Has security grown beyond DIY?

On Friday, I discussed Joshua Corman's contention that "there is no perimeter," and my take on the phrase. That was only one of seven "dirty secrets" of the security industry he mentioned at Interop Las Vegas. Another is, he tells us, that security has grown beyond "do-it-yourself."

Complexity and the vendor

The idea is that securing your information and other resources has become such a complex task that your business simply cannot do it alone. Security industry vendors would have you believe that the help you need is the security software they can provide. Send them a few thousand dollars, and they'll send you the key to securing your kingdom.

As IBM/ISS security strategist Corman pointed out, different businesses have different needs, and this makes the typical security vendor's "one size fits all solution" a less than ideal approach to protecting your resources. He suggested that "it's not enough to have the right tool. It needs to be installed and configured properly for the environment."

In translation, he said that you can't just buy the "one size fits all solution" and add it to the pile of precautions you use to protect your network -- you have to make sure it's properly deployed for your specific needs, too. Of course, even that is too simplistic. The truth is that "the right tool" usually isn't such a security vendor's solution at all.

His explanation implies that the correct way to handle things is to get yourself a "best practices" security tool, and get yourself a security consultant who will make sure you won't misuse it. You just don't know enough to take care of it on your own -- to do it yourself -- so you need an expert.

While you're getting an expert, though, you should get one who knows more than how to configure whatever security vendor's "one size fits all solution" got a full-page ad in BusinessWeek. If you're going to retain the services of an expert, you need one with the right skills -- someone who can perform an effective network security assessment, someone who takes a principles-based approach to security rather than a tools-based approach, and someone who develops solutions to your problems rather than just buying a solution and selling it to everyone who comes along. There's something else your expert should be able to do, too.

Do it yourself

The best outside security professional is not the great and powerful Wizard of Oz, who knows all the secrets to your security needs and fixes them all for you. Security should not be about having things done for you to protect you from some nebulous "them" who threaten your resources. Instead, the best outside security professional for you is the one who helps you get and maintain control over your own resources, who helps you achieve independent security.

When you always have to rely on outside help to deal with security, your security is only as responsive, reliable, and trustworthy as the outside help. Requiring an outside security professional to understand how security works for you means adding more potential points of failure in your security. Every outsider you have to rely on is another potential flaw in your security. The best security is independent security.

That doesn't mean you shouldn't ever seek outside help. You can't reasonably be expected to write your own security software, put together all your own security solutions, and keep track of all the developments in the security state of the art, all at the same time that you run the rest of your business -- at least, not without running substantial risk of failure. You should, however, take charge of your own security solutions development.

The best outside security professional is the one who will help you get started, and who will help you figure out how to take charge of your own security solution development in the future. Outside help can be valuable, both to help you get started and to help you keep abreast of changing needs and changing threats, but outside help -- whether it's a security consultant or a security vendor -- should never be the center of your efforts to secure yourself.

What do you do when someone develops an exploit for your security software? What do you do if your outside security professional gets hit by a bus?

You do it yourself, one way or another. Doing it yourself doesn't mean you can't get help. Just remember that the one person you can best rely on is yourself.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

14 comments
mikifinaz1

I have only one machine on the net, which I nuke and pave weekly, keeping the rest of my computers separate. I keep it off between Internet sessions and run whatever generic free crap I can to keep it semi-clean.

tom

I have supplied security solutions, mostly for the physical property like laptops, PCs and servers, for ten years. I totally believe that to rely on a single source opens greater possibilities of creating a potential gap in security. Not only does every company have unique problem areas, but often the different departments within the company have their own unique weak points. If your supplier isn't recommending someone else's solution every now and then, they are there to move their product only and not to secure the information. As to DIY, someone has to control the overall picture and you need to be the one doing that.

boxfiddler

Not only do we need to be reminded on a regular basis that network [and home PC] security is a perpetually moving target, we need to be reminded that, just as with everything else we purchase, maintaining security is not accomplished by a 'one size fits all' approach. What fits me does not likely fit anyone else. "Just remember that the one person you can best rely on is yourself."

apotheon

You might call the thesis of this article "Do It Yourself . . . Eventually". Have you tried to be more independent in your security management? What successes have you had in making your security management more autonomous? What have you learned from your failures?

Sterling chip Camden

Translation: "Sitting duck" solutions. You always have to keep monitoring and upgrading security, because everything goes to hell when left to itself, and the bad guys don't stop looking for vulnerabilities. Great post, Chad.

Locrian_Lyric

One of the paradoxes of security is that things slip through the iron grip more easily than through the gentle hand. The problem many corporations create for themselves is that they have this "us vs. them" mentality where the "them" includes their own employees. When security treats employees as the enemy, the employees will ACT like the enemy. At BEST the employees will treat security with apathy; at WORST they will sabotage security either willingly or unwittingly. At one company I worked for, security was so aggressive that the employees started evading them just to annoy them. Managers did nothing to prevent that because the managers got tired of hearing endless complaints about their employees. If someone forgot their badge, security treated them like an idiot, called their manager, made them wait for as long as a half hour for a temporary badge, and said in an impolite tone "BE SURE TO TURN THIS IN AT THE END OF THE DAY!" It wasn't long before people were sneaking each other in, even if they didn't know the person, because they knew what kind of grilling they'd get from security. The end result of the iron-fisted approach was a complex with security as effective as a sieve.

apotheon

"'Sitting duck' solutions" I think I'm going to have to use that phrase in the future. "Great post, Chad." . . . and thank you. This article was, in essence, an attempt to articulate a client's-eye view of my philosophy of business.

apotheon

It sounds like that woman that wants GotoMyPC on the laptop shouldn't be allowed to take her work home with her at all. If she insists on having unsecured access to the laptop at work, I wouldn't think you'd want her taking the laptop out of the building, either -- so maybe she just shouldn't have a laptop. In fact, you might consider restricting her ability to use the network at all.

Timbo Zimbabwe

"When security treats employees as the enemy, the employees will ACT like the enemy." Sometimes they are. Take for instance the lady in my company who *expects* to have GotoMyPC on her laptop... because she doesn't want to have to carry the laptop home. This not only compromises proprietary company information by allowing it to transmit over 3rd-party servers, but creates a HUGE hole in the security of our network. Act like a criminal and I will treat you like one; act responsibly and I will help you cut as many corners as policy will allow.

husserl

There shouldn't be any need for that attitude, for sure, but no pass, no entry. As for the data themselves: no need to know, no data. That clamps down on a lot of stuff.

bboyd

Since the early days, the user has always been the weak link. An educated and caring user is also the strongest weapon you have in stopping most security intrusions. I have a literal life-and-death programming job. Industrial robots: they will toss you around in a half second if you put yourself in the wrong place. When we design a cell we try to have as much chance as possible to keep a bad user from being in that wrong place. Last week I had a guy climb over a safety fence with a tool to try and correct one of his mistakes. We moved him to a different process. All just as I was stepping up to check and reset his error.

Sterling chip Camden

Featuring the slapstick security antics of the fine consultants at Sitting Duck Security Solutions, where our motto is "We Put The Quacks In Your Firewall".

husserl

Defence in depth is another phrase that I employ. Being an ex-soldier and having worked in int & sy, I suppose that I tend to be paranoid in all directions, and I also scour for new problems as well as new solutions. A friend of mine insisted he didn't need a soft firewall because his Cisco router was enough. I did a search on it and found there is an exploit. Trust no one or thing, not even yourself.