Who defines best practice? In the UK, the DTI
(Department for Trade and Industry) is trying to take a lead by
defining what best practice for information security
is.
The BS7799 standard for information security went some way to
defining best practice but it did not do so directly by naming
technologies that you should deploy. Instead, it outlined
higher-level requirements which were then interpreted by security
professionals into the actual solutions we see implemented today.
The standard continues to evolve and is now an international one. I
believe ISO 17799 will feature more in business in the future than it
does today.
Best practice represents what sensible businesses should be
doing to address known security issues. If you connect to the
Internet and want to protect your systems from attack then you
install a firewall. There is no law forcing you to do so, but your
ISP advises it and so do the operating system vendors. If you are
a government department, the Communications Electronics Security
Group (CESG) will ensure that you do this – it is simply ‘best
practice’ to do so.
Best practice has long promoted the age-old industry saying of
‘defence in depth’, meaning a layered security solution.
In practice this means that if your organisation has a firewall
protecting against attacks coming in from the Internet, it will also
apply filtering rules on the router outside the firewall as another
layer of defence, should the firewall fail or be compromised.
Some organisations have two firewalls, each from a different
vendor, in case a weakness is found in a particular product. This
way the second firewall still protects the business against such
vulnerabilities.
Security layers
Currently, there is a push towards incorporating as much
security into products, operating systems and software packages as
possible but I think in doing this, the vendors are not altogether
embracing the customers’ requirements.
From a best practice perspective it does not make sense to have
operating-system embedded security solutions such as firewalls,
intrusion detection systems or anti-virus solutions. It has always
been considered acceptable that the vendors of such dedicated
security solutions are major players in the policing of the
operating system, hardware and software vendor vulnerabilities.
As such, the vendors can impartially announce and protect users
against such vulnerabilities as they are detected. This
independence would disappear if these security solutions came from
the same source as the operating systems they are designed to
protect. With independent vendors I think it is also less likely
that there would be internal collusion to create ‘known back-doors’.
Best practice implies defence in depth and so another ‘layer’ of
security provided by the operating system, providing it can
co-exist with the dedicated solutions, is not a bad thing. However,
operating system vendors clearly need to concentrate on writing
code securely and not patching up the insecure code with ‘acquired’
security solutions.
It is also a concern whether the vendors of these new operating
systems, complete with security technology, could support
multi-platform solutions. We have seen recently the trouble that
comes with operating system vendors bundling software and so if one
thing should be kept separate from operating systems, let it be
security.
Companies of different sizes will face different challenges.
Larger businesses should be concentrating on security
infrastructure, layered defences and a segregation of roles that
addresses human administration weaknesses. Small and medium-sized
businesses are typically doing ‘just enough’ in terms of security,
but a number of changes to regulation and legislation scheduled for
2006 may leave them short. As many of the larger corporations
‘step up’ their security, there could be a security technology gulf
between them and the smaller businesses, many of whom are suppliers
to the larger companies.
Outsourcing and third-party resilience are rapidly coming to be
recognised as risks to the business. With such practices you may be
secure yourself, but what about those you rely upon? As a result,
there will be increasing demands on businesses to show other
businesses how secure and resilient they are.
The landscape in terms of security for the next 18 months is
starting to appear already. Laws will change; regulation will
toughen. In order to justify its demands, the information security
industry will shift from being reliant upon folklore and fear,
uncertainty and doubt, to being a more measured and predictable
environment. Risk will be calculated, previous incidents referred
to and security will be provided where it is most required and to
the level that it is required. Knee-jerk, point solutions and
assumption-based methods will no longer cut it.
Top 5 email-borne virus and spam groups stopped by scanners in November 2005
Netsky: 28.27%
Phishing: 27.59%
Mytob: 18.52%
Sober: 11.22%
Bagle: 5.67%
Source: SoftScan
www.softscan.co.uk
Phil Cracknell, FBCS, CISSP
CTO of netSurity Ltd
Phil is an information security specialist with 20 years’
experience. He was formerly head of security for the investment bank
Nomura, director of security for Scient Inc, and principal consultant
responsible for the penetration testing team at Zergo (later to
become Baltimore).
netSurity is an information security and risk R&D house,
focusing strongly on client needs and existing problems in the
industry.