The Virtue of Daily Consideration
Making security a daily consideration solves the vast majority of security issues an organization will face. All the talent and whiz-bang technical gadgets in the world will be of little use if they are not used in conjunction with this primary virtue. As we continue through this book, I will delve into several vital concepts for building and maintaining a secure environment. These concepts will prove to be of great value, but only if they are remembered, considered, and practiced on a daily basis.
Within the Virtue of Daily Consideration is the chance for organizations to break away from the fatal patterns that are so easy to fall into. Many organizations avoid addressing security issues because they consider security to be impossible to maintain, requiring an unending cash flow while sucking up valuable time and resources. This negative image of security, however, has only been manifested through numerous organizations that have embraced a “reactive philosophy of security.” We can ensure that an organization does not fall into such a trap by promoting a proactive security posture that solves the most common security issues automatically and without effort.
In my experience as a security consultant, the organizations with the most security issues are those that have not followed this virtue. Most of them are locked in a circular bind that drains money and resources while producing no results. Look at almost any company that has sunk large budgets into its security and yet is still vulnerable to attack, and this pattern will appear:
Step 1. Do something without thinking about security.
Step 2. Get hacked.
Step 3. Discover that what was done in Step 1 introduced a security flaw that allowed Step 2 to happen.
Step 4. Secure the organization against the specific attack in Step 2.
This four-step cycle is then followed by a three-step cycle:
Step 5. Wait.
Step 6. Get hacked again.
Step 7. Find out that while waiting in Step 5, another new hack was developed relating to what was done in Step 1.
How simple it all seems, and how simple it all really is. This fatal seven-step process that organizations tend to manifest creates an unending cycle of lost time, lost money, and lost sleep. This is the origin of phrases like the following: “Security is too expensive” and “Security is unachievable.” This is a pattern that must be avoided at all costs. Lucky for us, we can easily avoid this vicious circle by simply adopting the proper focus and giving security its daily consideration.
If we do anything in security—if we could have only one goal to set for our organization that will have the most profound impact—we must simply break away from the seven-step cycle. Avoiding this infinite trap can be accomplished by slightly modifying the first three steps:
Step 1. Think about security.
Step 2. Do something (while still thinking about security).
Step 3. Continue to think about security.
In other words, we can avoid the vast majority of security issues that plague the average organization by making security a daily consideration. Understand that this simple three-step process will take a relatively small amount of time and could prevent most of the attacks that have affected organizations all over the world. To practice these three steps, we simply need to train our minds to think about security at all times. We must maintain a security focus.
Most security issues are not normally visible or apparent until they are exploited. This is one of those things that keeps security professionals constantly on their toes. The most devastating security vulnerabilities are the ones that have no obvious relationship to security at all. When we place a new Internet connection into the network, everyone is jumping and screaming about the security issues. But when a new device is installed with a tunneling capability that bypasses all security, no one thinks twice. The deadliest vulnerabilities are those that don't raise a flag until an attack.
Today, security must be considered in everything and at every moment. Simple objects added to or removed from a network can serve to bypass all the security that has been put in place. Temporarily attaching a modem to a router can bypass hundreds of thousands of dollars of perimeter security devices. We must gain control of our environment by programming this primary security virtue into our minds and the minds of everyone around us.
The Virtue of Daily Consideration is our only hope of building and maintaining a secure environment. Throughout the rest of this book, I will continue to describe how to make security a daily consideration within an organization, and how to use and reuse simple concepts that will keep an environment safe. For now, here are some simple steps to make security a daily consideration: