Thursday, December 08, 2011
Information Security Control Worst Practices
I was browsing the Forrester community list where there are frequent discussions on information security policies and controls. My observation is that the audit-oriented mindset of controls is a worst practice that is hindering the implementation of sustainable enterprise security...
I think the individuals asking questions regarding policies and controls are sincere. Likewise, I think industry analysts provide answers to questions asked, but never take the next step to figure out if their audience is truly asking the right questions in the first place. There are general worst practices I have noticed:
1. Most controls cannot be implemented: This occurs for a variety of reasons ranging from the state of current technology to the simple fact that many of them get in the way of the business wanting to do business. How many corporations have a ridiculous policy on mobile device usage? How many of these same corporations have actively funded enterprise projects that run counter to them? There are numerous other examples of this type of idiocy. Information security professionals need to get unimplementable "controls" off the book.
2. Most controls cannot scale: The best example of this scenario is how PCI/DSS came up with their requirements. For example, they did a great thing in requiring credit card merchants to take certain steps for their web-based applications. Did you know that the majority of lost credit cards have occurred via websites that are vulnerable to SQL Injection and Cross-Site Scripting? PCI put in requirements that a code review should occur by someone independent from the developer team. Do you think PCI requires its auditors to know anything about software development?
3. Most controls actually ignore sound risk management practices: Most controls use Boolean logic to ascertain whether you comply or not. The reality of security is more nuanced. Imagine the scenario where you did an audit of two enterprise applications and discovered that one has over one-million OWASP Top Ten vulnerabilities but has only two users, is used only one day a year and can be shutdown when not in use. The other application has only one vulnerability but is used by thousands of employees and is Internet facing. Which one will the auditor get their jolly's off on?
4. Most controls are tightly coupled to how a product is implemented: Walk into a corporation and read their controls on passwords. You will note that many of them somehow magically align to how Active Directory, RACF, etc are configured. Now ask yourself, what happens to the control if you don't use passwords in any form but there is otherwise a vulnerability?
5. Most controls are infrastructure-centric and ignore the concept of assets: Is there anyone who thinks the Federal government will shrink its budget? Is there anyone who thinks that the information security department in their own organization doesn't work like the Federal Government? Ever look at how the business invests money? You may discover that they spend more money on applications than they spend on infrastructure, so wouldn't it make more sense to figure out how to secure the applications over securing the infrastructure? Consider the trend of the business moving their enterprise applications to the cloud. Are the controls and ultimately the solutions that implement the controls portable to the cloud or are they only targeted at the internal infrastructure which is increasingly becoming less critical...
| | View blog reactionsI think the individuals asking questions regarding policies and controls are sincere. Likewise, I think industry analysts provide answers to questions asked, but never take the next step to figure out if their audience is truly asking the right questions in the first place. There are general worst practices I have noticed:
1. Most controls cannot be implemented: This occurs for a variety of reasons ranging from the state of current technology to the simple fact that many of them get in the way of the business wanting to do business. How many corporations have a ridiculous policy on mobile device usage? How many of these same corporations have actively funded enterprise projects that run counter to them? There are numerous other examples of this type of idiocy. Information security professionals need to get unimplementable "controls" off the book.
2. Most controls cannot scale: The best example of this scenario is how PCI/DSS came up with their requirements. For example, they did a great thing in requiring credit card merchants to take certain steps for their web-based applications. Did you know that the majority of lost credit cards have occurred via websites that are vulnerable to SQL Injection and Cross-Site Scripting? PCI put in requirements that a code review should occur by someone independent from the developer team. Do you think PCI requires its auditors to know anything about software development?
3. Most controls actually ignore sound risk management practices: Most controls use Boolean logic to ascertain whether you comply or not. The reality of security is more nuanced. Imagine the scenario where you did an audit of two enterprise applications and discovered that one has over one-million OWASP Top Ten vulnerabilities but has only two users, is used only one day a year and can be shutdown when not in use. The other application has only one vulnerability but is used by thousands of employees and is Internet facing. Which one will the auditor get their jolly's off on?
4. Most controls are tightly coupled to how a product is implemented: Walk into a corporation and read their controls on passwords. You will note that many of them somehow magically align to how Active Directory, RACF, etc are configured. Now ask yourself, what happens to the control if you don't use passwords in any form but there is otherwise a vulnerability?
5. Most controls are infrastructure-centric and ignore the concept of assets: Is there anyone who thinks the Federal government will shrink its budget? Is there anyone who thinks that the information security department in their own organization doesn't work like the Federal Government? Ever look at how the business invests money? You may discover that they spend more money on applications than they spend on infrastructure, so wouldn't it make more sense to figure out how to secure the applications over securing the infrastructure? Consider the trend of the business moving their enterprise applications to the cloud. Are the controls and ultimately the solutions that implement the controls portable to the cloud or are they only targeted at the internal infrastructure which is increasingly becoming less critical...
