Information Security Principles

JP's Security Principles

I firmly believe in the following Security Principles:

  • 100% security is impossible.
  • 99% security may be possible, but is too expensive in terms of effort, money, time and productivity.
  • The goal is reasonable and adequate security with reasonable and sustainable effort. How you define "reasonable" depends on the value of the information you are protecting. It is not reasonable to spend $10,000 to protect $5,000 worth of information. You need to understand what you are protecting, and the realistic threats you are facing.
  • Security through obscurity is no security at all.
  • The best Security is provided by a defense in depth:
    • Prevention
      • Hardening
      • Least Privilege
      • Separation of duties
      • Strong, published, security policies, with End User awareness
      • Strong change management policies and procedures
    • Protection
      • Firewalls, etc.
      • Anti-Virus & Active Content filtering
      • BCP/DR (Business Continuity Planning/Disaster Recovery)
      • Strong authentication methods (especially for Remote Access)
    • Detection (and Assessment)
      • Monitoring (logs/network/everything), IDS, etc.
      • Security/vulnerability assessments
      • Compliance audits
    • Response (and Correction)
      • CIRT (Computer Incident Response Team)
      • Correct environment based on incidents, assessments, audits and changed circumstances
      • Update policies, procedures and guidelines based on incidents, assessments, audits and changed circumstances
  • Security is a never-ending circular process; there are no silver bullets, and it is fundamentally not a technical problem that can be "solved" with point products.

Some frequently misused or misunderstood terms:

Policy, et al.

Policy
A high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area. They should not be technology specific, and they should change rarely.
Standard
Mandatory activities, actions, rules and regulations designed to provide policies with the support structure and specific directions they require to be meaningful and effective. They are often expensive to administer and should be used judiciously. Standards may or may not be technology specific and may or may not change frequently.
Standard (ISO definition)
Standards are documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines, or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose. (Source: ISO; http://www.iso.ch/iso/en/aboutiso/introduction/index.html)
Guideline
More general statements designed to achieve the policy's objectives by providing a framework within which to implement procedures. Where standards are mandatory, guidelines are recommendations. Guidelines may change more often than policies, but less often than procedures.
Procedure
Spell out the specifics of how the policy and the supporting standards and guidelines will actually be implemented in an operating environment. These are often step-by-step instructions, and are usually technology (e.g. OS) specific. They may change often, as new technologies are introduced.

The source of the above definitions, except as noted, is Information Security Policies and Procedures: A Practitioner's Reference, by Thomas R. Peltier, with additions relating to frequency of changes by me.

Evaluation of your Environment

Penetration Test
A covert evaluation of or attack on the environment, specifically looking for security vulnerabilities to exploit, and often stopping at the first successful penetration. In my view, penetration tests are not worth the time or money, with very limited exceptions. If the attackers are skilled enough, and take long enough, a P-Test will always succeed. So what does that prove? That you hired someone smart enough to break into your network, or perhaps you failed to hire someone smart enough. Either way, of what value is that? None.
Assessment
An overt evaluation of the environment to determine "where you are" and "what you have." In this context, the focus is generally on security and network architecture, but you can (and in fact should) assess your environment for other reasons and with other focuses. In order to plan for the future, you must know where you are. You can then determine where you need/want to be, and finally plan how to get there.
Audit
An evaluation to determine if and how well you are in compliance with an existing set of documented policies/procedures/guidelines/standards/best practices.

DMZ

DMZ
Demilitarized Zone, as in the military usage. This was originally the (sub) network outside your firewall, but inside your ISP router. However, the term has been misunderstood and misapplied to the point where it is now meaningless. Depending on the background of the user, it can mean the network as described above, the network in the middle of a "firewall sandwich," or the network(s) on a three (or more) legged firewall. Thus, I prefer the term "service network" for the network on which Internet accessible services are hosted (which hopefully is the third leg or between two firewalls). And I prefer the term "moat network" for the network outside the firewall, but inside the ISP router, which in itself may provide a layer of protection via access control lists, etc.

CIA

Confidentiality
Information is only accessible by those people or processes authorized to use it.
Integrity
Information is changed only in authorized ways, by people or processes authorized to make the changes.
Availability
Information is available to those people or processes authorized to use it, when it is needed.