Dojo Con 09

Compliancy, Why Me? Living with the Compliance Staff, a BSOFH Guide Michael Smith


My presentation for DojoCon 2009 talking about compliance, where it fails, and how to make life better.

Transcript of Dojo Con 09

Page 1: Dojo Con 09

Compliancy, Why Me?

Living with the Compliance Staff, a BSOFH Guide

Michael Smith

Page 2: Dojo Con 09

Who is Michael Smith?

• 8 years active duty Army
• Graduate of Russian basic course, Defense Language Institute, Monterey, CA
• DotCom survivor
• Infantryman, deployed to Afghanistan (2004)
• CISSP #50247 (2003), ISSEP (2005)
• Former CISO, Unisys Federal Service Delivery Center
• Currently a Manager in a Big Four Firm

Page 3: Dojo Con 09

Compliance is the arsenic and cyanide of the information security world!

Source: Wikimedia Commons

Page 4: Dojo Con 09

Since it’s Election Week

How many of you hate compliance? How many of you love compliance? How many of you think “meh”? How many of you are out in the lobby?

Page 5: Dojo Con 09

But First, a Dramatization…

Hi, I’m from the Compliance Team, I’m here to help!

Page 6: Dojo Con 09

But First, a Dramatization…

And the Security Engineering Team is glad to have you here!

Page 7: Dojo Con 09

But First, a Dramatization…

Here’s a report for you to look at on our current compliance status.

Page 8: Dojo Con 09

But First, a Dramatization…

Wow, it’s big.

Page 9: Dojo Con 09

But First, a Dramatization…

Your project is out of compliance with Section 15 of the FROBITZ Act of 1994. This is troublesome!

Page 10: Dojo Con 09

But First, a Dramatization…

First of all, what the hell does that mean? And secondly… why should I care?

Page 11: Dojo Con 09

But First, a Dramatization…

It means you have to fix it.

Page 12: Dojo Con 09

But First, a Dramatization…

I can't do it—the YoyoDyne Frobulator is the only product that fits our needs.

Page 13: Dojo Con 09

But First, a Dramatization…

But the rulebook says...

Page 14: Dojo Con 09

But First, a Dramatization…

I’m not going to do it. Besides, the rulebook was made by a bunch of old men who have no idea what technology is.

Page 15: Dojo Con 09

But First, a Dramatization…

You suck and are a rogue cowboy.

Page 16: Dojo Con 09

But First, a Dramatization…

You suck and are a wannabe data center lawyer.

Page 17: Dojo Con 09

But First, a Dramatization…

This guy is brain-damaged and I can’t work with him. We’ll never be secure now.

Page 18: Dojo Con 09

Questions

Who’s right? Who’s wrong? Are we doomed to forever live out this tragedy? Why can’t we all just *sniff* get along?

Page 19: Dojo Con 09

With compliance, you can strong-arm people into doing your bidding.

Source: Wikimedia Commons

Page 20: Dojo Con 09

The Problems with Compliance

• Cost Effectiveness
• Complexity
• Scope
• Skillset Issues
• Decision-makers are removed from the consequences of their decisions

Page 21: Dojo Con 09

My View of the World*

• Each layer only knows the one above and below it
• Traditional IT security focuses on the Enterprise and Project layers
• Everything meets in the midddddddle!!!

*There will be a test later on this.

Page 22: Dojo Con 09

The Gap in the Security Workforce

Compliance:
• Top-down
• Focus on controls
• Risk is many-leveled: “How much is enough?”
• Tools focus on reporting/dashboards
• Not Sexy

Technical/Operational:
• Bottoms-up
• Focus on threat
• Risk is binary: “did/will we get pwned or not?”
• Tools focus on automation
• Very Sexy

$8B Question: How do we bridge this gap?

Page 23: Dojo Con 09

Professor Rybolov Says

I need more public-policy wonks who have technical and operational skills to understand their own framework and strategy, and

I need more techies who understand how to build viable regulatory schemes for sustainability of their tactical successes.

Page 24: Dojo Con 09

Phrase of the Minute

Direct and Indirect Costs


Page 25: Dojo Con 09

Phrase of the Hour

Audit Burden


Page 26: Dojo Con 09

Phrase of the Day

Commodity Service


Page 27: Dojo Con 09

Phrase of the Week

Opportunity Costs


Page 28: Dojo Con 09

Phrase of the Month

Leveling Effect


Page 29: Dojo Con 09

Phrase of the Year

Regulatory Capture*

*There will be a test later on this.

Page 30: Dojo Con 09

Regulatory Capture Examples

• Cyberwar, Cyber-Katrina, Cybergeddon, Cyberpocalypse, Cyberdouchery
• SANS 20 Critical Security Controls
• WAFs and Automated Code Review

Page 31: Dojo Con 09

And a Quote for Free

Compliance is a Self-Licking Ice Cream Cone

--One of my favorite BSOFHs


Page 32: Dojo Con 09

Source: Wikimedia Commons

So there isn’t any magic where we become ultra-compliant?

Page 33: Dojo Con 09

Compliance Exercise: Requirement

SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)

Control: The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.

Source: SP 800-53

Page 34: Dojo Con 09

Compliance Exercise: BSOFH Answer

Just use DNSSEC you n00blette!

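The two slides above pose the exercise (the SC-21 control text) and the BSOFH answer (DNSSEC) without showing how you would prove to an auditor that the resolver actually validates. The following is an added example, not code from the talk or from SP 800-53: a dependency-free Python check built on the DNS wire format (RFC 1035 header flags, RFC 4035 AD bit, RFC 6891 EDNS0 OPT record). A validating recursive resolver answers a query that carries the EDNS DO bit with the AD (Authenticated Data) flag set for a correctly signed zone, and returns SERVFAIL for a zone whose signatures are bogus; the script builds such a query, parses the response header, and maps it to a verdict. The helper names, the transaction id and the header-only sample responses are constructed for this example.

```python
"""SC-21 evidence check: does the recursive resolver set AD on DO-flagged queries?

Added example (not from the slides).  Wire-format constants follow RFC 1035,
RFC 4035 and RFC 6891; all function names and the sample data are assumed.
"""
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2)
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data: resolver validated the answer
FLAG_CD = 0x0010   # checking disabled
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a recursive query carrying an EDNS0 OPT record with the DO bit set."""
    # header: id, flags, qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR (RFC 6891): root name, type 41, UDP payload 4096, ext-rcode 0,
    # version 0, flags with DO (0x8000), rdlength 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(msg):
    """Return (txid, flags, rcode) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, flags, flags & RCODE_MASK


def classify(response):
    """Map a resolver response to an SC-21 evidence verdict."""
    _, flags, rcode = parse_header(response)
    if not flags & FLAG_QR:
        return "not-a-response"
    if rcode == RCODE_SERVFAIL:
        return "servfail"      # expected for a deliberately bogus test zone
    if flags & FLAG_AD:
        return "validated"     # resolver authenticated origin and integrity
    return "unvalidated"       # answer came back, but nobody validated it


def query_resolver(resolver_ip, name, timeout=3.0):
    """Send the DO-flagged query over UDP and classify the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return classify(data)


def make_sample_response(flags, rcode=0, txid=0x1234):
    """Constructed header-only response so the logic can be exercised offline."""
    return struct.pack("!HHHHHH", txid, FLAG_QR | flags | rcode, 0, 0, 0, 0)


if __name__ == "__main__":
    # Offline demonstration with constructed responses
    for label, resp in [
        ("signed zone, validating resolver", make_sample_response(FLAG_RD | FLAG_RA | FLAG_AD)),
        ("signed zone, non-validating resolver", make_sample_response(FLAG_RD | FLAG_RA)),
        ("bogus zone, validating resolver", make_sample_response(FLAG_RD | FLAG_RA, RCODE_SERVFAIL)),
    ]:
        print(f"{label}: {classify(resp)}")
    # Live check against your own resolver, e.g. query_resolver("192.0.2.53", "example.com")
```

To turn this into audit evidence, run it against each recursive resolver in scope with one correctly signed name and one name from a test zone you control whose signatures are deliberately broken: "validated" for the first and "servfail" for the second is what SC-21 asks for, while "unvalidated" for the first means the resolver is not validating at all. The AD bit is only meaningful on the path between the client and its resolver, so the check must be run from where the resolver's clients actually sit, not from the resolver host itself.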

Page 35: Dojo Con 09

WTF People?

Why is this disconnect there?


Page 36: Dojo Con 09

Rybolov’s Law

My solution is only as good as my auditor’s ability to understand it.

Page 37: Dojo Con 09

Compliance Truthiness

• One Framework does not rule them all
• You can’t anticipate every single scenario
• The rules don’t always apply
• If you deviate from the rules, audit burden will kill you
• You have to interpret what the regulatory framework says

Page 38: Dojo Con 09

And More Importantly

Compliance is awesome if it’s your rules!

Page 39: Dojo Con 09

The more non-compliant you are, the more we can forgive you for!

Source: Wikimedia Commons

Page 40: Dojo Con 09

Revisiting an Issue

The key problem with compliance as a concept is that the decision-makers are removed from the consequences of their decisions.

Page 41: Dojo Con 09

What my First Sergeant Told Me

“There are only 3 leaders in the Army: Team Leader, Squad Leader, and Platoon Leader. Everybody else is just support.”

Page 42: Dojo Con 09

UR Doing it Wrong

• When it comes to security, who is the customer here and who is support?
• Where is the groundswell from the bottom looking for support?

Page 43: Dojo Con 09

Protip: Self-Regulation is the Shizzle!

• Be careful what you ask for in regulation and laws, you just might get it.
• PCI-DSS sucks, but would you rather have the Government telling you how to do it?
• Committees suck, but at least the output is somewhat palatable.
• Having a small voice sucks, but it’s better than no voice at all.
• If you don’t participate, you become bound by other peoples’ rules.

Page 44: Dojo Con 09

Remember This One?

Regulatory Capture


Page 45: Dojo Con 09

The Road Ahead

• Bridge the 2 worlds and heal the rift
• Fix what you can at your level
• Bring the smart people together
• Build community standards that give you the support that you need
• Tell the higher layers that you have the situation under control
• ???
• Profit!

Page 46: Dojo Con 09

Source: Wikimedia Commons

Compliancy: it’s not so bad after all as long as you’re driving the oxcart!

Page 47: Dojo Con 09


Questions, Comments, or War Stories?

http://www.guerilla-ciso.com/ rybolov(a)ryzhe.ath.cx