Good advice, great people

Security experts offer the best advice they've received about how to do their job.

Good advice is more than a handy cliché. It's practical, applicable guidance culled from a trusted advisor or personal experiences. Its real value, however, is in sharing it with others. Information Security magazine asked luminaries and laymen to share their best advice with our readers. What follows is a collection of unique anecdotes, professional wisdom and success stories that security managers can consider as they craft the policies and mechanisms that keep their networks and data safe.

Ron Rivest, co-founder RSA Security

Attackers don't give up.
I value the advice given by Robert Morris (senior) at his Crypto '95 invited talk (paraphrased): "Never underestimate the effort that an adversary will put into breaking your system."

Vint Cerf, chief Internet strategist, Google; ARPANET developer

Keep up with chaos.
"If everything is under control, you're not going fast enough." -- Mario Andretti

Robert Ellis Smith, publisher, Privacy Journal

You can verify identities of individuals or assure yourself that someone is legitimate simply by picking up the phone and calling the number listed on an application or given by someone in person. If it's a non-working number or the person answering is vague about whether the applicant lives there, you are on notice.

Diana Kelley, senior analyst, Burton Group

Understand business needs
Get over the idea that security is about being as secure as possible, or using the latest and greatest security application or technology. IT security is about understanding what the business needs to accomplish to succeed and then matching appropriate security policies, processes and technologies to those needs.

Look past what the media and vendors are saying about what today's "must have" solutions are -- get real about cost-benefit analysis and being sane about mitigating risks and consequences.

And more than anything check the assumption at the door that average users are stupid. Corporate users have a requirement to get their jobs done in the most efficient manner possible. If security road blocks efficiency, users may circumvent. Proper training and awareness is critical, as is compassion.

Moving forward, IT security professionals that understand this isn't a battle of security vs. the business -- it is a team effort will succeed – engage executives and the user population in planning and deployment. Listen to what they are saying about usability and viability of proposed solutions, be respectful.

When everyone is working towards a shared goal energy is spent on creating success rather than on petty squabbles and political jockeying for position.

Marc Noble, CSO, Federal Communications Commission

Bend, don't break
You need to be flexible. As a Marine friend of mine says "Sempre Gumby."

Dennis Treece, director corporate security, MassPort

Deny everything, allow by exception
Adopt the philosophy: "Deny everything, allow by exception," instead of the factory default philosophy "Allow everything, deny by exception." There is far more traffic out there from far more places than any business will ever need. Keep port 25 open so people can e-mail you to get in for legitimate purposes, or put a good contact number on your Web site.

Michael J. Assante, former CSO, American Electrical Power

Cross the divide
As a CISO you need to deal with security risk with a holistic view of the problem. It is time to unify or at least forge the divides between the information security and physical security program. One must accept the reality that the business processes and infrastructures (or "what you are trying to protect") are integrated systems combining people, process and technology to achieve a desired output.

If you fail to integrate the process for identifying and managing risk, and specifically how you invest in and deploy protective solutions you will experience increased exposure, limit your situational awareness, have poor accountability around security and incur higher operating costs. We cannot continue to lack imagination. It is our charge to build organizations capable of seeing possibilities, even if they are hidden in the nuances of interdependencies, where the borders between the physical and virtual world cross and even blur.

Broaden your view
CISOs must understand their role in the organization by thinking about security issues without viewing them exclusively through the lenses of an information security specialist. A leader should understand how decisions impact their company's business model and shapes or resonates with the organization's culture. Ultimately one should strive to be a business leader aligning their efforts with the company's strategic and operational goals with a real eye towards how their programs play out across the company.

Strive to engage and support strategic business decisions that impact security risk. Issues like standardizing equipment, strategic supplier relationships and overseas outsourcing can be opportunities to accomplish security goals while supporting responsible business decisions. Try expanding your risk reduction strategies by considering business resilience and redundancies alongside of protective measures and the Confidentiality, Integrity and Availability model.

Cultivate your own support group
A security council or committee should be established of senior level members from key corporate functions and business unit leaders to provide direction and help with strategic alignment. This group can be educated to security risk over time and serve as a valuable resource providing validation for decisions, articulating challenges or issues and providing support to decisions that they feel some ownership around. The council can also act as the governance body to ratify security policies and standards. Finally the council can provide insight to how the company can realize business benefits for security initiatives and risk reduction programs.

