29 March, 2007

Not quite 12 steps

I have gotten a few emails regarding the "Transforming Negligence to Non-Compliance" quote.

Basically they said, "What the heck are you talking about?"

It was part of a discussion I had with a counterpart, and I thought it was a great quote.

Now I am going to say something a bit odd. "Transforming Negligence to Non-Compliance" is not a bad thing. It is a good thing, and one of the only ways to get things rolling in an organization that is truly out of touch with its security risk profile.

Think of it as several stages of organizational growth.

Perhaps a counterpart to Grossman's 5 stages of security grief.

It is just a nascent thought process for me, so if anyone wants to expound on it or make it better, feel free. I'll be happy to point to you.

So here are the first few steps.

"Security by Self Delusion" - institutional practices and political momentum make it virtually impossible to point out real security risks.

"Lethargic Negligence" - the problem is just too big to address; for every fire I put out, a dozen pop up. This isn't always intentional negligence (though for some people [mostly comfortable managers] it might be), but it always stands in the way of needed changes.

"Transformation from Negligence to True Non-Compliance" - this comes from a realization that something must be done, and from taking responsibility for acknowledging that fact at a senior organizational level.

"Maturing from Compliance to True Security" - this stage is necessary if you ever want to prevent slipping all the way back to security by self delusion.

"Proactive Risk Management" - the actual practice of identifying true business concerns and the risks of impacts to them, and placing true security around them.

Any organization cycles through these at one time or another. Usually they are at slightly different stages for different parts of their security architecture as a whole. Their firewalls might be good but their OS and application security is crap, or their OS and app security is fine but the linkage between their business controls and their IT SoD is crap. The worst organizations will institutionalize the Self Delusion model and actually swear and sign off that everything is fine. After all, "I have a Policy for that."

So how do you move up? I imagine it is a bit different for every organization. It will always involve some politics. As a matter of fact, if you wanted to, you might be able to call these the "political layers of info security".

The key to moving beyond "Security by Self Delusion" is visibility. True visibility, not the pseudo-transparency provided by 20,000 pages of attestation saying "yea, we have a policy for that". True visibility is gained by actually identifying what is open in your firewalls, how good or bad your patching process is (not just on the "managed" machines but on all of the ones connected to your network), as well as dozens of other specific facts. Get the whole picture, then draw conclusions. Let's be honest here: FUD might not be totally out of place if things are bad enough and it is based on facts. You achieve this by actually having the guts to run vulnerability scans, pen tests and even things as simple as port scans. If your organization is so resistant to transparency that they won't allow that, how about a honeypot and some open sniffers? Outbound IDSes might help as well.

I know there is a lot of talk about how vuln scans are not of value or IDSes are useless. That might be partially true in a healthy security environment, or in one where IPS or even stronger protections are in place, but if your organization is mired in the "Security by Self Delusion" mode, they serve as one potential way beyond it.

So what happens when senior management finally realizes that they have a problem, and not just one but an entire systemic failure? Well: denial, despondence, anger, blame, all of the not-so-fun reactions. Yes, they often shoot the messenger. I am not able to tell anyone how to maneuver around these ones. What I will say is that if you have the facts and avoid placing individual blame (which can be really hard if it is justified, especially if someone is intentionally obfuscating issues), you can probably survive the series of backlashes. At this point the best bet is a series of tactical solutions that provide strategic benefit. Gain control (indirectly) of the firewall and IPS rulesets, facilitate cross-system visibility, HIPS, identification of critical data, ... Every organization will have different tactical needs, but pick a few and fix them as best you can.

Now is the tricky part. The gut reaction of senior management will be to say, "Great, we're OK. Now let's move on to more important things." That is fine to an extent; after all, the real business of IT is to facilitate the real business. But you also have to put structure in place to maintain and improve on the other real issues that didn't seem as painful but might very well carry more risk. You have to put in place a Governance and Policy structure that actually has some teeth but doesn't cripple the company. This is where you start transforming Negligence to Non-Compliance.

I am going to have to try to finish this tomorrow.
