Posted April 12th, 2007 by rybolov
Compliance is a Dead-End
Compliance is aimed at one thing: limiting risks to the organization that writes or enforces the standard. How’s that for “Bottom Line up Front” writing?
I’ve been a critic of approaching FISMA with an eye toward compliance, and I just recently started to look at PCI. I’ve started to come around to a different way of thinking. It all makes perfect sense for the people who write or enforce the standard–they’re cutting their losses and making the non-compliant organization take the blame. It’s risk management done in a very effective Machiavellian style.
For an organization looking to improve their security posture, taking a compliance-based approach will eventually implode on itself. Why? Because compliance is binary–you are or you’re not. Risk management is not binary, it’s OK to say “well, we don’t meet the standard here, but we don’t really need to.”
If you base your security on compliance, you are spending too much of your time, people, and money on places where you shouldn’t be, and not enough on where you should be. In engineering words, you have had your solution dictated to you by a compliance framework.
The endgame of all compliance is either CYA, finger-pointing, or both. Look at how data breaches with both PCI and the government get spun in the press: “$Foo organization was not compliant with $Bar standard.” As Adam Shostack says, “Data Breaches are Good for You”, the one caveat being “except when you are caught out of compliance and smeared by the enforcers of the compliance framework”.
I remember a post to the Policy, Standards, Regulations, and Compliance list from Mark Curphey back in the neolithic age of last year about “Do organizations care about compliance or do they care about being caught out of compliance?” It makes more sense now that I look at it.
On the other side of the coin, what I believe in is risk management. Risk management realizes that we cannot be compliant with any framework because frameworks are made for a “one size fits all” world. Sometimes you have to break the rules to follow the rules, and there isn’t room for that in a compliance world.
Posted in FISMA, NIST, Rants, Risk Management, What Doesn't Work | 1 Comment »
Posted April 11th, 2007 by rybolov
Learn Something from the Cavalry
Remember the old westerns? The US Cavalry always comes riding over the hill just in the nick of time and rescues the hero à la deus ex machina. It’s almost uncanny how the cavalry manages to show us their sense of timing, but if you’ve ever known or worked with the cavalry, they plan it that way–they’re the first well-known proponents of Just-In-Time methods. Hear me out, and I’ll explain this grandiose statement.
According to the cavalry article at Wikipedia, the cavalry (more specifically, the light and medium cavalry) has the traditional roles of scouting, screening, skirmishing, and raiding. When they engage, they pick the time and place to engage, and that gives them local numerical and firepower superiority when overall they have a disadvantage.
So think back to the Battle of Gettysburg. It’s a classic meeting engagement between two 19th-century armies. You’ve got the Union Army on one side with very active cavalry under Brigadier General Buford scouting out ahead of it. He sees the Confederate Army and chooses the time and place to engage them in order to delay the Confederates and give the Union Army time to occupy the high ground south of Gettysburg. The rest by now is well-known–the Union Army defeats the Confederates by defending the high ground and turns the tide of the war.
How does the cavalry master time and space? They have some advantages that can be summed up in one sentence–they conduct reconnaissance activities in order to mass at critical points and times. In other words, they know how to prioritize and it gives them an advantage on the battlefield.
One other thing that the cavalry realizes is the concept of friction. It’s not a new concept, Clausewitz uses it quite frequently. But it does make sense if you’ve ever gone to war: things are never the best-case scenario. Attack times get delayed because Private Smith left the tripod mount for the M240 in his ruck sack. We can minimize friction to a manageable level, but it’s still present in even the best-planned and best-executed mission.
In information security management, we’re trying to accomplish the same thing. We use metrics as reconnaissance to find out the times and places to mass our forces. We use risk management and triage techniques in order to prioritize our scarce resources to engage and destroy the superior enemy. We account for friction by having a layered approach–if you will, defense in depth. We use our local advantage in order to shape the remainder of the business engagement.
Yes, we have much that we can learn from the cavalry. And in the end, we might ride over the ridgeline just in time to save the day.
Posted in Army, Odds-n-Sods, Rants, Risk Management | No Comments »
Posted April 10th, 2007 by rybolov
Risk Management Above All
I have people come to me all the time relating something to what they want to do with whether a particular system has been certified and accredited yet. My answer is almost always “I don’t care about C&A, I care about risk management!”
I’ve worked on projects where my goal was, if I accomplished nothing else, I was going to teach the team how to do risk management.