Guy Morgan, CEO, Farm9

As network security professionals, we assist our clients in implementing "layered security" to cover all points of vulnerability. At the outer defensive perimeter that means firewalls, spam filters, spyware detectors, virus killers and more. The next layer is intrusion detection systems that look for suspicious traffic. Even deeper are highly specialized tools analyzing audit trails and access logs for anomalous activity.

It's in this last area that many companies are suffering some of the most serious damage. Several recent highly publicized security breaches have tarnished the affected companies' reputations all the more because of the difficulty in determining the extent of the damage.

Increasingly, sophisticated criminals -- it's not just script kiddies anymore -- are zeroing in on computer activity logs. By altering, destroying or -- especially insidiously -- spoofing a log, a hacker can mask an attack and make it almost impossible to assess a data loss once an attack is detected.

The solution is simple but imperative: Companies must standardize and consolidate the logging process, and scrupulously back up all logs and store them securely offsite. Only then is it possible to know exactly what occurred and to have an audit trail as evidence if matters go to court.

John Schwarz, president, Symantec

Security isn't just about technology, it's also about people and processes. The security team must be aware of the current external threat environment and understand the internal infrastructure. Processes must take into account access policies, vulnerability awareness and timely patch deployment. Organizations should, at a minimum, deploy a firewall, malware filter and incident response capabilities. And, signature files need to be kept up-to-date.

While every device should be responsible for its own security, it's also important to protect the information itself. Information is the currency of our age and it needs to be both secure and available. Information that is secure, but unavailable is worthless…it's like putting all of your valuables in a safe and forgetting the combination. On the other hand, information that is widely available, but not secure is like putting all your trade secrets up on the Internet.

In the end, effective security requires a proactive and holistic view of the entire infrastructure.

Thornton A. May, futurist

The essence of effective information security is informed and aggressive information management (categorization and indexing -- knowing what you know, knowing how important or valuable your repository of information assets is, and being able to segment information management behaviors on the basis of information -- value, risk and threat). Most organizations are only now taking baby steps in this direction.

Rolf Moulton, president, (ISC)²

As an information security manager, your main job is to educate your business clients about the risks their business decisions create, and help them to develop and implement controls that they believe are appropriate to manage those risks.

Winn Schwartau, author, founder The Security Awareness Company

  • Time is the ultimate metric of security. Network security can actually be measured using the Time Based Security techniques and applied to both technology and people. Risk management, security folks and CFOs finally have a way to communicate.
  • I know less and less about security every day. I need to know the fundamentals thoroughly and be able to apply them to any situation.
  • Security is based upon a new triad consisting of cybersecurity, physical security and peoplesecurity. They must be balanced and metricized against time to make it work.

Fred Cohen, principal analyst, Burton Group, coined term "computer virus"

Most of the advice I see is pretty bad. I have gotten standard advice from automated response systems telling me to make sure my passwords were long and strong enough – but unfortunately the issue had to do with a telephone system and it was impossible to make the passwords longer than four symbols and impossible to make the symbols anything other than the digits 0-9. So much for that advice.

I did get some really good advice from an old man on a corner at a bus stop in Los Angeles one time. He told me that first they offer you money, then sex, then they kill you. He was referring to non-compliance with powerful people who try to get you to do things you don't want to do. There was no advice of course, but I inferred that you should take the money and sex unless you want to die. On the other hand, he looked like he had survived the attempts to kill him, so maybe it was just lamenting his own decisions to go it on his own.

My mother used to tell me that just because other people jump off of bridges doesn't mean you have to follow them. This was before the days of bungee cords, and I think it is sound advice to look at alternatives before making the same mistakes that others make. Hence my non-use of virus scanners and Windows leaving me virus-free for the last 21 years without a lot of special effort; something about the path less followed. We need more of that.

My third piece of good security advice comes from a song. It goes "You don't pull on Superman's cape. You don't spit into the wind. You don't pull the mask of that old Lone Ranger. And you don't mess around with Slim." This is of course after Slim slices Jim (the previously named king of the hill in the song) to bits in a barroom brawl.

