I launched a new security-related service a few weeks ago. I spent many hours working on the website, including the service description and what I thought was a good explanation of why people needed it. I then sent the link to my trusted inner circle. To my surprise, the nearly universal response, including from some very bright folks, was that they did not understand what it was. This was a humbling experience, and cause for reflection.

Those of us who spend most of our time immersed in the intricacies of information security are quite comfortable with the free use of terms like threat intelligence, defense-in-depth and forensics, much as two doctors would use specialized language when talking to each other (can you say heminephrectomy?).

With studies continuing to show poor adoption of basic information security practices by small and medium businesses, it occurs to me that those of us who call ourselves information security advisors may be doing these organizations a disservice by making security sound so complex that they don't even bother trying to achieve the basics. That is sad, given that basic practices are neither hard to understand nor hard to implement.

For larger organizations, the effect may be just the opposite. These organizations, with more money than time, make large investments in expensive products with fancy names, assume those products have them covered, ignore the fundamentals, and suffer the almost inevitable breach. Here I'll demystify some of the basic information security elements for the smaller organization, and remind the bigger ones of the aspects they cannot ignore, despite their large investment in tools.

The perimeter

Think of your security perimeter like the fence around your yard: the idea is to keep the bad guys out. Almost since the inception of modern information security, the firewall has been that fence.
The perimeter and the firewall have been a topic of much debate in the last couple of years, with many industry experts claiming that the perimeter no longer matters. With smartphones, VPN connections and the like opening holes in what used to be a single point of entry, some feel it is a wasted effort. In my opinion, and after much experience in the trenches of business information security, you need a good firewall, period. You need a strong product, and it needs to be configured properly, not just taken out of the box and plugged in: at a minimum, that means a default-deny policy for inbound traffic, with only the services you deliberately expose explicitly allowed, and no inbound rule you cannot explain. True, a firewall is not perfect, and not as good protection as it once was, but it remains your first line of defense.

Insiders and identity management

Now that you have a basic perimeter defense, it is time to turn your attention to the people intentionally inside your firewall: your employees and contractors. They can do more damage than anyone on the outside. In fact, in a recent interview with SC Magazine, Rashmi Knowles, RSA's chief security architect, said that "people are the new perimeter." While I stand by my earlier comments about the perimeter and firewalls, there is no question about the importance of your own people in keeping the bad guys out, or, as is more often the case, unwittingly letting the bad guys in.

You should start by making sure you don't hire the bad guys in the first place. Background checks on employees, particularly those in IT and other critical areas, are key. A bad actor on the inside could quickly wreak havoc on your operation.

Since so many insider-related security breaches result from error rather than malice, your starting point with your team is awareness training. They need to understand what they must do to keep the organization safe, and what they must not do that would jeopardize it. In its most recent "Information Security Breach Survey" in the UK, PwC reported that when asked about their single worst breach, half of respondents indicated it was caused by insider error.
There are many resources available on the Internet to help with this training, from video-based products to free outlines. Train your employees, and keep training them.

Finally, to make sure your employees do not accidentally or intentionally cause you security issues, you need to control what they are able to see and do. Even if you trust them, make sure their privileges are only those required to do their jobs, and review those privileges when people change roles, since access that is never revoked is how "only what they need" quietly becomes "everything they ever needed." Excessive privilege can turn a simple mistake into a catastrophe, or give a criminal act the access it needs.

Know and manage your risks

When I go to Home Depot without a list, I often end up forgetting some of the things I need, resulting in additional unplanned visits. The same is true of your information assets: you cannot protect them unless you know what they are and what each is worth. The risk assessment is quickly becoming the basic currency of regulatory compliance. Every major body of regulations requires a formal risk assessment. Even if you are not regulated, you probably are, or will be, providing services to a company that is, and given third-party requirements you will need to face this sooner or later.

A risk assessment simply involves listing your assets, valuing them, and enumerating the risks to each. Focus on the most valuable, and work down the list from there, building a protection strategy. Your risk assessment process does not need to be extremely formal, but some structure is important. In my recent article, "The dreaded risk assessment," I offered a simplified framework for conducting a risk assessment that will stand up to scrutiny.

The bottom line: the above is not an exhaustive list of things you need to pay attention to in order to keep your network and data safe, but if you properly address all three areas, your chance of making the news tomorrow as another security breach statistic is greatly reduced. So, don't be intimidated by the terminology and complexity.
Rather, dive in fearlessly, and take responsibility for protecting your assets.
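A worked example of the "list, value, enumerate, prioritize" risk assessment process described above. This is added here and is not the column's framework or code: the 1-5 scales, the value x likelihood x impact score, and the sample register are all constructed assumptions for illustration. It also includes the check a reviewer would run first, flagging assets that made it onto the list but never had their threats enumerated, since those would otherwise quietly rank last.

```python
"""Minimal risk register: list assets, value them, enumerate the risks to
each, and rank them so the most valuable and most exposed get attention first.

Added illustration, not the column's framework: the 1-5 scales and the
value x likelihood x impact score are assumptions chosen for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale
    control: str = ""  # existing or planned mitigation, if any


@dataclass
class Asset:
    name: str
    value: int  # 1 (trivial) .. 5 (business-critical); assumed scale
    risks: list = field(default_factory=list)


def validate(assets):
    """Problems a reviewer would flag before trusting the scores.

    The common gap is an asset that made it onto the list but never had its
    threats thought through; unflagged, it would silently rank last.
    """
    problems = []
    for a in assets:
        if not 1 <= a.value <= 5:
            problems.append(f"{a.name}: value {a.value} outside 1-5")
        if not a.risks:
            problems.append(f"{a.name}: no risks enumerated")
        for r in a.risks:
            for label, n in (("likelihood", r.likelihood), ("impact", r.impact)):
                if not 1 <= n <= 5:
                    problems.append(f"{a.name}/{r.threat}: {label} {n} outside 1-5")
    return problems


def score(asset, risk):
    """Higher value, likelihood or impact all push a risk up the list."""
    return asset.value * risk.likelihood * risk.impact


def ranked_risks(assets):
    """Every (score, asset, threat, control) row, highest score first."""
    rows = [(score(a, r), a.name, r.threat, r.control)
            for a in assets for r in a.risks]
    return sorted(rows, key=lambda row: (-row[0], row[1], row[2]))


def asset_exposure(assets):
    """Total score per asset, highest first: the 'work down the list' order."""
    totals = {a.name: sum(score(a, r) for r in a.risks) for a in assets}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample register for a small business; not real data.
SAMPLE = [
    Asset("Customer database", 5, [
        Risk("Ransomware via phishing", 4, 5, "awareness training, offline backups"),
        Risk("Insider exports records", 2, 4, "least-privilege database roles"),
    ]),
    Asset("Public website", 3, [
        Risk("Defacement via unpatched CMS", 3, 2, "monthly patching"),
    ]),
    Asset("Office printer", 1, [
        Risk("Default admin password left in place", 3, 1),
    ]),
    Asset("Payroll spreadsheet", 4),  # listed, but nobody enumerated its risks
]

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print("CHECK:", problem)
    print("\nAssets by total exposure:")
    for name, total in asset_exposure(SAMPLE):
        print(f"  {total:4d}  {name}")
    print("\nIndividual risks, highest first:")
    for s, asset, threat, control in ranked_risks(SAMPLE):
        print(f"  {s:4d}  {asset}: {threat}  [{control or 'no control yet'}]")
```

Run it and the first thing printed is the check that the payroll spreadsheet was listed but never assessed; the exposure table then puts the customer database far ahead of everything else, which is where the protection strategy should start. The multiplicative score is deliberately simple; what matters for scrutiny is that every asset has a value, every risk has a stated likelihood and impact, and the order you work in follows from those numbers rather than from whichever product vendor called last.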