Why is risk management so important? Well, for starters, you need to go into information security management knowing and accepting the following facts:
- Fact: There is always a shortage of money
- Fact: There is always a shortage of people
- Fact: There is always a shortage of time
- Fact: You will always have shortages because if you have enough resources for security, you slow down progress on the business end.
Let’s look at a related scenario from a different industry — a hospital emergency room — for some insight. They deal primarily with time and people, and they only have so many resources to manage. That means that they have to prioritize who gets helped first.
Inside of the emergency room, they have a pretty well-established process to determine who gets the help first. They perform triage to evaluate and prioritize patients into categories then they treat the worst first.
Sounds like risk assessment and risk management, doesn’t it? Good information security managers know how to do triage. That’s how you budget out your time, people, and money. The rest is basic project management skills.
Posted in Rants, Risk Management | No Comments »
Posted April 9th, 2007 by rybolov
I was downtown teaching at the City Club of Washington. It was my favorite day of the series: Security Test and Evaluation and Risk Management (SPs 800-42, 800-53A, and 800-30).
Earl Crane of ISM-Community fame jumped in at the last minute (I called him the day before) and gave a good hour’s worth of presentation on Google hacking and the government.
One thing about the Potomac Forum FISMA Fellows program that is very important to understand: It’s only for government employees. The only contractors present are the instructors. That means two things:
- We can teach at a very surprising level of depth because we’re not training our competitors. It leaves the instructors with a bit of a bad aftertaste when you’ve trained somebody to “eat your lunch”. By restricting the participants to government only, I can teach people exactly how I do things and give them examples to take home in a binder.
- Students can talk about particular scenarios in their agency without worrying that the information will go anywhere that it’s not supposed to. There isn’t any press allowed, and no contractors trying to profit from your misfortune (I’m the world’s worst salesman).
Notice the need in there? Each government agency is siloed into their own little information security management world and there isn’t really a community of peers among the practitioners. That’s the niche that the FISMA Fellows program is addressing.
Secretly (Maybe not so secretly because it’s now public knowledge), I love it when people come to my classes and then go back to their agency where they become the “this is how you do it right” gadfly. From time to time I wonder how many people hate me, even though they haven’t met me, simply because I taught their employees how to be a royal PITA. The smart ones don’t hate me–they keep sending more people to be trained.
Posted in FISMA, NIST, Risk Management, Speaking, Technical | No Comments »
Posted April 4th, 2007 by rybolov
We did a very preliminary Pandemic Flu Exercise today. Normally, I wouldn’t be too much worried about things like this when it comes to IT security during a pandemic–we just close out the lights and if the servers die, we’ll fix them after the dust has cleared.
But my organization has a difference from the average IT service provider: we support the first responders from the US Government who need their IT systems up and running in order to get the knowledge shared and the cure to the right places when it’s needed. It’s such a different business driver from normal that I had to pause and think it over the first time I heard it.
So today we did a partial VPN and telework test from another facility. All told, it involved about 30 people. In a couple of weeks, it’s “Global Work-From-Home Day”. One lesson learned: It’s the little things that will get you, like laptop screen real estate and network cables.
Now those of you who know me realize that I’m not that squeamish. However, I did have a 30-second bout of panic when I thought about mass death where everyone in my apartment complex dies out in a pandemic flu. Then I got over it. =)
Like I told my boss, it’s just like the consolidate and reorganize task that the infantryman trains on–restaff key positions and weapons systems, deal with the wounded and dead, communicate to higher, and continue the mission. Now that I can handle.
Posted in Army, FISMA, Outsourcing, Risk Management | No Comments »
Posted April 2nd, 2007 by rybolov
I’ve had 6 incidents over the past month. Nothing earth-shattering, but it makes me wonder why so many, when I’ve been relatively quiet incident-wise for the past 6 months.
All things considered, there are 2 reasons why I’m investigating more incidents lately.
First cause is personnel turnover. We’re a managed services provider, which means operations. Typically, most of our slots are for entry-level server and network administrators. We have had a high level of turnover in the past couple of months.
Second cause is me. People now know to come to me when they suspect a security incident–my shameless internal self-promotion is working somewhat. That means that out of the 6 incidents, there were really only 3 that were valid, the rest were just suspicious activity.
Posted in Risk Management, What Doesn't Work, What Works | No Comments »