In order to think about security, we’ve got to think about what we’re really trying to accomplish. How do we answer the million-dollar question “How do I know that I’m secure?”
Let’s start with a simpler question – “How do I know that my car is secure?” (not a million-dollar question, unless you’re driving a Lamborghini, I know I’m not). Let’s assume that we’re parking our car – we go through a mental checklist to make sure it is secure:
So, when I leave my car, I run through this checklist and if all five conditions are set, then my car is secure. But what happens when I leave? I really need to keep checking this checklist periodically to make sure all five conditions are still true and my car is secure.
This mental checklist is a good example of another security tenet – the security POLICY. It’s a list of conditions, settings, etc. that you want to be true – your checklist proves that everything is the way you expect them to be. Writing down a security policy for your car isn’t hard – you do this every day. There may even be additions to this list (such as to make sure the parking brake is set, wheels turned into the curb when I’m on a hill, etc.).
Let’s make the problem more complicated – how do you know that your house or apartment is secure? We have certainly much more to deal with (Have I left the water running? Did I leave the iron on?). I also have to consider any other people who live there – are they all following the same checklist? I can probably write this all down into one large security policy, but it would be a huge job. Can I get help with this from somewhere?
Sure – for example, if the company that makes my Internet-connected toaster provides me a guide as to how to make sure their appliance is secure, that would make my life easier. I now just have to take all of the guides of products used in my house to see how I can make my house secure. It is really THAT easy? Or if the person who built my house did this job for me – then it would be even easier. It’s not easy – it’s a complicated problem – different houses are built with different products and those products may have been installed or configured differently. The house may even have changed since it was built (to upgrade or to fix something that was broken).
Let’s now bring this to computers. Computers are very much like houses – made of many parts and products. Each part/product/program really needs to have a checklist/policy defined on how that it is supposed to be set up and used. It would be easiest if the computer maker gave me one for everything that you can run on his system (these are called STIGs = Security Technical Implementation Guides, or Security Guides for short), but that’s really a big task to tackle. What usually happens is that the user winds up pulling multiple checklists together to make up their local security policy. The easier this process is, the more secure you can be.
This is another way that you already think security. When you want to make sure something is secure, you compare how it is now to the checklist (the “policy”) that you’ve defined to make sure that it is the way you want it to be. This object could be your car, your Internet-connected toaster, your house or apartment, or your computer system.