Security is not Different

Basic fact:  If you give an engineer a set of requirements, they will build to them, whether they are functional requirements or security requirements.

Basic fact:  Businesses use metrics to determine the effectiveness of anything that they do and to assist in making cost/benefit/risk comparisons.  Channeling Jacquith for a moment here, why should security be any different?

Basic fact:  What is the dividing line between quality IT management and quality IT security management?  There is so much crossover that, from what I hear, ISACA tells you you can let QA people serve in some security roles.

Basic fact:  Good project managers do risk management for their project.  Security just adds a different set of considerations.

Basic fact: It all comes down to economics and personnel management, just like  construction, running a restaurant, or engineering a 3-tier major application.

Basic fact:  As an information security manager, I spend 80% of my time doing one of two things–either personnel management or basic project management.

And yet, why do I have people telling me constantly “I can’t do that, I don’t know security”???  One of my core beliefs is that security is not different from anything else, and that as long as we as security practitioners keep some kind of mystique about what we do, it will continue to be a “black art” that nobody else thinks they can do.

• Do You “Do It” or Do You “Get It”?
• Core Belief #4 — Compliance is a Dead-End
• Mike’s Guide to Information Security Policy
• Observations on PCI-DSS and Circular Arguments
• Core Belief #2 — Risk Management Uber Alles

It’s a little-known secret that will get out fairly quickly:  I hate security policy.  I hate writing it.  I hate having to live with other people’s security policy that is just a rehash of the NIST guidance in new packaging.
In light of this, I’m offering up to the world “Mike’s Guide to Information Security Policy”.

First, policy only works when it’s grounded in reality.  That’s why, just like Ludwig Mies van der Rohe, I believe that “less is more”.  Something big and theoretical is OK, but what the server team manager needs is a “how-to” process and checklist for firing an employee without creating an incident.

My policy framework looks roughly like this:

1. Overview:  We like information, it helps us do our job.  The CISO is responsible for creating policy.  Senior Management signs the policy.
2. Risk Management:  We will make cost/benefit/risk comparisons.

The rest is details, and it’s easy to have a skeleton for each control family from whatever framework you want–PCI, 800-53, SoX, 7799, etc.  I use 2 frameworks: 800-53 and ITIL, although sometimes I run into other areas that are normally QA.  I’m not the ITIL policy person, but I realize that if I want to succeed at the information security approval at the Change Control board, I need a Technical Review Board and an Engineering Review Board.  That keeps me from denying changes at the last minute because if I do that, I hurt the business end.  I would rather shape the change further upstream so that it becomes easy to approve at the end of the process.

My rule of thumb on policy is that if I have to make a decision on something 3 times, then it needs to be written down in a policy because there are more people that need to ask but haven’t.

• Response to “What is Information Assurance – The Video”
• Yet More Security Controls You Won’t See in SP 800-53
• Security Assessments as Fraud, Waste, and Abuse
• Some thoughts on QA
• An Open Letter to NIST About SP 800-30

How do you dictate common sense?  That’s the real heart of the problem that people who build compliance frameworks have to struggle with.  You can’t force people to do the right thing when the right thing is not easily definable.

This is why I’m convinced that compliance just doesn’t work for what we are trying to get it to do in the information security world.  You run the risks of either leaving too many loopholes that people can get through too easily, or you end up dictating the solution for people with no flexibility.

About the only way where compliance makes sense is in a very limited scope in much the same way you would use a SLA with an external vendor.  In this case, the compliance rules or a similar SLA are a compensating control for the risk to the buyer.

• The Vendors are Already Jumping on the 07-11 Bandwagon
• In Search of a Better Catalog of Controls
• Core Belief #4 — Compliance is a Dead-End
• Workin’ for the ‘Counters: an Analysis of my Love-Hate Relationship with the CPAs
• Cloud Computing and the Government

JD Meier wrote today about not saving the worst parts until last, and it reminded me of Meals Ready to Eat (MREs).  I should probably lay claim to being the Northern Virginia Master of Obscurisms right now while I have your attention, but let me elaborate for a minute.

