Recently in Essential Truths Category

Into the breach


Unfortunately, I have not had much time to read lately. The only time I really get to see a book is just before bed, and then I usually don't read more than a few pages. Because of this, I was a little skeptical about taking on two new titles: The New School of Information Security and Into the Breach. The latter one is at the top of my current reading stack for a number of reasons. First of all, Michael handed it to me personally at Defcon. Secondly, because it has far fewer pages, the chances that I actually finish the book are somewhat greater.

Having said that, I just finished part 2 of the book and my opinion of the book is already a very positive one. Santarcangelo captures the true essence of modern information security: information exists to serve users, and users just want to get the job done. Most people are truly willing to do the right thing, but they need to be enabled and empowered to do so.

When a person is confronted with having to choose between finishing the job in a timely enough fashion for senior management to proceed, versus full and unquestioning compliance with information security controls that might prevent him from getting the job done, it is clear what that choice will be.

Just realizing that is paramount.

Information security must never get in the way of doing business.

And yes, that implies that an information security officer must actually know what the business is all about and how it is conducted.

Essential truth: Never say No.

Shrdlu writes an interesting post on how to explain to non-security people what it means to be secure. Three basic rules:

  1. Have control over your systems.
  2. Check your security frequently.
  3. Educate all your people.

This is an excellent summary.


As an information security professional, everything you do has to lead to one thing only: confidence in information.

In order to achieve this, it is of paramount importance to have excellent working relationships with the people who actually use the information in your organization (the users) and also with the owners of that information. More often than not, the primary users of information are also considered the owners of that information.

Having a separation between information owners, information custodians, and an information security role is a good thing. It allows the owners to worry about the quality of the information (including risks that might affect that quality), the custodians to look after the data within the requirements set by the owner, and the security role to ensure that the owners know what level of protection they should require, and to help the custodians do a good job (see: "Security", whose responsibility).

Scott Wright has a good post over at Security Views. The essence of the post is

"Keep information about your systems simple, neat, documented, and secure."

Especially during an emergency, the last thing you want to have to worry about is where you filed your incident response plan, your contact list, IP plan, etc. Good stuff. Go read it and be enlightened.

This might have to become an Essential Truth!

The essential truth that dictates most of my working day is "better is worse than good enough". I had become aware of this phrase back in my college days, when one of my professors used it often, usually in the context of some form of process modeling or data modeling exercise.

The real value of this phrase is in understanding what you need and what you do not need. Implementing unnecessary controls is bad; trying to become better is worse than accepting a situation that is good enough.

This post's title hardly needs any clarification, and I'll try to keep this post brief. As information security professionals, we generally play a defensive role. Very few of us are given the opportunity and the means to play the game as an attacker. Those of us who do generally enjoy it tremendously and learn a great deal from it.

Being a defender is hard; after all, as a defender you need to anticipate all possible attack vectors that an attacker might deploy against you.

An attacker, on the other hand, can take the time to do reconnaissance, scan our environment, and analyze his findings. Our defenses are visible before they are put in play; an attack is not. Then, based on the analysis, the attacker can focus his attack on what he identified to be the weakest spot in our defensive controls.

As a result, we need to strive to implement our controls (preventive, detective and corrective) as effectively as we can: we must execute with precision and excellence.

The same is true for incident response. Once an incident has been declared, we need to ensure that our containment and eradication efforts do not make the situation worse than it already is, and we need to do so quickly.

We again need to execute with precision and excellence.

If there ever is a place for perfectionists, it is in designing a defensive position.

"The security guy always says no" is a phrase that is heard all too often. Unfortunately, it is usually a phrase based on the reality in which people work. Even if it is not actually the case, often people will think it is. Perception is reality.

Information security has a bad name. We are the people who always tell others that they cannot do certain things in the ways that they feel they need to do them. Often, we do not even give them real reasons: "because that would not be secure" is not sufficient. For a child, there is nothing as frustrating as a parent saying: "because I told you so."

When addressing requests from users, the most important thing to remember is that an information security professional is a service provider, and service providers never say no. It is in our best interest to keep our users happy, to guide them, and to educate them about how to go about certain things. If we really feel that a request is unreasonable, we should be able to convince the requestor of that and have him withdraw the request himself.

Another post from the train. This time I am on my way from Utrecht to Leiden. Leiden is one of the oldest cities in the Netherlands, and proudly houses one of the most well-known universities in the country.

Very often, information security professionals are extreme perfectionists. The nature of our work requires us to be that. Defending against an unknown threat means that we have to be ready for any attack; missing one element or implementing one control in a vulnerable way will expose us to risk that eventually will manifest itself.

However, we also need to realize that perfection is not expected from us. Moreover, one might say that the organizations we work for expect that we will not be perfect. Obtaining a high level of assurance that we will not be faced with an attack is extremely costly, and might be more expensive than the organization is willing to pay. After all, if the cost of protection outweighs the potential loss, most businesses will choose not to protect.

Perception is reality.

For the last few days, I have been thinking about doing a series of blog posts around the theme Essential Truths in Information Security. In these posts, I will discuss a number of lessons that I learned while working in information security.

Today's truth is: Understand what you protect. For an information security professional to be successful, just understanding how to protect a resource is not enough. A deeper understanding of your organization's assets is at least as important: what are the resources that you are trying to protect? How important are those resources to the organization? What kind of controls are appropriate?
