This post appeared on the Rackspace Blog last week and I copied it here so that readers of this blog will see it.
You’ve heard it before: information security isn’t easy. There’s no perfect security policy or piece of technology that will protect your business from all attacks. However, security is a process and processes can always be improved.
Last month, the great folks at Accruent invited me to talk about this topic at the annual Accruent Insights 2014 conference held in Austin, Texas. Their users wanted to know more about the Target breach and the Heartbleed attack, as well as strategies for strengthening their security safeguards against unknown threats.
To understand these threats, it’s important to have a good grasp of the basic concepts around information security. Businesses don’t exist to be secure; they exist to build innovative products, create relationships with customers and provide a great work environment for their employees. Security must be woven into the processes that drive a business forward. There’s no finish line for security and it’s rarely successful when it’s bolted on as an afterthought.
Donald Rumsfeld delivered an unexpectedly cohesive summary of modern information security back in 2002 when reporters asked him about the lack of evidence surrounding Iraq and weapons of mass destruction:
Reports that say there’s - that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don’t know we don’t know.
-Donald Rumsfeld, United States Secretary of Defense
Rumsfeld probably didn’t know it at the time, but he summarized the challenges of information security in a few sentences. There are things we know will be problematic (a known known) and we must fix them or prepare ourselves for the damage they may cause. There are other things that we don’t know enough about (a known unknown) and we must learn more about them. The last group, the unknown unknowns, is the most challenging. If you’re looking for a good example of these, just examine the Heartbleed attack.
Dealing with all of these attacks requires a multi-layer approach: preventative, detective and corrective.
The preventative layer reduces your chances of being breached. If you lock your doors or close your blinds when you leave your home, then you already understand the value of the preventative layer. Making the attacker’s job more difficult reduces the chance that they will target you. Let’s face it: most attackers are looking for an easy target. Going after a hard target means there’s a greater risk of getting caught.
However, there are situations where someone has targeted your business individually, and they will do whatever it takes to get what they want. It’s critical to detect that activity as soon as it occurs. At home, we set our security alarms and join neighborhood watch programs. These measures will alert us to attacks that make it through our preventative layers. Businesses might use intrusion detection systems or log monitoring solutions in their defensive layer.
When all else fails, the corrective layer is the last line of defense. This layer consists of the things you must do to remove a threat and return everything back to normal. For property owners, examples of the corrective layer include calling the police, purchasing homeowner’s insurance or acquiring firearms. These mechanisms are much more costly, and they require thought before they’re used.
Each layer gives you a feedback loop for the previous layers. For example, if someone breaks in through a window and takes your TV, you may invest in better detective layers (like an alarm system with a glass break sensor) or preventative layers (like thorny bushes in front of your windows).
If these layers make sense, then you understand defense in depth and risk management. Defense in depth requires you to assume the worst and build more layers of defense (think about castles). Risk management involves identifying and avoiding risk. If you have heirloom jewelry at home, you might place it in fire safe. You’ve just practiced defense in depth (the jewelry is in a locked safe in a locked house) and risk management (there’s a high impact to you if the jewelry is stolen and you reduced the risk).
In summary, good security practice stems from exactly that: practice security each day and make it part of your normal business processes. Security improvements must be made with changes to people, process and technology. The businesses that truly excel in information security are those that insulate themselves from risk-internal and external-with effective preventative, detective and corrective layers.
If you’d like to review the presentation slides from the Accruent Insights conference, you can find them on SlideShare.
I’m always trying to get better at presenting so please feel free to send me some constructive criticism. ;)