June 21, 2013 by
Tied in Silk Ropes - A subtler way to infosec
This was originally posted on blogger here.
After reading the Infosec Jerk's Problem blog, I wanted to suggest another way of dealing with the constant struggle between infosec and the rest of the organization. It's a method I've used to great effectiveness in multiple situations and it normally leaves all parties happy, (or at least not unhappy with you).Lets take an example, department X comes by with a new requirement to open ports between Y and Z. The standard infosec answer is 'no'. The normal resolution is "how big an issue is X willing to make this to get what they want"? Can they push it high enough that they can overwride infosec?
Compassionately, you could listen to their arguements, try to see it from their point of view, maybe consider different design options. Many times though, they won't want to change the design and even if you understand their view, your view is still what your view was.
I have a different approach. In true Mafia style, I do you a favor; maybe you do me a favor one day. Rather than make their life harder, request something in return that they don't care about. In the above example, ask them to install a suite of monitoring equipment. You didn't tell them 'no'. You didn't even change their design. You might even have provided the equipment yourself. Instead, you simply asked that they return the favor of you allowing them to do what they wanted by them helping you do what you wanted. It's mutually beneficial.
However, you're going to pick your side of the favor wisely. Your goal is not to solve this one-off problem but create a change in how business is done. If you ask EVERY person who wants to open ports to install that monitoring suite, well, that suite has now become standard for boundaries. If every time someone asks to plug A into B, even temporarily, you request they simply put in a firewall (even if it has almost no rules), eventually, a firewall becomes standard for connecting things.
What about when people ask you to agree to not raising a fuss when they want to do something that causes security risk, (and we're speaking relatively minor)? You say, "yes, that's fine, but I need you to fill out this risk form. I'll analyze it and accept it." You've now created a risk acceptance and tracking program. The next step is to say "Well yes, I'll sign the risk form, but I need to include when you DO plan on patching." Now you have them generating mitigation plans. You'll follow with, "Ok, but I want an update when you do mitigate it. If I don't get one, I'll check up and potentially rescind the acceptance". Now you have continuious oversight. Finally, you'll get to the point where you can say, "gee, I don't think this risk is acceptable. We should elevate." In effect you've established a risk program without ever having to force fight anyone to get it.
This works for many things. It can be installing new systems, allowing vulnerabilities to persist, making new connections, opening ports, etc. You can get all sorts of things out of it: firewalls, IDSs, policies, procedures, authority, and more. And the people will love you for doing it. You'll be tieing the binds of security tight, but you'll be doing it softly and slowly with silk ropes. In the end the ties that bind will be just as tight and secure as if you'd tried to force them on people, but you'll have done it without having to have a single fight.