Avoiding Formulaic Security

Sunday, February 21st, 2010

The problem with information security these days is the emphasis on checklists and so-called “best practices” that may not be appropriate for all situations. For the sake of simplicity and consistency, the security field has evolved into a cookbook-type approach. Everyone gets the same recipe and is expected to execute it in the same way, but we don’t live in a one-size-fits-all world. Instead of applying so-called “best practices” across the board, we should be using risk analysis techniques to determine the best controls for our organization. The current training opportunities turn out security professionals who know which activities to perform and which patterns to follow, but can’t tell you why. The problem with this is that they have no idea what to do when the situation doesn’t fit their patterns, or, even worse, they apply the same checklists even when those checklists don’t address the actual risks. Have you ever interviewed someone who is very technically savvy and tried asking them why they do something a certain way? The scary thing is that most people can’t explain why. They have just always done it that way, or been told to do it that way, and never questioned it.

If you are transferring sensitive data over the network, then you need to encrypt it every time. But why are you encrypting it? What problem are you trying to solve? What risk are you trying to mitigate? Having checklists and baselines makes it easy for security novices to apply a minimal level of protection without having to understand the intricacies of information security, and it also provides a basis for auditing. Just think about how many times you have gotten a recommendation from an auditor or third-party consultant where it is clear that they don’t understand the real risks for your organization. I can’t tell you how many times I have seen recommendations that identify a “high” risk that should really be listed as low risk if you understand the business model of the organization.

We need to train our senior security professionals in the field to perform a real risk analysis and not just accept the established cookbooks for security. Even NIST seems to be moving in this direction with the latest draft of their SP800-37 guide for Certification and Accreditation, which is now totally based on a risk management approach. This is clearly the future of the field: more dynamic and flexible approaches to security that base recommendations on the particular risks of each scenario, not a single pattern for the entire field. Just look at the Payment Card Industry: I don’t think that anyone would say the PCI requirements have made retail companies more secure, just compliant.

As the threat landscape continues to shift, your old checklists and formulas for information security just aren’t going to cut it anymore. If you want to stay ahead, or just keep up, you need to understand the fundamental components of a solid information security program and decide how to apply them given the particular risks to your organization. I think that “best practices” should be considered dirty words in the field. How can a single list of “best practices” possibly apply to my organization and yours in the same way?