Holistic Security

Once upon a time, back around 1998, there was this network security specialist.  He won a small contract to evaluate the network security stance of a building owned by a large organization that was “serious” about security.  Eager to provide excellent service, he went to work in earnest.  He was quickly rewarded when he found the organization did indeed have some vulnerabilities, most notably, a situation, where, through an SQL injection attack, the organization’s entire database was completely exposed.  This will impress my customer, he thought, but he dug deeper.  Eventually, he found evidence that the company had already been hacked.  He documented this for his “final report,” but kept digging.  He then found that this wasn’t the first time this organization had been hacked.  It had happened more than once before.  In fact, this network was the scene of a battle between two groups of hackers that had been fighting against one another for months.   The two groups had been taunting each other, which simplified the job of tracking them.   Surely, this fact would impress the customer, but the network security specialist went further and found evidence of another intruder, one who was a bit more cunning, one who was far more sophisticated in covering his tracks.  It was fortuitous that this intruder couldn’t resist protecting his captured territory by removing the vulnerabilities that might allow others to follow him.  This fact was crucial in his detection.

Eventually, the money ran out, the network security specialist stopped digging, the final report was written, and the contract ended.    The network security specialist was a disappointed.  There was obviously more work to be done.  What bothered him most was that he knew the network under examination was connected to other networks and other “friendly” organizations that probably had similar problems.   One of recommendations in the final report was “These other networks should also be examined…”  Certainly, if intruders can get into one of these networks, intruders would have no problem getting back into the network under examination.

Not knowing the story from another perspective, one may wonder why the network security specialist wasn’t rewarded with more work.   Perhaps it was a matter of money.  The IT manager that hired him obviously didn’t have an unlimited supply, and specialists do cost money.  Specialists find problems that need to be fixed.  This takes time too.   It’s also possible the network security specialist had unwittingly endangered the reputation of his customer.  His work product was a report that, if mishandled, could make the customer look negligent.  After all, in the final analysis, it was the IT manager’s responsibility to make sure things like this didn’t happen.  Imagine his feelings on learning about what had been happening right under his nose.

In the end, the decision of whether to keep the network security specialist was probably made based on the principals of Holistic Security.  The IT manager had something he valued, an asset like his budget, his time or his reputation.  The network security specialist represented a threat to that asset, and a decision was made not to renew the contract.   This brings us to an interesting observation…

Everyone, whether they know it or not, is a security specialist.    Everyone has something they value, and everyone will do things to enhance and protect those things.

Holistic security is about being continuously aware of

  1. Assets: The things we have and value
  2. Threats:  The things that threaten our assets
  3. Security Functions:  The things that protect us from these threats
  4. Opportunities:  The things we don’t have and want
  5. Barriers:  The things that prevent us from seizing these opportunities

It is important that this awareness is continuous, because these things can be changing dynamically.  More than awareness, Holistic security is also about taking the action to improve the situation, when possible, in a balanced way.  Accordingly, obtaining some valued thing is sometimes not worth risking the valued things you already have.  To be excellent at Holistic Security, one must be ever vigilant, paying special attention to game changing events and trends.  So, we are all in the game, and we all play to win.  Unfortunately, not everyone will win.  This goes for the network security specialist too.

copyright 2013 NetChime Research LLC, All rights reserved