Dojo Con 09
Transcript of Dojo Con 09
Compliancy, Why Me?
Living with the Compliance Staff, a BSOFH Guide
Michael Smith
Who is Michael Smith?
• 8 years active duty Army
• Graduate of Russian basic course, Defense Language Institute, Monterey, CA
• DotCom survivor
• Infantryman, deployed to Afghanistan (2004)
• CISSP #50247 (2003), ISSEP (2005)
• Former CISO, Unisys Federal Service Delivery Center
• Currently a Manager in a Big Four Firm
Compliance is the arsenic and cyanide of the
information security world!
Source: Wikimedia Commons
Since it’s Election Week
How many of you hate compliance? How many of you love compliance? How many of you think “meh”? How many of you are out in the lobby?
But First, a Dramatization…
Hi, I’m from the Compliance Team, I’m here to help!
And the Security Engineering Team is glad to have you here!
Here’s a report for you to look at on our current compliance status.
Wow, it’s big.
Your project is out of compliance with Section 15 of the FROBITZ Act of 1994. This is troublesome!
First of all, what the hell does that mean? And secondly… why should I care?
It means you have to fix it.
I can't do it—the YoyoDyne Frobulator is the only product that fits our needs.
But the rulebook says...
I’m not going to do it. Besides, the rulebook was made by a bunch of old men who have no idea what technology is.
You suck and are a rogue cowboy.
You suck and are a wannabe data center lawyer.
This guy is brain-damaged and I can’t work with him. We’ll never be secure now.
This guy is brain-damaged and I can’t work with him. We’ll never be secure now.
Questions
Who’s right? Who’s wrong? Are we doomed to forever live out this tragedy? Why can’t we all just *sniff* get along?
With compliance, you can
strong-arm people into doing
your bidding.
Source: Wikimedia Commons
The Problems with Compliance
• Cost Effectiveness
• Complexity
• Scope
• Skillset Issues
• Decision-makers are removed from the consequences of their decisions
My View of the World*
• Each layer only knows the one above and below it
• Traditional IT security focuses on the Enterprise and Project layers
• Everything meets in the midddddddle!!!
*There will be a test later on this.
The Gap in the Security Workforce
Compliance:
• Top-down
• Focus on controls
• Risk is many-leveled: “How much is enough?”
• Tools focus on reporting/dashboards
• Not Sexy
Technical/Operational:
• Bottoms-up
• Focus on threat
• Risk is binary: “did/will we get pwned or not?”
• Tools focus on automation
• Very Sexy
$8B Question: How do we bridge this gap?
Professor Rybolov Says
I need more public-policy wonks who have technical and operational skills to understand their own framework and strategy, and I need more techies who understand how to build viable regulatory schemes for sustainability of their tactical successes.
Phrase of the Minute
Direct and Indirect Costs
Phrase of the Hour
Audit Burden
Phrase of the Day
Commodity Service
Phrase of the Week
Opportunity Costs
Phrase of the Month
Leveling Effect
Phrase of the Year
Regulatory Capture*
*There will be a test later on this.
Regulatory Capture Examples
• Cyberwar, Cyber-Katrina, Cybergeddon, Cyberpocalypse, Cyberdouchery
• SANS 20 Critical Security Controls
• WAFs and Automated Code Review
And a Quote for Free
Compliance is a Self-Licking Ice Cream Cone
--One of my favorite BSOFHs
Source: Wikimedia Commons
So there isn’t any magic where we become ultra-compliant?
Compliance Exercise: Requirement
SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
Control: The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
Source: SP 800-53
Compliance Exercise: BSOFH Answer
Just use DNSSEC you n00blette!
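An added evidence check for the SC-21 exercise above (example code written for this page, not from the slides or their author): it reads a `dig +dnssec` response as a recursive resolver returns it and decides whether that resolver performed the origin authentication and integrity verification the control asks for. The dig transcripts are constructed samples; `example.test` and the signature bytes are placeholders.

```python
# Added example, not from the slides: an evidence check for the SC-21 control
# quoted above. It reads the header and answer section of a `dig +dnssec`
# query as a recursive resolver returns it and reports whether that resolver
# validated the response. All three transcripts are constructed sample data.
import re

# Constructed: a validating resolver sets the "ad" flag and returns the RRSIG.
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.  3600 IN A     192.0.2.10
example.test.  3600 IN RRSIG A 13 2 3600 20300101000000 20200101000000 12345 example.test. c2lnbmF0dXJl
"""

# Constructed: a resolver that forwards RRSIGs but never checks them (no "ad").
UNVALIDATED = VALIDATED.replace("ra ad;", "ra;")

# Constructed: what a validating resolver returns when a signature check fails.
BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

def parse_dig(text):
    """Return (status, set of header flags, set of RR types in the answer)."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([a-z ]*);", text)
    rrtypes, in_answer = set(), False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";;") or not line.strip():
            in_answer = False
        elif in_answer and len(line.split()) >= 4:
            rrtypes.add(line.split()[3])      # owner ttl class TYPE rdata...
    return (status.group(1) if status else None,
            set(flags.group(1).split()) if flags else set(), rrtypes)

def sc21_verdict(text):
    """Map one dig answer to an SC-21 evidence verdict."""
    status, flags, rrtypes = parse_dig(text)
    if status == "SERVFAIL":
        return "rejected"          # resolver refused a bogus answer (or is down)
    if "ad" in flags and "RRSIG" in rrtypes:
        return "validated"         # origin authentication and integrity done
    if "RRSIG" in rrtypes:
        return "unvalidated"       # signatures passed through, never checked
    return "unsigned"              # zone unsigned or +dnssec not requested
```

The `ad` flag is only evidence if the client trusts the path to the resolver; a client on an untrusted network has to validate for itself, which is a different control discussion.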
WTF People?
Why is this disconnect there?
Rybolov’s Law
My solution is only as good as my auditor’s ability to understand it.
Compliance Truthiness
• One Framework does not rule them all
• You can’t anticipate every single scenario
• The rules don’t always apply
• If you deviate from the rules, audit burden will kill you
• You have to interpret what the regulatory framework says
And More Importantly
Compliance is awesome if it’s your rules!
The more non-compliant you are, the more we can forgive you for!
Source: Wikimedia Commons
Revisiting an Issue
The key problem with compliance as a concept is that the decision-makers are removed from the consequences of their decisions.
What my First Sergeant Told Me
“There are only 3 leaders in the Army: Team Leader, Squad Leader, and Platoon Leader. Everybody else is just support.”
UR Doing it Wrong
• When it comes to security, who is the customer here and who is support?
• Where is the groundswell from the bottom looking for support?
Protip: Self-Regulation is the Shizzle!
• Be careful what you ask for in regulation and laws, you just might get it.
• PCI-DSS sucks, but would you rather have the Government telling you how to do it?
• Committees suck, but at least the output is somewhat palatable.
• Having a small voice sucks, but it’s better than no voice at all.
• If you don’t participate, you become bound by other people’s rules.
Remember This One?
Regulatory Capture
The Road Ahead
• Bridge the 2 worlds and heal the rift
• Fix what you can at your level
• Bring the smart people together
• Build community standards that give you the support that you need
• Tell the higher layers that you have the situation under control
• ???
• Profit!
Source: Wikimedia Commons
Compliancy: it’s not so bad after all as long as you’re driving the oxcart!
Questions, Comments, or War Stories?
http://www.guerilla-ciso.com/ rybolov(a)ryzhe.ath.cx