This article is from 2004. Tell me what has changed or is outdated… Perhaps my reference to “SSL” VPNs or “anti-virus” software?
Information security isn’t what it’s cracked up to be these days. Sure, there are vendors out there pushing faster, better, cheaper security products. And, we have all these new fancy systems to protect our digital assets like SSL VPNs, email and wireless LAN firewalls, intellectual property “leakage” appliances (otherwise known as content filtering systems), and more. The problem is that we can’t see the forest for the trees.
We’re applying so-called secure defenses on top of business processes that lack a stable foundation and employees that lack even the most basic knowledge of security. Many security safeguards are put in place just for the sake of thinking our systems are secure without actually thinking things through. I see security dollars being spent unwisely over and over again.
What will it take for us to figure out what really makes information “secure”? With all the money invested in the hopes of achieving some semblance of security, malware attacks are still disabling entire networks; websites are still getting defaced; credit card databases are still getting broken into; and wireless LANs are still being deployed without the least bit of real security in place. You get the point.
I think it’s time to get back to the basics and focus on keeping things practical. You’ve got to think long and hard about whether or not you’d be better off saving the time, effort, and elbow grease required to implement and manage all the “necessary” security technologies that are constantly being pushed down our throats and get down to what really counts. We’ve got to stop adding on all the knee-jerk layers of protection that do nothing more than increase our own false sense of security. Does this mean you should unplug your firewall? No. Get rid of your anti-virus software? Absolutely not! Stop patching your software? Don’t even think about it. Not change default settings to harden new systems from attack? You’re kidding, right?
After you have all the basics down – firewalls, anti-virus, and patching, not to mention people and processes – you should focus on one thing more than any other. This one thing will require a decent budget and some of the most experienced people you can hire. This one critical component that is so often overlooked and not taken seriously is an incident response plan. I’m talking about developing a plan and knowing it like the back of your hand.
Your incident response plan has got to focus on the essential areas including what constitutes an incident, who will be on the team, how incidents will be contained and recovered from, who will be called in for formal investigation, what tools will be used, and how evidence will be handled. Oh, and test it like you’ve never tested anything before. That’s the only way you and your team will learn, be prepared, and find any flaws that can cause trouble down the road.
You absolutely cannot rely solely on your security technologies – or your policies for that matter – to protect your information. When it comes to computers, the bad guys are usually at least a couple of steps ahead of us and seem to always be able to come up with new ways to attack our systems. Thinking you can prevent every type of security breach in your organization is the same as believing that the police will always be there to protect you when harm comes your way. It’s basically impossible to protect against something that has never happened before so you’ve got to be prepared to respond.
You can’t try to make critical decisions during and immediately after a security breach. An incident response plan is your insurance policy and your guide. It’s your only reliable solution to effective information security. I think the growing popularity of the computer forensics field is the proof in the proverbial pudding. Develop, test, and maintain your incident response plan like it’s your saving grace. It will be someday.
You’re free to choose how you manage information security in your organization. After all, it’s an election year here in the U.S., so freedom over security is very fitting these days, right? You’ve got to keep things simple, be wary of the marketing machine, and more than anything else, be prepared to respond to the inevitable security breaches heading your way. Oh, and pardon my negativity – I’m just feeling insecure about security.