Five phases of security

This will hopefully start a mini-series on some thoughts around security. I don't know if they'll be daily, weekly, or neverly, but we'll see.

These days, everyone seems focused on preventing attacks on software -- predominantly through the use of firewalls and defensive coding techniques -- but there's more to life than just prevention. (On the Windows platform, many people are also used to detecting and removing malicious software through the user of virus or spyware scanners, and although users of other platforms may scoff at this and pretend it's just a Windows problem, it really is a problem for all successful platforms).

Let's take a look at how we might protect a house:

First of all, many people display a "This house protected by BigSecurityFirm" sticker on their front door or window as a way to deter attacks on the house. It doesn't really matter if the house is protected by BigSecurityFirm or not; many attackers will see that the house claims to be protected, figure it's not worth the hassle, and move on to the next (easier) target.

Assuming that the sticker doesn't act as a deterrent, the next thing that stops people is the lock on your door. It helps prevent people from entering the premises, even if they want to. Again, some attackers will realise that trying to atack the house is not worth the effort, and move on to the next house, which might have cheaper locks.

If the attacker is persistent, they may be able to compromise (or circumvent) the locked doors and gain entry into the house. This is when you're subscription to BigSecurityFirm comes in handy, because the alarm system will detect the attackers in your house and alert the authorities. It may also let the attackers know they have been detected, although not all alarms do this.

If the attackers get away with your shiny new VHS player (ha ha ha, I bet kids these days don't even know what that is! 🙂 ) your insurance policy helps you recover from the attack by providing a replacement VHS unit, re-keying your locks, and doing anything else necessary to put your house back in order.

And finally, the police can come to your house and use fingerprints, video surveillance, eyewitness reports, and other information to perform forensic analysis on the attack in an attempt to catch the attackers and learn how to prevent similar crimes in the future.

So to sum up for those who don't see the bold text, we have identified five phases for properly securing our house:

·          Deterrence

·          Prevention

·          Detection

·          Recovery

·          Analysis

My next entries in this series (if it ever gets off the ground!) will be to provide some thoughts on how we (we-as-in-developers, not just we-as-in-Microsoft) can incorporate these five phases in our software as well, in the hope that we might make it better.

Are there other phases you can identify? You could argue there was a phase that precludes the five I have listed -- motivation -- but this discussion presupposes somebody wants to attack you so I won't really talk about how to mitigate it (hint: get rid of everything you own and go live in a cave).

Comments (6)

  1. Darrell says:

    I have found a significant shortcoming on determining the business value around data. These include:

    – The lifetime of the data (data that is only active/applicable for 5 seconds does not need as long a key as data that will be around forever).

    – The cost of loss, both financial and intangible (loss of customer confidence).

    – The probability of loss.

    – Requirements for performance, functionality, and budget.

  2. Peter Torr says:

    Good points Darrell. Perhaps I can weasel this in as a meta-theme.

    One other thing to think of is not just how much you will lose in a successful attack, but also how much the attacker will gain. These can be very different values depending on the circumstances!

  3. Joe says:

    I think the Detection phase should be expanded to include active resistance. This is more than detection and what may/should come after/as alerts are sent out.

  4. Peter Torr says:

    Thanks Joe.

    I was actually going to lump that in with "prevention" (eg, part of an animal’s defences against beint hurt in an attack come from "fighting back") but you’re right, it does straddle the line. How can you fight back unless you’ve "detected" a problem? I guess in my original breakdown "prevention" covers stopping attacks (which may include detecting them to some degree) whilst "detection" covers detecting a successful attack. I’ll rethink it a bit more and maybe add another phase.

    Also, the more I think about it, the more "motivation" does play a part, but I’ll lump that in with "deterrence" as stated.

Skip to main content