
Hotel Showerheads

If you've done a fair amount of traveling, then you've inevitably noticed the wide variety of showerheads in showers throughout the country (and possibly the world). For as simple as the function needs to be, it's remarkable to me just how complex some of these devices can be. There are now showerheads with a dozen or more variations available, which seems rather odd to me given that really all you want is a steady stream of water to soak you and rinse you when the time comes.

In thinking about this in the shower this morning, on the road yet again and wondering how to work the overly complex - and partially functioning - showerhead in front of me, it occurred to me that the security industry is often much like these showerheads. In many ways, we have a tendency to grossly overcomplicate things when we're failing at the most fundamental practices. This is not to say that we should throw away the tech that we have and revert to sticks, stones, and fires in front of offices, but it does seem to me that if we can't get the basics right, then what makes us think we can get anything else right?

This line of thinking of course raises the question of what exactly are, or should be, considered fundamental security practices. What are the basic features of a security function? Undoubtedly, the answer varies depending on your perspective, but it seems to me that, at a minimum, security should include: primitive risk management, basic assessment, general training & awareness, and basic policies and standards. Each of these covers a key area within infosec without which we end up seeing a lot of churn and general fail.

Primitive Risk Management
Though perhaps not your starting point, you need a primitive (information) risk management program underpinning any security program. At its most fundamental level, primitive info risk mgmt does the following:
1) Define Risk Context: In contrast to formal risk mgmt frameworks, the objective here is very simple. Define key terms, like High, Medium, and Low in business terms that make sense. That's all. If you cannot define these terms in the business context, then everything else related to risk will be skewed due to being unanchored. The other piece here is defining what is important to the business. Key people? Key data? Key systems? Getting a quick hit list drawn up that says "without X we cannot function."
2) Communicate General Tolerance Stance: From the top down, the basic tolerance for risk must be communicated. This is a wordy way of telling your team, for example, to work diligently to tackle all High Risk items first and foremost. That is to say, this step is all about telling the organization what is important.
3) Assess Risk: On a regular basis risk needs to be measured. This can be done through something as basic as an annual review and gap analysis, or preferably on an ongoing basis. However, don't go overboard. Yes, you need basic data, but you're focusing on primitives here. Your goal is functionality, not heavily documented and rigorous formality.
4) Perform Remediation: Based on findings, remediation should be performed as necessary. Oftentimes this fits with the break-fix mentality, which can be adequate. The key is getting this primitive cycle operating such that you can quickly assess and then attack problems within a basic environment and structure.

Basic Policies & Standards
Perhaps more than anything else, you need some basic policies in place to protect your organization. These don't need to be over-the-top, but they may be required to meet certain regulations, and should generally integrate with your primitive risk mgmt approach. If nothing else, you need to articulate authority for a security program and then give it teeth to require implementation of controls and practices. Fundamentally, policies need to set the basis for processes, procedures, and standards to be deployed either now or in the future. Oftentimes you can rely on canned policy frameworks, for better or for worse, though one needs to be mindful that this approach can result in unenforced or unenforceable policies and standards that could put your organization in legal jeopardy.

Focus on the basics: authorization of the security program, requirements for implementing controls, lists of minimum controls, etc. In general, the objective is to give people a place to go for understanding security requirements, upon which good practices can be based. Don't worry about going into excessive detail or achieving completeness out-the-door. On the other hand, look for opportunities to expedite the process, such as through the emerging offering from LockPath.

BTW, don't forget to establish key processes around vital areas such as incident response, business continuity, and access management. The more you can formalize these processes early on, and then communicate them through a basic training program, the less pain you'll experience when incidents (of various types) occur in the future.

Basic Assessment
With no information about your organization you cannot perform quality analysis and make good decisions. As such, you need basic assessments to start generating some of that data. Initially, this may just be basic nmap and nessus scans. However, over time you should seek to expand this capability to do more in-depth testing of systems, networks, and applications. Nonetheless, starting with basic scans, typically using automated (and free/open-source) tools, is a great way to begin assessing the state of your environment.

General Training & Awareness
One of the most underrated and most effective security countermeasures is training and awareness. Basic topics include clearing desks, being careful with sharing information (including what you should not disclose through social media sites/applications), being wary of different types of common attacks (e.g. malware, phishing, social engineering), and so on. 30 minutes twice a year can do wonders for improving security awareness and practices in an otherwise limited environment. Basic information on passwords, authentication, proper handling of mobile computing and communication equipment, etc.: all of these topics are ripe for being addressed in basic training programs.



Comments (1)


Good stuff Ben. You have to get the fundamentals right, or everything else can (will) fall apart quickly.

It is interesting where inspiration strikes us, isn't it?



This page contains a single entry from the blog posted on September 30, 2009 12:16 PM.


Creative Commons License
This weblog is licensed under a Creative Commons License.