This is the 4th blog in a series about security and how security is about how you think.
In the last blog, my fictional friend Pete came over to my house and performed a home security assessment. His report just arrived in the mail (secured, of course). As I went over it, I found it very interesting, because it was a huge checklist for all environments, not just my house.
The first section of the checklist was a series of questions that helped define the environment being evaluated. The first few questions were pretty simple – “What is the primary use of the structure?” with the standard answers “Residential”, “Commercial”, “Industrial”, “Educational”, and “Custom”. Very straightforward. The next questions, about the size of the structure, the size of the property, and when it was built and by whom, were easy to answer.
But the next question made me think – “Was the structure built and architected for the current use?” As I mulled that one over, it made perfect sense: the security of a building is tied to its architecture and intended use. Think about it this way – if I’m trying to build a bank, I want to build it from the ground up to be a bank, with all of the increased security that is needed. If I have a restaurant, it’s very hard (but not impossible) to turn it into a bank, but it is going to be expensive, and there may be tradeoffs in the conversion that make it less secure than a building designed to be a bank. Adding bulletproof glass, a lobby and other security features can be done, but the result may not be as good as a building that was intended for that use. I can decrease (not use) some of the security of the building, but I really can’t make it more secure unless it was intended to be that way. The same goes for other types of buildings.
This is also very true of computer systems and environments. I can add security to platforms and environments to improve them, but the result may not be as good as platforms that were designed to be secure in their architecture and design. This is part of the security mindset (“thinking” security) – it’s sometimes possible to add security to something, but it becomes “bolted on” rather than part of the original architecture.
The next section of the report was called “Environment” – these questions were to help understand the location of the building and what risks were around it. The first question was “Where is the building located?” and the answers were “suburbs”, “city”, “farm” and “other”. The next question was the one that I was expecting – “How secure is the environment?” – rated on a scale of 1 to 10, with 1 being low risk and 10 being high risk. This would have been the first question that I would ask if it were a computer system – how visible is the computer system to the Internet?
The next few questions went into assessing the value of the structure and what it contained (which would be different for a home or a business). These questions were to help define whether I’m trying to assess someone’s home, a small restaurant/pizza place or a bank/jewelry store. The same process is used for computer systems to determine the value of the data that the computer system contains – is it a web server, an email server, a database server or a desktop/laptop?
So far, Pete’s report was extremely thorough – it first started with architecture and how the structure changed from the time it was built – and then it started to assess the value of what it contained. This same approach is used to start the reconnaissance and assessment of computer systems. The first step is to gather as much information about the system as possible – how it was built and what it contains – so that we can understand what we have to work with as we start the “what if” questions to understand its security. This will allow us to have the right level of security for the system, given how it was built, what it is used for, and how visible it is.