so i was gonna just post some pictures and do a little ranting, but my good buddy is on the same page as me w/o either of us knowing it. he wrote up this blurb here, and i think it fits where my head is at right now...
so first the pics and rants, and then i'll see if i can thread this into a cohesive post... ;)
alright, so i found this sticker in a hotel in FL. i might be missing something here, but if i understand correctly, this is some type of "security control". it says, "this sticker must be on all vending machines, and if it isn't then call this number to get a reward!"... ok, so run that past me again. the florida legislature expects consumers to be vigilant enough to notice the absence of a sticker, and then also expects that the consumer has pre-recorded a hotline number so they can call when they see that the sticker isn't there? seems like it puts a large burden on a "user" to enforce compliance... i'm really not sure what this is supposed to solve anyway. perhaps these machines have a tax levied against them or something? i donno, if i was a crook, i think i'd just make a fake sticker, since there are no anti-counterfeiting devices to make it tough to duplicate...
i found this one out at a client site... i guess this is some type of passive-aggressive outreach program? i can't think of a better way to entice a potentially reluctant user to come forward with information than to imply that he/she is a pest, and that _really_ they shouldn't think they might be wasting your time or anything.
anyway, those both cracked me up...
so here's how i see this tying in w/ the jdm rant. in the oft-repeated words of my mentor, "security is a process, not a product." this means that we have to look at things (someone smack me for using this word) holistically. yea, it's great that you have a strong password policy and that you update your machines on patch tuesday, but you're shooting yourself in the foot by having all of your shares running everyone/full-control and leaving that script you used to set your new local admin passwords out where anyone can stumble over it.
i don't really agree that user education is the first place we should look to make things better. security is a frame of mind, and some people just don't think that way. kinda like how some people are great at algebra but suck at geometry and trig, or vice versa. it is a monumental task to try to get tens or hundreds of people to change their innate way of thinking. again, to paraphrase my mentor, why should i give them the choice to do the right or wrong thing? i'd much rather take away their ability to make mistakes. if, for technical or political reasons, you can't stop them from making mistakes, then try to make the mistakes as hard and/or painful to make as possible.
it isn't our job to bring people around to our way of thinking, so they can navigate treacherous waters safely without us. our job is to create systems and processes that keep our users from knowing that they are in danger. our job is to teach them not to put their hand on the red-hot burner on the stove, but we can't expect them to have full comprehension of a subject matter which we devote our careers to.
every day when you drive your car you engage in one of the most potentially lethal activities you'll ever undertake (unless you're a cop or a soldier, etc). and yet millions of people do it w/ complete ease every day. they do it without a care in the world. they do it while talking to friends and loved ones. they do it while putting on make-up, and eating, and sometimes reading a book. (note that these people help make it more dangerous for the rest of us ;) they engage in this activity because we have a series of processes that give them comfort. they have a seatbelt snugly around their bodies. they believe that if there were a crash, airbags will deploy and keep them from harm. there are general rules for use of the road, and these rules are loosely enforced by trustworthy individuals who keep the most dangerous among us from causing too much damage.
here we have an extremely high-risk activity which is well managed. we have a general barrier for entry (age, license testing, and insurance requirements), and we have pain for non-compliance (tickets, revocation of privileges, raising insurance rates, and jail time). there will be crashes, and there will be fatalities. but for the most part, these loose controls keep the herd in line, and manage the risk well enough that business can continue.
a 2U box in a rack can't devise a system like that for your org. instead of dropping thousands or hundreds of thousands on security hardware, hire someone who knows what they're doing and what to look for to come in and look over your environment, and then _implement their findings_. if you can swing it, hire them on full time. a real infosec ninja can do more benefit for your org w/o spending a dime than any appliance will ever be able to provide. that's the good news.
the bad news is that it isn't nifty hollywood hacker shit. there are no uber-replicating bunny viruses we can fight on the monitor in real time, and unfortunately we never get to see angelina jolie removing hawt leather clothing in the course of doing our jobs. no, when it gets right down to it, and when you cut out the mystique, our jobs as infosec professionals can be kinda tedious. we're managing risk. we're weighing possibilities and guessing at attack vectors. what is the biggest bang for the buck i can get improving your security? what is the most likely compromise? how much will it hurt you if incident X occurs, and how can i reduce the likelihood that it happens?
in this business, we can only make you as strong as your weakest link. if you're only going through the motions w/ infosec, if you're just looking to check that checkbox and get back to "real" work, then we can't help you.
Subscribe to:
Post Comments (Atom)
1 comment:
Stupid checkboxes for complianc -- that's the key: passing those stupid tests. It really upsets me when I see someone falsify those checklists. When will it change?
Post a Comment