Security is a very broad subject and, unfortunately, one that doesn’t deal in absolutes. There is no magic pill and no consultant who can tell you “just use this and you’ll be totally secure”; if they do, they’re not being honest. Security is all about compromise: a compromise between level of security, level of acceptable risk, level of inconvenience and cost.

By increasing security you increase cost and inconvenience to the user, yet decrease the level of risk that the organization needs to sustain. If we look at this trade-off as a graph, however, we notice that the relationship is not linear. At some point close to the top of the graph, the cost of added security relative to its benefit increases exponentially; that is, it will cost a lot more to slightly reduce the risk to the organization. It is generally about here that the cost-to-benefit ratio is optimal, and this is the point one should aim for.


As I mentioned before, security is not an absolute. It is very important to realize that, no matter what you do, it is impossible to achieve 100% security, and striving for 100% security is generally ill-advised. As mentioned above, once past a certain point costs increase dramatically, the business of security starts to seem too expensive to be practical, and that in turn leads to the biggest risk of them all – the weak link.

What do I mean by the weak link? Like many things in life, security is a collection of factors working together, and the strength of that collection is not the sum of all its parts but only the strength of its weakest part.

Assume that someone has a house which he wants to secure, and that he decides to go all the way and overdo it to get as close to the 100% security level as possible. He installs a vault door as his front door, puts bulletproof glass in all the windows and puts titanium bars in front of each one of them. He has reinforced concrete on each wall, making his home look like a bunker, and even puts a guard at his front door on a 24-hour watch. Now let’s assume that, for whatever reason, he leaves a pretty flimsy back door, maybe even one facing a dark alleyway. Leaving the back door aside, a thief would have a pretty hard time trying to get in – the security level of this house is just too high. But then there is the back door: flimsy, easily opened with minimal force and facing a dark alleyway. Now the whole thing seems just too easy, right?

The story above also applies to our IT infrastructure, only we have perimeter security instead of a front door, firewalls instead of guards, databases and servers instead of windows, and internal security instead of back doors. Each element on our network can be an attack point: servers, workstations, people, wireless infrastructure, network points, routers, email, storage devices and more. As in the story above, each attack point needs to be secure, and it is a bad idea to focus on achieving a very high level of security on only a couple of them because they seem more critical than the others. This is because, as in our house example, a malicious person needs to break only one point to get to the prize, not all of them.

Take a scenario where the aim is to protect against the disclosure of our client database data. It is an internal database, so the first step is to secure it against external access. We put firewalls and various safeguards in place to ensure that it cannot be accessed from the outside. We also apply all patches and security fixes to the database in a timely manner and spend a lot of money to ensure good physical security. We also implement email security software and put policies in place to ensure that no one can accidentally or intentionally send private data out via email. Let’s also assume that a lot of money and power were spent to ensure that these points have the best security possible.

Excellent, the infrastructure is very well taken care of, but one thing was overlooked in this scenario – the human element. One of the sales team, who has legitimate access to the server, decides that he is not paid well enough and that he could do better on his own. After all, he has a nice client list to get him started. So one day he gets to work, queries the database he has legitimate access to and dumps all customer data into a file. He then connects his USB storage device, which he might be legitimately allowed to take to work (this could be his phone or music player, since lots of devices nowadays have ample storage), copies the data and goes home with the company’s client list data. He waits patiently for a month or two so as not to raise any red flags and quietly quits the company. A weakness in one system just made all the security efforts useless.

Protect as much as possible

The secret to effective security is primarily to cover all bases and to cover those bases as well as is economically viable. Everyone has limited budgets, and the trick to effective security is not using that budget to get the most expensive solution possible so as to protect the critical systems, but rather to spread that budget and get the best security-to-cost ratio across all systems. Try to cover all the bases. A network consists of hardware, software, a physical element and a human element. It is also essential to keep in mind that security is not just a matter of buying software to protect systems and deploying that software; security is also about educating people. This aspect is just as important as any other and, unfortunately, is often overlooked.

Finally, as I mentioned at the beginning of this post, security is not an absolute subject, because no matter how much time, money and effort are invested, there will be times when it fails, and for these times there is yet another aspect to security. When your security is compromised, it is very important to detect it as quickly as possible, and it is equally important to have a disaster recovery plan that will allow you to deal with the event in a timely manner. Disaster recovery can help a business save money and retain customers; ideally it will never be used, but it’s much better to have it and never use it than to need it and not have it.