


by David Mundhenk

Nick the Barber and information security

Dec 16, 2010 | 9 mins

Questions and observations to help make the right information security decisions (so you don't get scalped)

If you pass by Nick’s Barber Shop in Clifton, NJ, you will see this sign. Nick understands his talents and the repercussions for those who do not avail themselves of his talents.

It’s easy for Nick’s customers to determine the quality of his work, as the results are obvious once his work is done. Based upon the confidence communicated within Nick’s very eloquently written sign in the window of his shop, it is a safe bet that he has many satisfied customers.

In the world of information security, those charged with security operations, support functions and/or management probably wouldn’t appreciate or even fully understand the “hard line” associated with Nick and his message to potential customers.

It is indeed a challenge to measure the quality of work that has been performed in support of preserving and protecting information assets. Some of the many questions include:

  • How does one determine what needs to be in place?
  • How effective are the proposed safeguards and security measures once they are in place?
  • Does the fact that safeguards and countermeasures are in place equate to sufficient security for the assets?

Unlike the immediate qualitative feedback provided by observing a new haircut (or lack thereof, in the case of a bad one), measuring the quality of one’s information assurance program and related controls is not an exact science.

The challenge is that many security groups have had to deal with an increasing caseload of increasingly complex projects, with less staff and budget — all the while with management expecting security to do more with less.

With those thoughts in mind, the following are some of our general observations and questions about Information Security which should help you make the right security decisions, rather than just carrying out security theatre. Or as Nick might say, make the right cut.

Observation #1 — Bad security incidents don’t happen to organizations with a good security infrastructure.

Of course, this is not an absolute. But if you look at circumstances surrounding major breaches, penetrations and the like, more often than not, they are within firms that did not have effective and formalized controls in place.

Effective information security is built on risk management, good business practices and project management. Organizations that have taken the time and effort to ensure those items are in place will invariably have better security.

Organizations that take security seriously, and put the people, processes and technologies in place to facilitate that, are much less likely to be at the receiving end of a serious security breach. They are also usually in a much better position to effectively and quickly respond to a breach should one occur.

Question #1 — What is your information security budget?

There is no magic number for what your specific budget should be. According to The Hitchhiker’s Guide to the Galaxy, The Answer to the Ultimate Question of Life, the Universe and Everything is 42. But the initial answer to almost every information security question is: it depends. These dependencies are based on numerous factors, and each factor must be considered and calculated before an accurate solution can be ascertained.

Security budgets have numerous inputs, just a few of them being: industry, risk, geographic location, customer expectations, amount/types of applications supported, infrastructure complexity, amount of staff outsourced, amount of business outsourced, and more.

Firms that don’t have an adequate budget for information security are setting themselves up for failure. Firms that have created adequate budgets pragmatically realize that information security spending does not cost; it pays dividends on the initial investments made.

The ultimate goal is to make your security budget and everything around it like a custom-fit suit. It costs more in the beginning, but ultimately provides a much better fit and look in the long run.

Observation #2—The cost of security hardware and software purchased has no direct effect on the level of security that you will have.

It’s not how much you spend; but rather how judiciously you spend, and what it is spent on. Spending $750,000 on a few hundred IDS sensors without someone behind the SIEM console yields marginal rewards.

We have found that organizations that have performed formal risk assessments, detailing what their specific risk matrix is, may spend less on security products, more on good security people, and have a much more effective level of security controls in place.

Question #2 — What is your information security staff size?

Once again, there is no magic number as to how large your security staff should be. The main point is that there is adequate staff to deal with the entire lifecycle of information security. There are many ways to organize staff. A simple three-part division — divided into roughly the following areas: policy/process, reactive and proactive — is often a good approach to take. Of equal importance is the chain-of-command reporting structure, taking special care to ensure a distinct separation of duties for those activities that require it.

