Securing the CIRT: Walk the talk

Opinion
Jun 30, 20053 mins

* Practice the security you preach

For many months, I have been dipping into the Department of Defense CD-ROM called “Introduction to Computer Incident Response Team (CIRT) Management” in my series on CIRTs. This week I want to expand on a theme presented late in that course: the importance of securing the CIRT and more broadly, of using our own advice.

The course narrator very properly notes:

“Once the CIRT becomes known, it will be an attractive target for intruder attacks. A security breach at your CIRT site can be devastating to your reputation and have repercussions for the commands you support; in terms of security procedures, practice what you preach. You will need to provide solid physical, host, and network security in addition to appropriate staff training.”

He continues:

“A compromise of any data related to incidents can have legal repercussions as well as financial and credibility consequences. What types of data need to be secured? Incident reports, electronic mail, vulnerability reports, and even briefing notes and slides.”

More generally, all security personnel should be scrupulous in respecting security regulations and best practices.

I was just chatting before I wrote this piece with some security officers at a large corporation who were doing a due-diligence interview with me before approving enrollment for one of their employees in our graduate program. The questions centered around the confidentiality of company-specific information in the case study reports that the student would submit for grading during the 18-month program.

I explained that no student is expected to reveal his or her employer’s name or even location; that students use an internal e-mail address defined by our teaching platform and used on our access-controlled extranet; and finally that all of our instructors are themselves security professionals. I said that it is a matter of course for security professionals to be under nondisclosure whether a contract is signed or not – at least, to maintain a professional reputation. We all agreed that working in security eventually affects our behavior in a reflex way; we laughed that it’s almost impossible not to look away when someone enters a password on a keyboard.

Another example of practicing what we preach is backups. For a security professional to lose data because of a lack of backups would be intensely embarrassing.

I constantly urge my students to do backups of their schoolwork so that they never have to repeat what they have already done in case of a disk failure or a human error. Personally, I can demonstrate that I do a differential backup every day, clone my main computer’s disk to my laptop at least once a week (actually daily when I’m teaching undergraduate courses) and create a full backup to DVDs once a month. I’ve only had a few occasions over these last decades when I needed those backups, but the minor effort involved was more than repaid by the ease of recovery and by the ability to look someone straight in the eye when telling them how to protect their data.

We have to walk what we talk.