Because I'm all about the "good enough."

Friday, January 13, 2012

Eating the security dog food.

I kept meaning to get back to Rafal Los's post on "The God Complex" -- and answer his question.

Are you an exception to your own security policies?
To which my answer is (was): no.  In fact, as a CISO I tried hard to follow every policy.

Why?  Because if it was too annoying for me, if it kept me from getting something important done, then it was probably obstructing other people too, and I should change the policy.

Admin rights?  There should be policies governing their access too -- arguably even more of them, because the more access you have, the higher the standard you should be held accountable to.  For their own protection as well as that of the users, admins should be able to demonstrate that there are checks on their powers and activities, and that they can be open about what they're doing.  It's harder to be accused of nefarious activities if you are completely above-board, show that you're willing to be subject to appropriate limits, and make a point of relinquishing any sole powers you might have.  Call it CYA, call it leading by example, whatever.  It's ethically important.

Not only is it the right thing to do, but it also helps in user relations.  A lot of security is about telling people that they're Doing Something Wrong.  And if you're going to be telling them that, then you'd better be doing things Right yourself. 

Now, constructing things so that everyone has accountability checks all the way up to the top can be harder than you think.  It can end up being "turtles all the way up," so to speak.  In every organization there's going to be an Ultimate Decider, and the Ultimate Decider is always someone who is too busy to do that deciding.  He or she will want to delegate parts of that responsibility back down the chain, leading to conflicts.  For example, someone can end up being deputized to submit and approve requests rather than having those broken up into separate duties, or be empowered to monitor the activities of their own bosses.  Sure, there will always be exceptions to policy, but the point is to design them so that they still have checks and balances on them -- not to ignore them and let them be gaping holes in your controls.  They need to be documented five ways from Sunday, approved by as many people as you can hunt down, and changed back to normal as soon as they're no longer necessary.
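To make the "checks and balances on exceptions" concrete, here is an added example (not code from the original post) of a minimal exception register that enforces the three checks the paragraph describes: the requester cannot approve their own request, nobody approves on behalf of their own boss, and every exception expires so access reverts to normal. All names, the org chart and the migration reference are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class PolicyError(Exception):
    """Raised when an approval would violate one of the checks above."""


@dataclass
class PolicyException:
    requester: str                 # who asked for the elevated / sole power
    reason: str                    # the documentation the post insists on
    expires: datetime              # exceptions roll back to normal automatically
    approvers: set = field(default_factory=set)


def approve(exc, approver, reports_to, min_approvers=2):
    """Record one approval; True once enough distinct approvers have signed off.
    reports_to maps a person to their manager (constructed sample org chart)."""
    if approver == exc.requester:
        raise PolicyError("requester may not approve their own exception")
    if reports_to.get(approver) == exc.requester:
        raise PolicyError("an approver may not sign off for their own boss")
    exc.approvers.add(approver)
    return len(exc.approvers) >= min_approvers


def is_active(exc, now, min_approvers=2):
    """Grants nothing until fully approved, and nothing once expired."""
    return len(exc.approvers) >= min_approvers and now < exc.expires


def expired(register, now):
    """Exceptions whose access must be reverted to normal right now."""
    return [e for e in register if now >= e.expires]


def demo():
    """Walk the scenario: self/subordinate approvals rejected, two peers activate, expiry ends it."""
    org = {"dave": "alice"}                                   # constructed: dave reports to alice
    t0 = datetime(2012, 1, 13, tzinfo=timezone.utc)
    exc = PolicyException("alice", "4h DB admin for migration (constructed)", t0 + timedelta(hours=4))
    results = {}
    for who in ("alice", "dave"):                             # both must be refused
        try:
            approve(exc, who, org)
            results[who] = "accepted"
        except PolicyError:
            results[who] = "rejected"
    results["bob"] = approve(exc, "bob", org)                 # first approver: not yet enough
    results["carol"] = approve(exc, "carol", org)             # second approver: quorum reached
    results["active_now"] = is_active(exc, t0 + timedelta(hours=1))
    results["active_later"] = is_active(exc, t0 + timedelta(hours=5))
    results["to_revoke"] = [e.requester for e in expired([exc], t0 + timedelta(hours=5))]
    return results
```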

I'm sure everyone agrees that those with power need to be held accountable for that power, whether it's a government executive, law enforcement officers, the military, or any other person in a leadership position.  In security, you don't need to be a leader to have power, but you still need to be conscious of what you can do, how someone could abuse it, and how you can make sure you're not the one who will do the abusing.  You've got to protect the enterprise from external and internal threats, but one of those threats is you.  Go look in the mirror and start threat modeling.

Why we still need firewalls and AV.

It's become trendy to talk about how ineffective some commoditized security products are, classic firewalls and AV being the poster children for this.  One of Josh Corman's favorite points is that "we never retire any security controls."  But as fond as I am of Josh, I think he's wrong in his implication that we should.

Let's take my firewall.  (Please.)  It's still blocking what it's supposed to block; it's just that the ports that I need to leave open (such as 80 and 443) are now carrying all the traffic as a result, and those protocols are being used to tunnel attacks these days.  The firewall is doing its job; it's just that the job is no longer as sufficient as it used to be, back in the '90s. 

In the same vein, we still have umbrellas, even though they're not terribly useful in a hurricane.  Nobody would tell you to throw away your umbrellas because they're "ineffective" -- nobody, that is, except the maker of a Next-Generation Umbrella.  (And while we're on the subject of umbrellas: I really hate it when firewalls are described as stopping "millions of attacks per day."  An umbrella isn't rated by how many raindrops it blocks and how wet you didn't get every day. A probe shouldn't count as an attack; it's just a raindrop to a properly configured firewall.)

Now, it's important for a consumer to understand the limits of the umbrella and not to believe that it will stop someone from getting wet in a hurricane.  It's also important for consumers to know that even if the chance of a hurricane in their area is small, there are still tornados, sideways winds and Advanced Persistent Puddles to contend with, and they should plan accordingly.  They shouldn't pay a whole lot for an umbrella that is not going to protect them in all use cases.  But it's still useful for what it does well.

The functions that classic firewalls perform are so commoditized that they're tucked into just about everything right now; I could wear them as earrings if I felt like it and someone made the right form factor.  In the future, it should be a given, and therefore not worth marketing.  But we will always need that functionality for as long as we have network traffic that doesn't automagically inspect and block itself.

Same thing goes with anti-virus.  It's necessary but not sufficient, and it ought to come in every cereal box, not as a standalone product that will completely solve any given problem.  Classic viruses are still out there, and they still need to be stopped, but advances in anti-malware, anti-phishing and other forms of automated defense continue to pick up where classic AV leaves off.  More sophisticated inspection and detection methods need to be developed, but that's a universal problem in security.

My belief is that users need education, not exhortation to throw out perfectly good controls that just aren't covering as much of the attack space as they used to.  They need to know what each security product will and won't protect, and they need to understand this in a non-technical way, just as people have learned over time that air bags plus seat belts are better than seat belts alone, without needing to know the mechanics of how they work, and without having to do threat modeling when they buy a car.

So if you don't agree with me, and you've really stopped using these products, I'd love to hear about how you're addressing those classic threats, and what controls you replaced them with.  (You don't get any points if the threats don't apply to what you're using; of course your toaster doesn't need AV.  But your smart meter just might.)

Friday, January 6, 2012

Well, that was unexpected.

I have to thank whichever sneaky judge it was (and I have my suspicions) who nominated this blog for a Social Security Blogger Award.  Honestly, I only started the blog when I did because I figured it would be disqualified on account of my being a judge as well; obviously I didn't read the fine print.

But there are a lot of great nominees out there (I should know; I picked some), and although I won't be at RSA myself, I'll be watching the bitwaves to see who ends up buying the drinks later that night at the Irish Bank.