It's hard to be proactive when it comes to data security. For all the talk about security as a business enabler, security is mostly about defense, and defense is inherently reactive. The opposition acts, you react. Someone tries to SYN flood you, you block their IP. A virus infects your network, you quarantine it, find the infected systems, and clean it up.
But the effectiveness of your defense depends on how well you anticipate your opponent's actions. Think about a football game. A good defense doesn't simply react, willy-nilly, to the offense's play after the ball is snapped. Rather, they strategize, analyze and adjust many steps ahead of the play. They break down game film to determine their opponent's tendencies; they rotate players and change formations depending on the score, quarter, down and field position; they constantly fine tune their position and check off assignments, right up until the ball is snapped.
Information security is no different: the more successful your "pre-actions," the less pressure there is on your reactions.
The good news: Security professionals are becoming more proactive in managing risk. According to Information Security's 6th Annual Industry Survey, 85 percent of security pros are performing security risk assessments, and 84 percent make changes to vulnerable systems when a threat is identified.
The bad news: IT security still has a long way to go. In football terms, security pros are too focused on "game day" activities. Yes, installing patches in response to new vulnerabilities beats cleaning up after a worm infection. But the patch parade is a lot like a half-time adjustment: an effort to shore up an identified weakness that has been, or very soon could be, exploited.
A smarter approach is to adopt proactive measures long before the game even starts:
1. Lock down operating systems and applications before they're ever put into production.
It's impossible to harden every system, so concentrate on the critical ones -- widest deployed, most important to your operations, most vulnerable by default, or some combination of these.
Need help? The nonprofit Center for Internet Security has released security configuration benchmarks for several enterprise systems, including Windows 2000, Oracle 8i and 9i and Cisco routers. These free documents outline hundreds of configuration changes and include scoring tools that rate your security posture when you're done. Several security vendors sell similar configuration and benchmarking tools.
2. Force vendors to prove their software or service is robust and reliable.
Ask your e-commerce application vendors for proof that they've included security in their QA testing. If you're working with outside application developers, require a third-party security assessment of the finished code. Make sure to include security questions in all service provider RFPs. Develop a checklist of security items that must be included in SLAs.
3. "Message" security up and down the organizational flow chart.
You can't secure anything in a vacuum. Getting C-level buy-in to the above recommendations is important, but that's only the beginning. Train IT ops staff in the procedure for hardening systems on the high-value list. Make sure department and business unit managers are aware of policies for procuring commercial products and contracting outside services.
Proactive "D" is a manifestation of the 80/20 rule. By implementing these and other processes, you mitigate 80 percent of your risk using 20 percent of your time. You burn less money and fewer resources on game day defense -- incident response, virus cleanup, data recovery -- and improve your ability to anticipate, identify and respond to emerging threats.
About the author:
Andrew Briney, CISSP, is editorial director of Information Security.