A Proper Diet of Information Security

Earlier this year, researchers in Sweden announced that during a research study, they discovered that bread, potato chips, French fries and even cereal contain high levels of the carcinogen acrylamide.

Now, it's a well-known fact that fried foods are bad for you, but what about cereal?

Long touted as a way to lower cholesterol levels and reduce the risk of colorectal cancer, the so-called "bad" characteristics of cereal are a sign of the times. Every panacea has its weakness, and we have to take the good with the bad. The simple choices of buying "low-fat" and "sugar-free" products are replaced by complex, soul-searching decisions.

This complexity causes the fatalists amongst us to shrug their shoulders, sigh, and then comment flatly, "Everything's bad for you." These people have decided that it's worth neither the time nor the energy to sit down and figure out what they should eat. It's far simpler to concede victory to the toxins in our food and to roll the dice when it comes to chronic illness.

Oddly, this is exactly the same way in which many companies choose to manage their information security. As with proper diet and exercise, there are many things that are beneficial to enterprise security, but there are also many more things that can yield mixed results. Recent worm attacks have exposed the chinks in the armor of information security and have demonstrated the detrimental effects of technologies once thought to be beneficial.

Firewalls may be bad for you

One of the most common security devices is the firewall, and today the firewall has become the launching point for many attacks. Hackers frequently look for out-of-date firewall software running on operating systems with known vulnerabilities. Information about these vulnerabilities is readily available (as are bug patches and software upgrades), but the vast majority of firewalls in the network are under-managed. Upgrades and patches are slow to propagate, thus accelerating the spread of viruses and worms.

Basically, the problem with firewalls is that they must be managed and monitored. Not only is version control important, but it's also necessary to routinely monitor these devices for configuration changes and evidence of intrusions.

Management and monitoring cause their own issues, because they introduce operational expenses for firewall devices that were once thought to be relatively inexpensive. Today, operational expenses far overshadow the capital costs of firewalls.

For many enterprises, firewalls have their advantages and disadvantages. Enterprise managers deploy firewalls sparingly in locations where they can properly monitor and manage them. It's common for companies to backhaul their Internet traffic to minimize their number of public network connections.

The security equivalent of green leafy vegetables

In our diet, there appear to be immutable truths, like the positive benefits of eating fruits and vegetables. Almost any doctor or nutritionist will tell us that we cannot eat too many fruits and vegetables. Diets high in these foods are good for us.

The same holds true for management in information security. Whether we're talking about security management, policy management or user management, we can't seem to invest enough in management.

Management is good for many reasons, but the primary one is that in focusing our efforts on management, we address the systemic problems of information security. In contrast, firewalls focus on the symptoms of security problems - malicious code, improper network usage, etc. - but management tools attempt to stop vulnerabilities at their source.

This is important, because hackers are second to a company's own employees when it comes to security threats. Not only do employees present the greatest risk, but they also attack from behind the firewall. Management tools can use policies to describe malicious activity and can look for these types of behaviors.

Intrusion detection systems (IDS) are tools that attempt to identify and prevent malicious activity at various points within an enterprise. IDSes fall short of true management tools, because the policies they define are limited in scope and effectiveness. Many IDS vendors see management as the 'high ground' in their business.

The constant search for the quick fix

If we allow human behavior to be our guide, enterprises will under-invest in management and will over-invest in technology, always looking for the quick fix to the problem.

Need proof? Look at all the so-called "low-fat" and "fat-free" foods that we consume here in the U.S. Americans are an increasingly overweight and obese group that consumes 14 billion hamburgers every year, washing each one down with diet soda. The contradiction of our diet speaks to our very nature. We are willing to purchase low-fat foods and weight-loss products to help us lose weight, instead of actually purchasing and eating the right foods. Given a choice, we think we can buy a solution to a behavioral problem.

Security faces the same problem. Companies like TruSecure go against a market dominated by technology purchases and professional services. TruSecure sells proper enterprise nutrition supported by risk models and enterprise processes, and they urge enterprises to focus their efforts on high value security activities that yield tangible results. Software company PentaSafe sells a similar story, of products that leverage in-house skill sets to provide high value management capabilities.

Policy and management are the end game, but they are difficult to achieve. Previous iterations of management software in the form of "enterprise management" have been costly and have taken years to implement. Many managers have seen poorly implemented enterprise management platforms fall short of expectations, and this may be an obstacle for security management tools.

Low-fat security

Management is the thing that the marketplace needs, but IT managers are going to buy IDSes and firewalls to solve the symptoms of their systemic security problems. Discrete purchases of technology are a lot easier to sell internally than broad-based management approaches. Management tools will be most effective when they can be budgeted and implemented by a mid-level manager.

Dan Taylor founded Giotto Perspectives in 1998 to provide clear, concise research and analysis in the networking and managed IP services marketplaces (