As to specific numbers, reports such as IT Metrics: Office of the CIO Staffing Report, 2010 from Gartner can be used to determine a very rough range. But the best firms use such reports only as a secondary source, instead using their own primary research to determine the specific dollar amount that they should spend.

Policy and process staff members work on creating and implementing the strategies and procedures needed to make information security work. Having staff work on a strategy-focused approach feeds into the operations groups that facilitate the ability to proactively address risk.

Reactive staff works on day-to-day activities, including system administration, firewalls, IDS, logging, change control, patching, working with auditors, etc.

Proactive staff works to ensure that new technologies, regulations and other compliance issues are dealt with, and handles new product testing, etc., in order to ensure future growth.

Question #3—How many open source tools have you customized?

Observation #3—Firms that customize open source security tools have a more effective security infrastructure.

This question and subsequent observation go together. A problem many firms experience is that executives regard the commercial security products they purchase as pixie dust. They expect to put the appliance in the rack and that their security problems will magically go away once the appliance boots. In addition, there are those who have a philosophical issue with utilizing open source systems.

Open source tools that need to be configured and compiled take more of a custom engineering approach to solving a problem. They can’t be instantly downloaded and installed. Those that take an engineering approach will inevitably have better success in dealing with information security than those who don’t.

The fact that something needs to be customized generally indicates that those doing the customization understand the problem, and how to customize the tool to fix that problem. In line with observation #1, firms that use customized open source tools will spend significantly less on these tools, and often routinely achieve a higher level of security.

Speaking of engineering and strategy, two good books that should be on everyone’s reading list are Security Engineering: A Guide to Building Dependable Distributed Systems and the new Security Strategy: From Requirements to Reality.

Observation #4—Security abhors a vacuum and works best in a framework

Someone once stated that the great thing about frameworks is that there is usually more than one. Depending upon a specific organizational or business mission, there can be myriad recommended security frameworks to be embraced. Many share much common core content; however, there can often be distinctly different opinions on how to implement the specified recommendations.

There are a number of good security frameworks on which to build your security foundation. The main benefit of a good framework is that it makes the integration of new technologies, process and regulations relatively seamless. Those firms that lack a framework will often have to repeatedly redo the same process.

A framework encompasses the assumptions, concepts, risk values, and security practices underlying an organization’s information security infrastructure.

Frameworks are needed now more than ever because today’s enterprise security projects are likely to be more complex than those of years past. Frameworks enable organizations to demonstrate compliance across geographically and functionally diverse sets of business units. And adherence to a recognized security framework can bolster your case that you are in compliance with sweeping and often vaguely defined new laws and regulations.

As to which framework to use, it depends on needs, industry, etc. The question is not ISO 2700x vs. CoBIT, ITIL vs. OECD or BITS vs. ISSAF, OSSTMM vs. OWASP; rather, which works best and best supports your organization. [Editor’s note: Also see CSOonline’s examination of four key IT risk assessment frameworks.]

Observation #5—Someone has to stop the security buck

It’s irrelevant whether you call this person a CISO, CSO, BISO, CxO; unless someone is responsible for providing oversight and accountability for information security, it will not occur. To be successful, this role requires an individual with strong business savvy and security knowledge, someone who can oversee security planning, implement policies and select measures appropriate to business requirements.

A perfect fit for this spot is someone with a deep understanding of technology, combined with an understanding of the organization’s function, politics and business drivers. We have found that electrical engineers who also have an MBA are perfect candidates.

In the end, if there is no one to stop the security buck, there is no security.


There is a belief that information security is rocket science. While encryption internals are built on complex mathematics and number theory, most of information security is not like that. Effective security requires not a PhD but rather attention to detail, good design, combined with good project management and documentation.

Ultimately, it comes down to the fact that if you have information security problems, you have no one to blame but yourself.

David Mundhenk, CISSP, PCI-DSS & PA-DSS QSA, QPASP, is a Security Consultant with a major professional services firm.