I have been doing IT for 30 years. I have been doing Security for a University for about the last 15 years. I have found that security is possible, but you have to focus.
The biggest problem is we are not taught how to do security. We are taught attack. But attack is not security. We are taught checklists, but checklists are not security.
Security is a meaningful assurance that your goals are being accomplished. The details are transitory. But, without goals, security has no point. Sticking to your goals when attacked is the heart of defense. Ultimately, it is the only thing that matters in security. Your organization adds value by sticking to its goals. But this is more than just a matter of value added. Goals are the spirit of the organization. If you don't stick to your goals when attacked, then you have lost. The attacker may not have won, but you have lost.
But, security folks are not taught how to support institutional goals. Instead, we are taught myriads of other things. You can see examples of the mechanics of security defeating meaningful security all over the place. One striking example is the SANS 20 Critical Controls: http://www.sans.org/critical-security-controls/ While they contain many good points, they fail to teach security. When we analyzed them, we found that they tended to replace security process with checklist. When we had finished the evaluation process we had eliminated, reordered and replaced many of their controls. Our most important control was not even mentioned. It is:
Critical Control 1: Unity of Vision
Security is a MEANINGFUL Assurance that YOUR goals are being Accomplished. Most security failures are enabled and enhanced by disagreement of purpose. Are the fundamentals of management in place?
- A. How does your organization create a sense of community?
- B. What are your Institution's Goals?
- C. How are those goals propagated throughout the organization?
- D. How do your security actions promote your institutional goals?
- E. How do your security actions provide assurance to your institution?
- F. How does your institution reward long term loyalty?
Another glaring omission is the complete lack of strategic thinking in the security community. Winning battles, but losing the war is our way of life. Nothing in the SANS controls guides you to ask the important questions like: "Where am I going?" and "How did I get in this handbasket?" and "Do I HAVE to eat this crap?" For our analysis of the SANS Controls, we added another Control. We valued it at number 3:
Critical Control 3: Enable a Better Future
This control assumes that our actions affect the future. Do your actions enable a more secure future?
- A. How do you increase the cost of attack?
- B. Do you report attack to the remote ISP/attacker?
- C. How do you coordinate with law enforcement?
- D. How do you decrease the cost of defense for yourself and others?
- E. How do you reduce the motivation for local attack?
- F. Do you disclose vulnerabilities to others? If so, will your institution protect its people when others attempt to punish disclosure?
- G. Do you facilitate others disclosing vulnerabilities to you?
- H. Do you help your peers improve their security?
The SANS 20 Controls were originally written by the NSA for the Department of Defense: http://www.sans.org/critical-security-controls/history.php The recent NSA disclosures make me wonder if maybe they are flawed, because the NSA simply doesn't value effective security?