Wednesday, September 12, 2012

The Best in Practice

If we are charged with designing, architecting, implementing, deploying, integrating, training and supporting security technology, processes and policies within our organization, we might discover that this work is really an art more than a science.

Anyone can go out and purchase a solution to provide anything from firewalls to antivirus.  Once those solutions are installed we might be tempted to sit back and be overwhelmed with a sense of security, knowing we've locked out all the potential intruders.  But I would caution anyone who might feel this way, and offer additional advice on how to best practice information security in your organization.

First of all, we can never be satisfied or comfortable with any one technology.  A firewall is simply a port-blocker.  Its rules come down to source, destination, port, allow or deny.  The firewall will either allow traffic on a port or block it.  If the port is open, a standard firewall makes no further inquiry into the traffic - it's considered trusted at that point in your infrastructure.

So if I allow inbound port 80 traffic to a web server, my firewall is basically opening the door from the Internet to my web server on that port.  All traffic is inspected for one thing only, the port - if it's knocking on the port-80 door it gets to come in, just like a visitor who knocks on my door - I just let them in.  I don't frisk them, I don't check their pockets, I don't ask them what they have in their bag or what intention they have.  I just let them walk right in.

The firewall does the exact same thing - so the traffic might be "trusted" from the firewall's perspective, but we must realize that "trusted" traffic through the firewall can also be malicious traffic.  Nothing says an attacker can't use port 80 to attack you - it happens all the time.  The point is that determining whether that traffic is malicious is not the job of the standard firewall.  It is just a port-blocker - port 80 is open or closed.  That's all the firewall does.

When I give presentations to new hires at my organization, I ask them what information security is.  Many times someone will say - having a firewall.  The perception is that if you put a firewall in place, you're secure.  That's as false as saying if I put a lock on my front door, no one can break into my house.

What we must do is understand the function and purpose of our tools and solutions, understand the risks, and then fill in the blanks.  We must fully understand what a firewall is, what a firewall does and what it does not do, understand what sort of risks we are facing, then put other pieces in place to supplement that basic level of security - that front-line of protection.  We might implement an Intrusion Detection/Prevention solution to inspect the "trusted" traffic coming across port 80 into our network - the firewall's job is to allow it - malicious or not.  Then the IPS tries to determine whether that "trusted" traffic is just web server traffic or matches a signature or behavior which indicates a high possibility that the traffic, while trusted, shouldn't be allowed.  That traffic will then be blocked, alerted on, or both.
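To make the division of labor concrete, here is an added example (not from the original post) in which a port-only firewall passes two port-80 requests identically and a signature layer behind it tells them apart.  The rule set, signatures, addresses and function names are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed firewall policy: (destination, port, action). First match wins,
# anything unmatched is denied. Note that the payload is never consulted.
FIREWALL_RULES = [("192.0.2.10", 80, "allow")]

# Constructed IPS signatures, matched against the URL-decoded payload.
IPS_SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./")),
    ("sql-union-select", re.compile(rb"union\s+select", re.I)),
]

def firewall(pkt):
    for dst, port, action in FIREWALL_RULES:
        if pkt.dst == dst and pkt.dport == port:
            return action
    return "deny"

def ips(pkt):
    decoded = unquote_to_bytes(pkt.payload)  # undo %2f-style encoding first
    return [name for name, sig in IPS_SIGNATURES if sig.search(decoded)]

def layered_verdict(pkt):
    if firewall(pkt) == "deny":
        return "blocked-by-firewall", []
    hits = ips(pkt)
    return ("blocked-by-ips", hits) if hits else ("delivered", [])

# Constructed sample traffic (documentation address ranges).
SAMPLES = [
    Packet("203.0.113.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.9", "192.0.2.10", 80,
           b"GET /files?name=..%2f..%2fetc%2fpasswd HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.9", "192.0.2.10", 23, b""),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.dport, firewall(p), layered_verdict(p))
```

The first two samples get the same "allow" from the firewall; only the second layer separates them.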

Once we get this holistic view of the threats and ways to protect our organization, the practice of information security goes all the way to the endpoints.  That is, we find ways to integrate all of our solutions into one organic concept.  I don't look at my security infrastructure as 15 different pieces.  Like the layers of an onion, I look at it as a whole, a complex but interacting web of layers, each of which has a purpose in the big picture.  I might be able to see a botnet from my antivirus logs, my web filter logs, my intrusion detection logs - if I have everything set up correctly I will know about this sort of risky traffic, be able to respond in a timely manner and safely restrict or block that traffic without any disruptions.
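One way to treat those layers as a whole, shown as an added example that is not part of the original post: flag any internal host that more than one layer reports within a short window.  The three log formats, the sample lines, the 15-minute window and the function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the three log formats are invented for this example.
LOGS = {
    "antivirus": [
        "2012-09-12 10:02:11 host=10.1.4.23 detection=Trojan.Generic action=quarantined",
        "2012-09-12 10:40:00 host=10.1.7.8 detection=Adware.Toolbar action=cleaned",
    ],
    "webfilter": [
        "2012-09-12 10:03:40 10.1.4.23 BLOCKED category=botnet url=c2.example.invalid/gate",
        "2012-09-12 11:15:02 10.1.9.50 BLOCKED category=gambling url=bets.example.invalid/",
    ],
    "ids": [
        '2012-09-12 10:05:02 alert src=10.1.4.23 dst=198.51.100.7 sig="periodic beacon"',
        '2012-09-12 13:00:00 alert src=10.1.7.8 dst=198.51.100.9 sig="port scan"',
    ],
}

# Where the internal host appears in each source's line format.
HOST_RE = {
    "antivirus": re.compile(r"host=(\S+)"),
    "webfilter": re.compile(r"^\S+ \S+ (\S+) BLOCKED"),
    "ids": re.compile(r"src=(\S+)"),
}

def parse(logs):
    events = defaultdict(list)  # host -> [(timestamp, source), ...]
    for source, lines in logs.items():
        for line in lines:
            match = HOST_RE[source].search(line)
            if match:
                ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
                events[match.group(1)].append((ts, source))
    return events

def correlate(logs, window=timedelta(minutes=15), min_sources=2):
    """Flag hosts reported by at least min_sources layers within one window."""
    flagged = {}
    for host, evs in parse(logs).items():
        for start, _ in sorted(evs):
            seen = {src for ts, src in evs if start <= ts <= start + window}
            if len(seen) >= min_sources:
                flagged[host] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    print(correlate(LOGS))
```

A host seen by only one layer, or by two layers hours apart, stays below the threshold; widening the window trades fewer misses for more noise.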

This is sort of an introductory piece - we can go so much deeper.  However, I wanted to set the table properly - I would love comments on creative and effective ways you utilize your infrastructure to protect your organization.

2 comments:

Michael Peters said...

Great primer Randall. You mentioned adding layers to your security infrastructure which is prudent for certain. I tend to begin with governance; setting up policy and completing IT security risk assessments first. Next, for me, the technology comes in and enforces the strategy I've identified early on. Finally, vigilance in the testing, training, monitoring and remediation activities always upping my game as I learn new techniques, identify new threats, and continue to bolster my security program. For me, the center of that onion would be the critical business assets I protect in those layers. Thoughts?

Randall Frietzsche said...

Hi Michael!

Yes - great points. We must start with the governance layer - in my diagram of layers the governance layer is not an additional ring in the onion but the stem which goes from the center of the onion out through all the layers - that is, it is a virtual layer which touches every other part of the infrastructure.

I think of it like a building I want to secure - I can go and put some locks on the doors, maybe some smoke detectors, however if I haven't done that initial discovery, risk assessments, etc. - then I really don't know what sort of locks I need, how many, if there are other points of access that I don't know about, if I need to add a supplemental radon detection system... otherwise I'm just spending some money and putting in some controls without really doing it in a smart and effective way. Unfortunately this is more often the norm.

We have to put in that solid foundation which begins with the governance layer and is built from solid IT risk assessments we've done - then we're more prepared to be responsive to new risks like mobile devices - this is a train we can no longer derail - we just have to learn how to get up to speed with it, jump on that train without breaking our necks, then learn how to steer it without letting it wreck our program. I'll be writing more about this soon as it's something which is currently a large initiative for my organization.

Thanks again for your comment - I look forward to more!