Republished with permission from WatchGuard Technologies, Inc.

WatchGuard LiveSecurity

 

The Ordo Cautela: Steps to Security

Fred Avolio, Avolio Consulting, Inc., www.avolio.com

 

The Christian reformer Martin Luther created a revolutionary principle called the "ordo salutis" -- the order of salvation as applied to the sinful soul. The "ordo" provided a structured way to discuss and consider a very complex topic. In this article, I intend to describe the "ordo cautela" -- the order or steps to security. My assertions shouldn't cause the fuss that Luther's did, but just as disagreements over what constitutes the ordo salutis have persisted throughout the history of the Christian church, there will be those who disagree with particulars I lay out here. Just the same, I believe there is a logical order to security deployment. Knowing that order will help us ask the right questions, at the right times, and give us direction on moving forward. And direction is definitely needed.

 

De Rerum Natura

Every security practitioner will tell you that in order to have security that works, you must have a security policy. And some companies do. Many do not. Many that do have one, do not have one that is up-to-date, relevant, and matches reality. For other businesses, the first inkling of a security policy was conceived the day they installed their first firewall.

 

Most businesses view installed mechanisms such as firewalls and desktop anti-virus software as being security itself, rather than being part of a security infrastructure. The thought is, "We have a firewall; therefore we are secure." But a security tool in and of itself is not necessarily secure.  Firewall configurations change to match user wants masquerading as business requirements. Is the firewall configured properly? Is our anti-virus database up-to-date? Are our web servers sufficiently protected? We aren't sure. Sometimes we'd rather not ask; it's too much like opening Pandora's box.

 

But an "ordo cautela" will provide a way of managing the complexities. Even if it turns out not to be perfect, it's far better than nothing. So the following is my recommended ordo cautela.

 

Ordo

1. Business requirements. The first step is an analysis of the services that are required for business. This is where we discover what is required for the business to accomplish its mission, and then dig deeper and figure out how those things required can be provided. (Beware. The hard part is distinguishing wants from needs. Not only do we find it hard to differentiate the two, but we also have a tendency to mistake solutions for requirements. "We need port 2092 opened on the firewall" is a solution. The user's "need" is more accurately stated, "I want to play Descent3 over the Internet and the firewall is in the way.")

 

2. Risk analysis. This is also sometimes called vulnerability analysis or threat assessment. This is where we identify the things we want to protect. These include highly tangible things (web sites, personnel records, product plans), as well as the less tangible (corporate image, branding, credibility). We also postulate threats, assess vulnerabilities, and decide if the cost of protection is worth the benefit. This is the part that scares many people off. Working through risk analysis with insight and depth may require outside expertise, but anyone involved in an enterprise's network security group should be able to make a good start.

 

3. Security policy. The security policy specifies allowed and denied behavior. It lists controls (such as Internet firewalls) that are in place to meet the business needs dictated by the business requirements analysis, and the security needs dictated by the risk analysis. This is where those two come together, and where differences are reconciled. The finished security policy tells us not only that we need a Firebox (for example), but also how it should be configured.

 

4. Deployment. The security policy, with accompanying procedures, addresses mechanisms to deploy and where to deploy them. It has to cover:

  • your network perimeter (where we might deploy a firewall)

  • desktops (including the remote "desktops" of the teleworker and road warrior)

  • servers (both inside the network security perimeter as well as outside, such as outside web servers), and

  • the corporate network, often an internetwork.

We also want to verify that the actual deployment matches what is dictated by the business requirements and the risk analysis as married in the security policy.

 

5. Review and re-evaluate. Ever notice the directions found on many shampoo bottles? "Lather, rinse, repeat." To the programmer, it constitutes an endless loop. In this case, though, we do want an endless loop. Threats change, vulnerabilities change, bad guys get "badder." Technologies of defense change constantly. Business requirements change as fast as the Internet offers up new services.  So, periodic reevaluation is required.

 

Veritas

That is my suggested ordo cautela. In a perfect world, we'd follow these steps in order. But then in a perfect world, we'd not have to worry about network attackers.

 

Okay, suppose you've already deployed your firewall, you've got remote users dialing in, but you're not quite sure why some of the exceptions in your security implementation are there. That's okay. Not only is security a never-ending process; it is also one that you can join at any time. Will you get it perfect? Of course not. But that goes hand in hand with the security adages, "There is no such thing as 'complete security' in a usable system," and, "Security is not a static end state, it is an interactive process."

 

Here's another relevant adage: "Concentrate on known and probable threats." Do what you can do today, continue to review and evaluate, keep track of what is left undone, and you will move your organization (or at least its network) toward greater and more easily managed security. And someday, if hackers try something hellish on your network, who knows? --you might find that following this "ordo" was your salvation. ##

 

Et Cetera

More security adages:

http://www.avolio.com/papers/axioms.html

 

Magazine article on best practices in policy development:

http://www.nwc.com/1105/1105f2.html

 

Books and web sites to help you develop security policies and strategies:

 

Firewalls and Internet Security: Repelling the Wily Hacker,

Bill Cheswick and Steve Bellovin. Addison-Wesley, June 1994.

 

Designing Systems for Internet Commerce,

Win Treese and Larry Stewart, Addison-Wesley, 1998.

 

Web Security Sourcebook,

Aviel Rubin, Daniel Geer and Marcus Ranum. Wiley Computer Publishing, 1997.

 

Information Warfare and Security,

Dorothy Denning. Addison-Wesley, 1999.

 

Information Security: Policies and Procedures -- A Practitioner's Reference,

Thomas R. Peltier. CRC Press, Auerbach Publications, December 1998.

 

The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program,

Gerald Kovacich. Butterworth-Heinemann, May 1998.

 

The SANS Institute security policies, course notes:

http://www.sans.org/

 

Various papers and editorials about security practices and products:

The Computer Security Institute (CSI), http://www.gocsi.com/

 

Software tools, information archives, research projects.

Project COAST (Computer Operations, Audit and Security Technology), Purdue University, http://www.cerias.purdue.edu/coast/