Viewpoint – best practice makes perfect

In the context of InfoSecurity is there such a thing as best practice? Phil Cracknell, FBCS, CISSP gives his opinion as to what it should entail

Who defines best practice? In the UK, the DTI (Department for Trade and Industry) is trying to take a lead by defining what best practice for information security is.

The BS7799 standard for information security went some way to defining best practice, but it did not do so directly by naming technologies that you should deploy. Instead, it outlined higher-level requirements which were then interpreted by security professionals into the actual solutions we see implemented today. The standard continues to evolve and is now international. I believe ISO 17799 will continue to feature more in business in the future than it does today.

Best practice represents what sensible businesses should be doing to address known security issues. If you connect to the Internet and want to protect your systems from attack then you install a firewall. There is no law forcing you to do so but your ISP advises it, the operating system vendors advise it. If you are a government department, the Communications Electronics Security Group (CESG) will ensure that you do this – it is simply ‘best practice’ to do so.

Best practice has long promoted the age-old industry saying of ‘defence in depth’, meaning a layered security solution. In practice this means that if your organisation has a firewall protecting against attacks coming in from the Internet, it will also apply rules to the router outside of the firewall as another layer of defence, should the firewall fail or be compromised.

Some organisations have two firewalls, each from a different vendor, just in case a weakness is found in a particular solution. This way the second firewall protects the business against such vulnerabilities.
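The layered arrangement described above (router rules outside the firewall, plus a second firewall from a different vendor) modelled as an added Python example; this is not code from the article, and the zones, ports and vendor names are constructed placeholders. Each layer enforces its own allow-list, and a layer can be marked as failed to show which remaining layer still stops a given packet.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple, List, Dict

@dataclass(frozen=True)
class Packet:
    dst: str    # destination zone, e.g. "dmz" or "internal" (constructed labels)
    dport: int  # destination TCP port

@dataclass
class Layer:
    """One independent enforcement point with its own allow-list."""
    name: str
    allowed: Set[Tuple[str, int]]   # (destination zone, port) pairs permitted
    failed: bool = False            # simulates a bypassed or compromised device
    fail_open: bool = True          # a failed device here passes everything

    def permits(self, p: Packet) -> bool:
        if self.failed:
            return self.fail_open
        return (p.dst, p.dport) in self.allowed

def build_layers() -> List[Layer]:
    # Router ACL outside the firewall: coarse, port-based, no zone-level detail.
    router = Layer("router-acl", {("dmz", 443), ("dmz", 25), ("internal", 443)})
    # Two firewalls from different (hypothetical) vendors, same fine-grained policy.
    fw_a = Layer("firewall-vendor-a", {("dmz", 443), ("dmz", 25)})
    fw_b = Layer("firewall-vendor-b", {("dmz", 443), ("dmz", 25)})
    return [router, fw_a, fw_b]

def evaluate(layers: List[Layer], p: Packet) -> Tuple[bool, Optional[str]]:
    """Pass the packet through each layer in order; return (allowed, blocking layer)."""
    for layer in layers:
        if not layer.permits(p):
            return False, layer.name
    return True, None

def demo() -> Dict[str, Tuple[bool, Optional[str]]]:
    layers = build_layers()
    web, internal_web, ssh = Packet("dmz", 443), Packet("internal", 443), Packet("internal", 22)
    results = {"healthy_web": evaluate(layers, web),
               "healthy_internal": evaluate(layers, internal_web)}
    layers[1].failed = True          # vendor A firewall fails open: vendor B backstops it
    results["fw_a_down_internal"] = evaluate(layers, internal_web)
    layers[2].failed = True          # both firewalls fail open: only the router is left
    results["both_fw_down_internal"] = evaluate(layers, internal_web)
    results["both_fw_down_ssh"] = evaluate(layers, ssh)
    return results
```

The last two results show the limit of the approach: the coarse router ACL still stops inbound SSH, but it cannot cover a path it was never written for, so layers only help where their coverage overlaps.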

Security layers

Currently, there is a push towards incorporating as much security into products, operating systems and software packages as possible, but I think in doing this the vendors are not altogether embracing the customers’ requirements.

From a best practice perspective it does not make sense to have operating-system-embedded security solutions such as firewalls, intrusion detection systems or anti-virus solutions. It has always been considered acceptable that the vendors of such dedicated security solutions are major players in the policing of operating system, hardware and software vendor vulnerabilities.

As such, the vendors can impartially announce and protect users against such vulnerabilities as they are detected. This independence would disappear if these security solutions came from the same source as the operating systems they are designed to protect. With independent vendors, I think it is also less likely that there would be internal collusion to create ‘known back-doors’.

Best practice implies defence in depth and so another ‘layer’ of security provided by the operating system, providing it can co-exist with the dedicated solutions, is not a bad thing. However, operating system vendors clearly need to concentrate on writing code securely and not patching up the insecure code with ‘acquired’ security solutions.

It is also a concern whether the vendors of these new operating systems, complete with security technology, could support multi-platform solutions. We have seen recently the trouble that comes with operating system vendors bundling software and so if one thing should be kept separate from operating systems, let it be security.

Companies of different sizes will face different challenges. Larger businesses should be concentrating on security infrastructure, layering, and a segregation of roles that addresses weaknesses in human administration. Small to medium-sized businesses are typically doing ‘just enough’ in terms of security, but with a number of changes to regulation and legislation scheduled for 2006 that may leave them short. As many of the larger corporations ‘step up’ their security, there could be a security technology gulf between them and the smaller businesses, many of whom are suppliers to the larger companies.

Outsourcing and third-party resilience are rapidly being recognised as risks to the business. With such practices you yourself can be secure, but what about those you rely upon? As a result, there will be increasing demands on businesses to show other businesses how secure and resilient they are.

The landscape in terms of security for the next 18 months is starting to appear already. Laws will change; regulation will toughen. In order to justify its demands, the information security industry will shift from being reliant upon folklore and fear, uncertainty and doubt, to being a more measured and predictable environment. Risk will be calculated, previous incidents referred to, and security will be provided where it is most required and to the level that it is required. Knee-jerk point solutions and assumption-based methods will no longer cut it.

Top 5 email-borne virus and spam groups stopped by scanners in November 2005

Netsky: 28.27%
Phishing: 27.59%
Mytob: 18.52%
Sober: 11.22%
Bagle: 5.67%

Source: SoftScan

Phil Cracknell, FBCS, CISSP
CTO of netSurity Ltd

Phil is an information security specialist with 20 years’ experience. He is a former head of security for the investment bank Nomura, director of security for Scient Inc, and principal consultant responsible for the penetration testing team at Zergo (later to become Baltimore).

netSurity is an information security and risk R&D house, focusing strongly on client needs and existing problems in the industry.
