No security system is perfect. Never believe that you have solved your security problems or eliminated a specific security threat.
Blind trust in security systems leads to complacency, which inevitably, puts your organization in a position of unnecessary risk.
During World War II, the Axis powers developed a state-of-the-art cipher called Enigma. However, the Axis powers made a fatal mistake in believing that this state-of-the-art cipher was unbreakable. Polish code breakers, Alan Turing and his colleagues at Bletchley Park exploited flaws in the Enigma design as well as flaws in how the Axis powers used the cipher. These men broke what the Axis powers deemed to be 'unbreakable.'
Following a different approach than their enemy, the Allied powers changed their cipher methods multiple times through the course of the war. They believed that any security system would eventually be compromised by treason or cleverness. This healthy dose of security skepticism played a critical role in defining the outcome of World War II and shaping the events of the last 60 years.
While lives, democracy and individual freedoms are not at stake here, your organization's reputation, critical data and resources are on the line. It is your responsibility to approach host and network security with the same sense of reality, common sense and lack of naivety as the Allied powers did 60 years ago. Never place full trust in any single security mechanism because treason or malicious cleverness can eventually compromise that mechanism.
Instead, think defense-in-depth. If your outer layer fails, an inner layer of seemingly redundant security might save the day. Consider the password. If you depend on critical passwords, do not depend on those passwords remaining secret. Change your critical passwords on a regular basis. Change how you select your new passwords on a periodic basis. Even change how you distribute these critical passwords to security personnel every once in a while. In the long-term, look for ways to replace this 'security through obscurity' password mechanism with more advanced authentication techniques.
We use the phrase 'healthy skepticism' versus 'paranoia' because the latter can be just as crippling as blind trust in security. Paranoia and actions taken to combat it will, inevitably, prevent your business from operating efficiently and successfully. If you impose security measures that hinder your organization's ability to get work done, then the system crackers have won ... and you gave them the victory! A moderate level of security skepticism is the key here.
Understanding that no security system is perfect and you cannot eliminate all threats, implement measures to detect when something has gone wrong. Subsequently, understand that no detection system is perfect. For those things that you cannot detect, implement measures to mitigate damage.
Do you see a pattern here? Let's continue...
No host-based security is perfect. At some point, a dedicated attacker may be partially or completely successful in gaining unauthorized access to the host. Implementing an intrusion detection system that includes secure external log storage and log event filtering will help you prepare for this likelihood. Additionally, use tools to detect changes in critical system and library, as well as config and application, files and assign a human to look over the logs on a regular basis for any unusual activity.
Similarly, no detection system is perfect. A healthy skepticism will prepare you for an attack on your intrusion detection system. Ask yourself, "What would happen if an attacker successfully disabled our log system and file change detection tool?" Are you prepared?
The reputation and value of your company depends on your ability to mitigate any damage stemming from security system failures. Remembering these basic tenets of healthy security skepticism will help you proactively protect your organization's most critical assets:
- No security system is perfect.
- Avoid single security failure points.
- Use a defense-in-depth layer approach.
- Periodically review and audit your security systems on a regular basis and use a combination of internal and external auditors.
- Good security will not hinder necessary and productive work.
- That which you cannot prevent, detect. That which you cannot detect, mitigate.
Finally, distrust your own memory. Save the above tenets and review them on a regular basis!
Landon Curt Noll is a consultant with SystemExperts Corporation (www.systemexperts.com).