A case of MREs is 12 individual meals.  That means that one person can, by the book, live off one case of MREs for 4 days assuming that they eat 3 times/day.  That’s a little excessive, since most people can only eat 2/day because of time constraints.

Inside a case of MREs, there are 12 individual meals.  Some are decent, like spaghetti or tuna with noodles.  Some are not, like omelette with ham or corned beef hash.  Keep this in mind, we’ll be using this little kernel of knowledge later.

So imagine this:  You’re out in the woods for 2 weeks with just your 5-member team and your MREs.  Let’s do the math on what you’re eating:

5 people x 14 days x 2 meals per day = 140 individual MREs or roughly 12 cases.

Now inside each case of MREs there are 2 foul-tasting MREs (omelette and CBH), which means 24 of them total.  If the muldoons eat their favorite MREs first and work down the cases in order of most favorite to least favorite, then the last 3 days we are eating nothing but omelette and corned beef hash, and after being in the woods for 2 weeks, I just can’t bear it anymore.

Bad news does not get better with age.  Neither does the MRE selection!

Moral of this story:  Take the MRE that I throw at you and don’t read what the label says, it’s the luck of the draw.

Secondary moral of this story:  You can’t store up badness and expect to tackle it later.  You have to take it as it comes.

Tertiary moral of this story:  Don’t join the army or work in IT. =)

• Bad Security People
• Cult Crossovers Into Information Security
• When the News Breaks, We Fix it…
• Core Belief #3 — Learn Something from the Cavalry
• MOUT and Risk Management

So it’s that time of the decade again.  I have to fill out more clearance paperwork.

I absolutely hate this stuff.  It has so many hidden undertones, like the neocons want to weed out anybody who doesn’t fit neatly into 5 sheets of “where have you lived, what have you done?”  Or they wanted to punish anybody who has moved around like the military makes you do.

• For example…. how do I find people living in Eugene, Oregon who don’t hate my guts?  Oh yeah, I need to remember 3 of them because I lived in 3 different places in that town.
• And then again, why did I change residences so much between 1999 and  2002?  Let’s see, got out of the army, went to school, and became a victim of Web 1.0.
• Marital status is fun.  You can be either married or divorced, but not at the same time.  I guess I’m supposed to forget those 9 years.

If you really squint and read between the lines, it’s a conspiracy plot against anybody who doesn’t “fit the mold”.  The really scary part is that these are the same people who society depends on to actually create something instead of rehashing the same old tired ways.  Everybody who as innovated is in some ways a rebel, it comes with the territory, so to say.  If you look at the Soviets, they had a love/hate relationship with their scientists.  When they needed innovation, it took relaxing of the social rules.  The nuclear program is a good example.  But then when the scientists got too self-assured or they didn’t need creatives anymore, then it was gulag time.

I think that ultimately it comes down to an interesting factoid:  The psychological profile between most good/talented security people and computer criminals is very much the same.  Think about it–I’m the one guy that they always put in the personnel security handbooks to look out for: the guy who is highly talented, doesn’t have many friends, overlooked for promotion, in a position of high responsibility, has nobody watching them.  The only real difference is that I have a sense of right and wrong, and that’s hard to show up on a questionnaire.

On a side note, I hope a future employer reads my blog some day.  Their one comment will be along the lines of someone who will remain nameless: “Dude, you are obsessed with fish!”

Now that I’m done with this stuff, where did I put my copy of The Shockwave Rider, Ender’s Game, and Catcher in the Rye?  I need a little subversion after exposing my life to The Man.

• Tangling with the Clearance Monsters
• How to Not Let FISMA Become a Paperwork Exercise
• Bacn–It’s Cooked Spam
• Some Thoughts on Comments to My Blog…
• Personnel Turnover

“At some point, all activism devolves into self-loathing.” — Mike Smith

You learn these things when you live in Eugene, Oregon.  I was utterly shocked the first time I saw treesitters driving a brand-new Yukon.

• Clearance Paperwork
• My Favorite Conspiracy Theory
• Simple Thoughts on Simple Rocks
• Self-Quote Time
• Being the Resident Curmudgeon