need a philosophy of how we are to manage patches. Say Microsoft has an exploit in SQL server. Companies are so trained to say we need to get this patched, that they don’t recognize the idea that they may not need SQL server on that system. Or if we need it on the system, we don’t need to allow external access to it.
Q: You also talk about IT managers needing to make the tough decisions. What kind of decisions are you referring to?
There are tough decisions all the time in terms of access, partner connections, allowing home users, installing new applications and making them available online. The decisions are becoming tougher to make. It actually makes a lot of people think of giving up on security. How do we make them? The first key is to recognize the security issues involved in every decision. That goes back to the philosophy. If you go into it with a philosophy, then you see security within the everyday decisions. It teaches you how to integrate this into your overall corporate philosophy with your users and managers, and you can create a security culture.
Q: It sounds like you’re talking about the Zen of Security Maintenance.
We’ve been so inundated that we’ve lost the higher mind. It’s driving people crazy. You have to train your mind to think about security and not get lost in the technology.