Diagnosing security problems: Always look for the root cause

Security problems within an enterprise are almost always the result of a failure within the organization's IT operational procedures. By focusing on the problems and not the underlying cause of their existence, security professionals fail to provide their customers with all the arrows in their quiver to get ahead of the curve in security.

As IT security professionals it doesn't take much to become jaded to the problems we discover on our customer's networks. I often say "I cannot believe it!" after seeing what amounts to stupid errors that leave companies at huge risk. But the tactical problems are almost always the symptom of a broader IT operational problem. People who do not run a tight ship operationally usually do not have a good security practice organizationally. It sounds obvious, but many times the people who hire us to analyze their infrastructure are not necessarily the same people who manage it, and those same people are more technically focused than organizationally focused.

IT security is a dynamic endeavor. What was secure yesterday might not be secure tomorrow. What is secure on one platform might not be fine on another. Due to security's dynamic nature, to manage it, your customers must have a comprehensive understanding of their environment, and have a formal and documented procedure to deploy it, and to mange change within it. Without knowing exactly what their network and its entire components look like, they cannot manage change on it.

A sustained secure network is the product of the following formal, written, adhered-to operational procedures:

Often times, security problems can be traced back to weaknesses in these procedures, which, if not addressed, can cause further problems down the road. If you are conducting an assessment and find problems with an organization's security, take a wide view of the IT department and look at how they conduct business. Check for formal, written procedures, enforcement of

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Channel Issues & Commentary The pros and cons of offering specialized security services PCI compliance: Web application firewall vs. code review How to leverage integrated security and storage Making the most of selling antivirus services Should VARs embrace the monoculture? How to recession-proof your information security business Top five security service provider tips of 2007 How to maintain healthy relationships with small security vendors Incident response services: A five-step program for security VARs Find the best security engineers for your managed services Information Security Service Provider Concerns Survey: Financial services sector may soon start spending on security HP partners with Fortify Software for secure application lifecycle offering New IBM-Avaya partnership to cover unified communications security AirPatrol launches wireless security partner program IBM launches social networking community for partners Kaspersky Lab and Juniper Networks extend affiliation SonicWall announces new managed service provider program Merging the channels: McAfee and Secure Computing half a year later Offering cloud computing security services to customers Event log management programs boosted by standards, survey finds

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

policies, and most importantly, change control. When you're hired to do an assessment, a formal review of the administrative controls is usually not in scope, so ask the tactical engineering teams if they have change control, configuration management and a security policy. They are the people who implement and manage the network, so if they have not heard of them, it really does not matter if they exist or not.

When I write a report of findings for a security assessment, a penetration test or other technical security review, I include a section called Root Cause Analysis. In my experience the majority of the time the paragraph is the same: the organization does not have or does not enforce strong IT operational procedures, which always leads to the corresponding security problems. I re-enforce this finding in the executive summary and make it an explicit part of any discussion with the customer. I also state that although I didn't formally review the procedures for completeness or accuracy, based on the findings and discussions with the engineering staff, it appears that there is a weakness. I tell them that without an examination of the root causes of the findings, they might remain in a reactive mode, rather than getting a handle on the laundry list of "To Dos" that come with a security assessment.

Root cause analysis adds little time to an assessment but lots of value your customers. They will appreciate that you are adding a dimension to your reports that give them a direction and path toward fixing the cause of their problems, not just a list if issues that are the symptom of their problems. Remember, repeat business comes to consultancies that add a tangible value to their customers, and root cause analysis does exactly that.

About the author
Adam Rice is a Manager at VeriSign'sGlobal Security Consulting. VeriSign's Global Security Consulting Services help Fortune 500 companies understand corporate security requirements, navigate the maze of diverse regulations, identify security vulnerabilities, defend against and respond to attacks, reduce risk, and meet the security compliance requirements of your business and industry.

Adam has authored several white papers and technical articles on security professional services and emerging threats to the Internet community. He has an extensive background working in security professional services product development and business delivery.