Recently in musings Category

In Brief: InfoSec Island may not post what you submit, but instead grab text from your blog (whether authorized or not). When I filed a complaint, their first response was to threaten to delete the post, and they ultimately deleted my account (and then posted the entire email exchange to pastebin). If you post to their site, then don't be surprised if you and your post are abused. If you complain, expect to be told that you don't matter. In the end, despite being urged to reach out to me, they have not taken steps to resolve the matter.

Strong Recommendation: If you're a writer, I cannot urge you strongly enough to avoid or flee InfoSec Island. If you're a reader, then I strongly recommend that you not use their site any further. A business that profits from and exists because of the free contributions from people like me does not deserve continued patronage when it clearly disrespects the people who provide the content upon which it bases its business.

This post is derived from an interesting Twitter exchange that I had with Branden Williams last week, which resulted in his writing up a couple of related blog posts. You can read those posts here:
* "Myth Busting With Ben Tomhave"
* "Corporate Responsibility with Ben Tomhave"

The first issue was a simple question I asked about whether or not a QSA was still required if a business had an ISA. To my great surprise, Branden responded that not only was a QSA not required, but it never had been! His response even surprised a couple other QSAs. I'll go into this more below, but suffice to say that when you dig into each card brand's requirements, it turns out that self-certification is allowed with the signature of a company officer.

The second thread that came out of the original discussion revolved around the topic of businesses needing to become competent on PCI requirements (or, what's reasonable to expect), as well as a sidebar about whose risk is actually being managed. We'll discuss these topics as well.

This is a follow-up to my last post ("3 Common Ways Security Fails People"). After posting it, someone on Twitter quickly asked if I had any ideas for fixing these common problems. Well, of course I have ideas! :)

Soooo... rather than be one of those non-constructive criticizers of all things infosec, here are three solutions to the three problems:

Nothing gets me going in the morning like a good ol' fashioned dust-up over "security" measures interfering with my ability to get stuff done. It just reminds me of how far we still have to go in order to fix all the wrongs of our past lives. Here are three (3) areas in which I think infosec fails people and shoots itself in the foot, undermining credibility for the future.

"If you think a weakness can be turned into a strength, I hate to tell you this, but that's another weakness."
Deep Thoughts by Jack Handey

This post has been percolating for a few weeks now. Part of it was triggered as I read Taleb's The Black Swan, part of it was triggered by attending the ISSA International Conference a few weeks ago and hearing the same old quips, and part of it was triggered this morning by reading stories about yesterday's DARPA cybersecurity conference.

The challenge to this whole post is going to be keeping a coherent thread, so let me spell it out up-front: If "securing networks" is your goal, then I hate to tell you, but you've already failed. A strictly threat-centric approach to infosec is the failed approach we've been using for decades, and it's not going to solve any problems. The real problem is that we've lost sight of what is really important (assets!), and are not constructing our environments, defenses, etc., in a manner that is optimized toward protecting those things. More on this later.

Don't Toss Out the RM Baby!


A quick little semi-rant... I've reached the point where my tolerance has been exceeded. It's very simple, really.

Risk Management != Risk Assessment or Risk Analysis

There, I said it. No, seriously, if you listen to all the "risk" haters out there these days, you'd swear that the failings or limitations of a risk assessment or risk analysis methodology were equivalent to "proof" that risk management as a whole is faulty and a failure. Nothing could be farther from the truth.

Case in point: Many people who have no training in or understanding of quantitative methods like FAIR love to hate on those methods because of the "imperfect data" argument (newsflash: all data is imperfect). "We don't know what we don't know, therefore it's all wrong." The response to that quip is a separate post (coming soon!), but suffice to say, the limitations of a specific method DO NOT prove that an overall management process is somehow inadequate, wrong, or a failure.

The 2008 credit crisis is not the result of poor risk management. Rather, it demonstrates the failure of traditional ORM risk assessment / risk analysis methods, which failed to properly account for a number of key risk factors, and which also overlooked major exposures (for more on this, see the "Modern ORM" paper).

So, the next time someone tells you that "risk management is a failure," please ask them not to throw out the RM baby with the bathwater, and instead prod them into explaining their quip, which will inevitably lead to complaints about risk assessment or risk analysis, which is not equivalent to RM.

That is all.

I recently gave a talk based on my "Scaling Risk Management" blog post (and an upcoming article). The talk was generally well received, but there was a particular question that I didn't get a chance to answer, and thus thought I'd elaborate on it a bit here.

During the talk I cover some "fundamentals" in order to baseline the conversation. I go through common terms and what their generally accepted definitions are, highlighting discrepancies between a few industry definitions of common terms (including "risk"). Part of that discussion covers risk tolerance vs risk capacity vs risk appetite. Oftentimes these terms get used interchangeably, but they are in fact distinctly different.

Out of Balance


Consider this a philosophical musings post...

I was thinking about balance this morning, wondering how it is that the world could be so crazy. The US political system is completely out-of-whack, with extremism the norm (it seems). We have single whackos propounding theories about the dangers of vaccines, based not on scientific fact or studies (see the science here), but on - at best - related notions. There's a significant anti-science movement afoot. People are putting greater emphasis on faith and belief, all the while being dumbed down by the very machine that manipulates them. We hear reports that Google may be dumbing us down (or not - check that - turns out, the science was misinterpreted). This is our new status quo: ignorant commentators who are expert in nothing telling us what to think, leveraging emotional tricks of manipulation rather than a sound reliance on science and fact. Sounds exactly like the infosec industry with all the recent reports, doesn't it?

Preface: Go read Jericho's post now: "My Canons on (ISC)² Ethics - Such as They Are"

It's been a career-long dilemma in infosec: to get the CISSP or not to get the CISSP? I finally broke down in 2003 and took the exam, all at personal expense. My career had reached a point where the only way to get past the mindless recruiter/HR drones was to have those 5 letters after my name so that they could check the box and move an application along. It was annoying.

Not long after getting certified, I joined the CISSPforum mailing list. It was interesting for a while, but quickly fell into a repetitive pattern. The same people would dredge up the same whiney complaints every few months. The "discussions" would go in the same circular patterns. No meaning would come of it.

I'm going through a "questioning everything" stage, which I'm sure some of you will find annoying, but hopefully it'll also be worthwhile in the end. One of those questions is "What are the actual minimum security practices that should be followed by all personnel?" It's an interesting and somewhat challenging question because, despite having no shortage of source materials to answer the question at length, I'm not necessarily convinced that many of the traditional "requirements" are either necessary or universal.

Thus far, all I've been able to come up with is this short list:
* Have a reasonably long password/passphrase.
* Practice safe computing/browsing.
* Don't share sensitive information (e.g., trade secrets, passwords).
* Protect your physical devices (e.g., phones, laptops).
* Report incidents, suspicious behavior, and related concerns.

That's about it. I'm sure there are more things, but in my somewhat jaded and cynical mindset (at the moment, anyway), I'm having a hard time thinking about what else might be universally applicable to all employees in a company.

What do you think? What am I missing?

This blog is licensed under a Creative Commons License.