The advice is two fold -- one is that there is always a king of the hill until someone else displaces them -- and the other is that nobody is too powerful to be displaced. Life is full of risks and sometimes you have to take them to do what you do as well as you can. Recognize that you could end up on top or at the bottom and go for it.

Ed Skoudis, author, consultant

Remember, your technology infrastructure is merely the representation of your security policy. Don't obsess over technical solutions until you have a good grip on your policies, in writing.

If you don't have solid policies in place first, your technology won't be sound over the long run. Sure, you may accidentally deploy solid technology without good policies in the short term. But, over the long run, without good policies in place, your technology will grow worse and worse, until you get completely hosed.

Alex Nehlebaeff, corporate IT security manager, Harley Davidson Financial Services

Don't get complacent, be ever-vigilant.

Pamela Fusco, CSO, Merck

  • The best security advice I have received is:
  • What you don't know can hurt you.
  • You can't do it alone, security is a team concept.
  • Don't fall prey to denial, understand that you will encounter a security breach before it happens.
  • Tell the truth. The whole truth and nothing but the truth.
  • If your admin can access it, anyone can access it!

Ed Amoroso, CSO, AT&T

  • In the 1980's, Bob Morris Sr. demonstrated to my team at Bell Labs numerous times that "breaking into computer systems is easy." The ease with which he could hack into the Unix systems in the Bell Labs Computer Center has stuck with me my entire career, and I never, ever underestimate the capability of a skilled hacker.
  • My manager at AT&T during the 1990s, Larry Spilman, invited me to my first real technical meeting with an intelligence community customer to discuss security. I thought I was some hotshot expert on security until I arrived at the meeting. During that discussion, I learned immediately that there are *always* people who understand the topic better than you. This experience helped immeasurably in my management career, because I've come to recognize the value of what others bring to the table.
  • During a recent all-night virus-fighting incident with Andy Daudelin, who runs AT&T's internal network services, we were all pretty grouchy and dying for some sleep. At just the right moment, Andy offered the perfect comment which seemed to bring things into better perspective for all of us. He said this: "If they ever catch the people who do this, their punishment should be one week in our jobs."

Craig Shumard, CISO, CIGNA

Don't neglect investing in security awareness and training; technology controls will only get you so far. Many significant security breaches have nothing to do with a break down in technology but rather people not doing the right fundamental behavior to safeguard the business and customer data.

People need to understand what to do, how to do it and most importantly why it needs to be done. An all encompassing view of security, one that factors in behaviors, business process and technology, is essential.

Andrew Lee, CTO, Eset Software

I saw on a documentary on TV. It was a sign on a Huntsville, Tx., prison wall. It said simply "Security is never convenient." It's more a thought-provoker, rather than advice, because it is really double edged. I've made it my mission to make security as convenient as possible for the users it protects, but also, as inconvenient as possible for the attacker.

There is always some degree of compromise, but we have to bear in mind that draconian measures are nearly always subverted by the user, simply because they are unable or unwilling to deal with the inconvenience. To be truly useful, security must be so convenient to the user, and so inconvenient to the attacker, that neither of them will try to subvert it.

Marcus J. Ranum, creator of proxy firewall

I think it was originally from my mother. She asked me, "If your friends all wanted to jump off a cliff, would you jump, too?"

Stephen Northcutt, director training and certification, SANS Institute

I used to be a security officer at a US Navy base. For some reason, I felt I had to protect the Navy's systems from getting hacked or wormed, and I was very tense. A gruff old-timer was talking to me, and he looked up and said, "You aren't a bodyguard, you are in loss prevention. A certain amount of shoplifting is going to happen. Your job is to keep it inbounds." I have never forgotten that.

I make sure our networks are designed well, our systems, especially our Internet-facing systems, are configured properly and patched. I fully understand that one day SANS might get hacked, or one of our systems may be infected by a worm. But I refuse to live life in fear of death by a golden BB. I am in loss prevention, and risk management is an exercise in probability. Eventually some defense is going to be breached, we will take a hit and life will still go on.

Jayshree Ullal, senior vice president security, Cisco Systems

When I think about some of the best security advice I have ever heard or received, I seem to always remember a quote from Eleanor Roosevelt -- but with a twist. While the actual quote goes "A woman is like a tea bag -- you never know how strong she is until she gets in hot water," I have found security to be a lot like that tea bag.

