Diagnosing security problems: Always look for the root cause


Adam Rice
09.18.2007


Security problems within an enterprise are almost always the result of a failure within the organization's IT operational procedures. By focusing on the problems and not the underlying cause of their existence, security professionals fail to provide their customers with all the arrows in their quiver to get ahead of the curve in security.

As IT security professionals, it doesn't take much to become jaded to the problems we discover on our customers' networks. I often say "I cannot believe it!" after seeing what amounts to stupid errors that leave companies at huge risk. But the tactical problems are almost always the symptom of a broader IT operational problem. People who do not run a tight ship operationally usually do not have a good security practice organizationally. It sounds obvious, but many times the people who hire us to analyze their infrastructure are not necessarily the same people who manage it, and those same people are more technically focused than organizationally focused.

IT security is a dynamic endeavor. What was secure yesterday might not be secure tomorrow. What is secure on one platform might not be fine on another. Because security is dynamic, managing it requires that your customers have a comprehensive understanding of their environment and a formal, documented procedure to deploy it and to manage change within it. Without knowing exactly what their network and all of its components look like, they cannot manage change on it.

A sustained secure network is the product of the following formal, written, adhered-to operational procedures:

Oftentimes, security problems can be traced back to weaknesses in these procedures, which, if not addressed, can cause further problems down the road. If you are conducting an assessment and find problems with an organization's security, take a wide view of the IT department and look at how they conduct business. Check for formal, written procedures, enforcement of policies, and most importantly, change control. When you're hired to do an assessment, a formal review of the administrative controls is usually not in scope, so ask the tactical engineering teams if they have change control, configuration management and a security policy. They are the people who implement and manage the network, so if they have not heard of them, it really does not matter if they exist or not.

When I write a report of findings for a security assessment, a penetration test or other technical security review, I include a section called Root Cause Analysis. In my experience, the majority of the time the paragraph is the same: the organization does not have or does not enforce strong IT operational procedures, which always leads to the corresponding security problems. I reinforce this finding in the executive summary and make it an explicit part of any discussion with the customer. I also state that although I didn't formally review the procedures for completeness or accuracy, based on the findings and discussions with the engineering staff, it appears that there is a weakness. I tell them that without an examination of the root causes of the findings, they might remain in a reactive mode, rather than getting a handle on the laundry list of "To Dos" that come with a security assessment.

Root cause analysis adds little time to an assessment but lots of value for your customers. They will appreciate that you are adding a dimension to your reports that gives them a direction and path toward fixing the cause of their problems, not just a list of issues that are the symptoms of their problems. Remember, repeat business comes to consultancies that add a tangible value to their customers, and root cause analysis does exactly that.

About the author
Adam Rice is a Manager at VeriSign's Global Security Consulting. VeriSign's Global Security Consulting Services help Fortune 500 companies understand corporate security requirements, navigate the maze of diverse regulations, identify security vulnerabilities, defend against and respond to attacks, reduce risk, and meet the security compliance requirements of your business and industry.

Adam has authored several white papers and technical articles on security professional services and emerging threats to the Internet community. He has an extensive background working in security professional services product development and business delivery.


All Rights Reserved, Copyright 2006 - 2009, TechTarget