Is Jericho something new happening or just a description of what is happening?
Apr 19th, 2009 by Jesper Kråkhede
During a meeting I was told that many customers in the UK view the Jericho documentation only as a description of what is happening, not as a toolkit for actually solving the security problems that arise. Thinking about it, they may be correct in some sense: the documentation is rather high level and is not technically useful in its current state.
The Jericho books should be read as a mindset for someone working in the security field to understand and live by. Jericho does not say that you should not use firewalls, nor does it say that your security solutions must be enterprise-wide. What it gives is a way of thinking about the risks that could arise, and high-level templates for how to solve those problems.
Let's look at a brief example: publishing a year-end report on your website. This document is very sensitive up to a certain point in time, after which it becomes publicly available. For security reasons you have not put it on your website yet but kept it on the file server. In one way or another it leaks out, and the disaster happens.
If you were to work perimeter-security style, you would most probably make sure you had firewalls, virus protection, the correct Access Control Lists, hard drive encryption and backups of the document stored in safe places. Hopefully you also have a risk analysis showing the risks connected to your solution.
Jericho-style security takes the approach of appropriate security in the right places; hence a risk analysis built on more than just infrastructure. It needs to be information-centric: the protection follows the document, not the network segment it happens to sit on. Secondly, identity has to be established so that everything that needs to be logged is logged, and can be tied to a known user or system. Thirdly, secure development should be done to make sure that the applications in use are not vulnerable to attack. Within this I also include ordinary patch management.
And so on…
What is the difference? Jericho takes a bigger and more holistic approach to security. Jericho also focuses on more value-based security; hence calculating asset values, ROSI (return on security investment) models and security layers.
So from my point of view Jericho should be used as a way of thinking holistically and as a review model, not as a recipe. Depending on the risk analysis, different solutions could be implemented where the problem seems to be the same.
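To make the value-based part of this concrete, here is a small ROSI model applied to the year-end report scenario. This is an added illustration, not material from the Jericho Forum's own publications: the control names, costs, loss figures and mitigation ratios are invented for the example, and the layering formula assumes the layers fail independently of each other, which is an optimistic assumption when two controls share a weakness. It uses the usual definitions ALE = SLE x ARO and ROSI = (ALE x mitigation - cost) / cost.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Control:
    """A candidate security control. All figures here are illustrative assumptions."""
    name: str
    annual_cost: float       # yearly cost of buying and running the control
    mitigation_ratio: float  # fraction of the expected loss it removes, 0.0..1.0

    def __post_init__(self) -> None:
        if self.annual_cost <= 0:
            raise ValueError("a control must have a positive cost")
        if not 0.0 <= self.mitigation_ratio <= 1.0:
            raise ValueError("mitigation ratio must lie between 0 and 1")


def annual_loss_expectancy(single_loss_expectancy: float,
                           annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO: the asset value at stake, scaled by how often the event is expected per year."""
    return single_loss_expectancy * annual_rate_of_occurrence


def layered_mitigation(controls: Iterable[Control]) -> float:
    """Combined mitigation of several layers: a loss gets through only if it passes every layer.
    Assumes the layers fail independently, which overstates the benefit when they share a weakness."""
    residual = 1.0
    for c in controls:
        residual *= (1.0 - c.mitigation_ratio)
    return 1.0 - residual


def rosi(ale: float, controls: Iterable[Control]) -> float:
    """ROSI = (ALE x mitigation - cost) / cost, for a single control or a layered set."""
    controls = list(controls)
    cost = sum(c.annual_cost for c in controls)
    return (ale * layered_mitigation(controls) - cost) / cost


def rank_options(ale: float, options: Dict[str, List[Control]]) -> List[Tuple[str, float]]:
    """Rank candidate control sets by ROSI, highest first."""
    return sorted(((name, rosi(ale, cs)) for name, cs in options.items()),
                  key=lambda t: t[1], reverse=True)


# Constructed scenario from the post: premature leak of a year-end report.
SLE = 2_000_000.0  # assumed loss if the report leaks before publication
ARO = 0.05         # assumed: one such leak every 20 years
ALE = annual_loss_expectancy(SLE, ARO)  # 100 000 per year

# Hypothetical controls; costs and ratios are assumptions for illustration, not data.
DOC_ENCRYPTION = Control("identity-bound document encryption", 20_000.0, 0.7)
EXTRA_FIREWALL = Control("additional perimeter firewall", 15_000.0, 0.1)
SECURE_DEV = Control("secure development and patch management", 40_000.0, 0.5)

OPTIONS: Dict[str, List[Control]] = {
    "information-centric": [DOC_ENCRYPTION],
    "perimeter only": [EXTRA_FIREWALL],
    "layered": [DOC_ENCRYPTION, SECURE_DEV],
}

if __name__ == "__main__":
    for option, value in rank_options(ALE, OPTIONS):
        print(f"{option:22s} ROSI = {value:+.2f}")
```

The point the numbers make is the one the post makes in words: the same problem (a leaked report) gets a different answer depending on the risk analysis. With these assumptions the control that follows the information scores best, an extra perimeter device costs more than it saves, and stacking a second layer still pays but with a lower return than the first layer alone, because the second layer only protects the residual risk the first one left behind.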