An organization will realize just how strong and pervasive its overall security is, whether physical or networked-business system related, when faced with a "hot" situation that challenges it. Organizations may realize that there might be certain modifications that need to be made to their security policies and practices. Throughout my experience, I have learned that all organizations should always adapt their security systems in order to stay resilient and deal with unknown attacks .

Ultimately you begin to realize that security must be deeply integrated throughout all aspects of an organization -- including people, processes and its networked information systems for it to be effective in those "hot" security situations.

Gary Miliefsky, president, CTO NetClarity

If you're planning to institute a vulnerability management system, you should be sure the system has a quarantine feature. Let's face it, every network is vulnerable to some degree. While you assess your network's vulnerabilities and then schedule remediation, your doors are still open. How long will it take to carry out remediation? It could be days, perhaps weeks, even months before you remediate all the vulnerabilities on a mid-sized network that has never been tested for vulnerabilities before. A vulnerability quarantine system can instantlly block traffic between vulnerable systems and the firewall or smart switch as soon as it identifies vulnerabilities on systems, helping you avoid exposing other systems on the network to the weaknesses on compromised machines.

The best quarantine system should have the ability to block traffic at both the firewall and the smart switch.

Blocking traffic at the firewall stops outside intruders from getting behind your firewall. At the firewall, the quarantine system should be able to selectively block vulnerable ports as well as entire IP addresses.

Blocking traffic at the smart switch (for instance, the Cisco Catalyst variety) foils malicious insiders, preventing them from taking advantage of the vulnerabilities on the compromised systems.

Ernesto Rosales, founder, president plusSecure

  • Security is not a goal, it is a process.
  • Security is not a product, it is a mindset.
  • Security is a never-ending task.
  • If you think you are secure... just wait a few minutes until the next sploit is released.
  • Security is like breathing -- If you stop, you're dead.

Eric Rescorla, founder RTFM

The best piece of security advice I ever received was from Allan Schiffman, co-designer of the shttp protocol: "People don't want security; they want the appearance of security."

Users know that they're supposed to have some security but evaluating the security of products is incredibly difficult even for experts. What's much easier -- especially if what you're concerned about is not getting fired -- is to do something that's plausibly secure. Whether it works or not is much less important than that your choice was defensible. If you're trying to deliver a security solution and you can't figure out how to get people to think they need your solution, it's useless no matter how good it is.

Donn B. Parker, retired, Getronics Red Siren

Due diligence, compliance and enablement

The primary conceptual objective of information security should be due diligence to avoid negligence by securing information and systems in the effective ways that other organizations do under similar circumstances. The second objective should be compliance with standards, laws and regulations to avoid fines, prison and job loss. The third objective is enablement to achieve competitiveness in business and bureaucratic approval in government and institutions. Reduction of current loss incidents is the likely result and reduction of security risk of rare loss incidents is the serendipitous, intangible and un-measurable result of meeting the three objectives.

Probably the most common security violation, especially among security experts, is endangerment by putting information or systems in harms' way. Dr. Wen Ho Lee went to prison for it and a former director of the CIA almost did. The best safeguard against endangerment is to create security motivation first and then awareness among people in positions of trust by giving them rewards for exemplary security and penalties for poor security.

The mother of all security objectives is to motivate users to avoid endangerment and accept and support what they dislike, namely security controls that are inconvenient and detract from their job performance. Security motivation can be accomplished by making effective security a part of job performance rather than being in conflict with job performance. You must make security a specific requirement in all job descriptions, usage agreements and performance reviews with appropriate rewards and penalties applied. Without adequate user motivation awareness efforts are worse than useless, and security remains superficial and cosmetic.

The most sensitive information in any organization is the detailed specification of security in place and information about losses. This most sensitive information must never be revealed outside of the trusted few people who must know it and the proper criminal justice authorities. This security of security requirement means that responding to intrusive survey questionnaires and making oral and written utterances in public that contain such information should be prohibited unless approved by the highest level of management.

This was last published in August 2005

Dig Deeper on Information security policies, procedures and guidelines

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.