Both sides of security
After a recent discussion, I realised that as a techie my take on security might be a little skewed. I used to subscribe to the industry journal SC Magazine, which used to arrive and make its way promptly to the office toilet to be added to the pile of, er, break-time reading.
Typically for trade publications it was pitched at the CTO level, and was essentially a glossy sponsored advert for various boxes that could be plugged into the network and automagically solve all network ills, complete with a nicely priced support contract.
I used to be quick to disdain this type of publication as simply box-shifting nonsense, reasoning that real security was to be found in my iptables configuration, SSH keyrings and carefully crafted ACLs. It’s tempting to think of security as a configuration task: one that is a process which must be continually reviewed, but a technical configuration task nonetheless.
A number of years ago I assisted with a drive to bring a hosting service up to scratch and compliant with BS7799. That security standard has now been ratified by the ISO as ISO/IEC 27002: Information technology - Security techniques - Code of practice for information security management.

Whilst a little painful, the exercise exposed a few glaringly obvious and not-so-obvious failings in the way the company conducted itself in terms of security. If you take the time to read over the outline of the standard you may find that you’re already doing quite a bit of the required work without even knowing it. By taking a few short steps and submitting to the formal certification you’ll gain extra confidence that you’re following industry best practice, and can pass this assurance on to your clients.
For example, got a DR site? You’re well on your way to satisfying section 11 of the standard: "Business continuity management". Tied your Solaris authentication into your Windows Active Directory LDAP tree and adopted a change and review procedure to altering access? You’re well on your way to satisfying section 8.
I’ll wager that most shops that are already managing their systems in a sensible way would not have to put in too much extra work to get a bona fide certification that they’re doing things the right way.
Of course it should be remembered that a framework such as ISO/IEC 27002 is just that: a framework. It won’t tell you how to configure TCP Wrappers, it won’t protect your private SSH keys, and it won’t make sure you’ve patched everything under the sun so that it no longer uses sequential transaction IDs and/or source ports in DNS requests.