Dojo Con 09

Compliancy, Why Me? Living with the Compliance Staff, a BSOFH Guide Michael Smith

Who is Michael Smith?
8 years active duty army
Graduate of Russian basic course, Defense Language Institute, Monterey, CA
DotCom survivor
Infantryman, deployed to Afghanistan (2004)
CISSP #50247 (2003), ISSEP (2005)
Former CISO, Unisys Federal Service Delivery Center
Currently a Manager in a Big Four Firm

Compliance is the arsenic and cyanide of the information security world! Source: Wikimedia Commons

Since it’s Election Week
How many of you hate compliance?
How many of you love compliance?
How many of you think “meh” ?
How many of you are out in the lobby ?

But First, a Dramatization… Hi, I’m from the Compliance Team, I’m here to help!

But First, a Dramatization… And the Security Engineering Team is glad to have you here!

But First, a Dramatization… Here’s a report for you too look at on our current compliance status.

But First, a Dramatization… Wow, it’s big.

But First, a Dramatization… Your project is out of compliance with Section 15 of the FROBITZ Act of 1994. This is troublesome!

But First, a Dramatization… First of all, what the hell does that mean? And secondly…why should I care?

But First, a Dramatization… It means you have to fix it.

But First, a Dramatization… I can't do it—the YoyoDyne Frobulator is the only product that fits our needs.

But First, a Dramatization… But the rulebook says...

But First, a Dramatization… I’m not going to do it. Besides, the rulebook was made by a bunch of old men who have no idea what technology is.

But First, a Dramatization… You suck and are a rogue cowboy

But First, a Dramatization… You suck and are a wannnabe data center lawyer.

But First, a Dramatization… This guy is brain-damaged and I can’t work with him. We’ll never be secure now. This guy is brain-damaged and I can’t work with him. We’ll never be secure now.

Questions
Who’s right?
Who’s wrong?
Are we doomed to forever live out this tragedy?
Why can’t we all just *sniff* get along?

With compliance, you can strong-arm people into doing your bidding. Source: Wikimedia Commons

The Problems with Compliance
Cost
Effectiveness
Complexity
Scope
Skillset Issues
Decision-makers are removed from the consequences of their decisions

My View of the World*
Each layer only knows the one above and below it
Traditional IT security focuses on the Enterprise and Project layers
Everything meets in the midddddddle!!!
*There will be a test later on this.

The Gap in the Security Workforce
Compliance
Top-down
Focus on controls
Risk is many-leveled: “How much is enough?”
Tools focus on reporting/dashboards
Not Sexy
Technical/Operational
Bottoms-up
Focus on threat
Risk is binary: “did/will we get pwned or not?”
Tools focus on automation
Very Sexy
$8B Question: How do we bridge this gap?

Professor Rybolov Says
I need more public-policy wonks who have technical and operational skills to understand their own framework and strategy
and
I need more techies who understand how to build viable regulatory schemes for sustainability of their tactical successes

Phrase of the Minute
Direct and Indirect Costs

Phrase of the Hour
Audit Burden

Phrase of the Day
Commodity Service

Phrase of the Week
Opportunity Costs

Phrase of the Month
Leveling Effect

Phrase of the Year
Regulatory Capture*
*There will be a test later on this.

Regulatory Capture Examples
Cyberwar, Cyber-Katrina, Cybergeddon, Cyberpocalypse, Cyberdouchery
SANS 20 Critical Security Controls
WAFs and Automated Code Review

And a Quote for Free
Compliance is a Self-Licking Ice Cream Cone
--One of my favorite BSOFHs

Source: Wikimedia Commons So there isn’t any magic where we become ultra-compliant?

Compliance Exercise: Requirement
SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
Control: The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
Source: SP 800-53

Compliance Exercise: BSOFH Answer
Just use DNSSEC you n00blette!

WTF People?
Why is this disconnect there?

Rybolov’s Law
My solution is only as good as my auditor’s ability to understand it.

Compliance Truthiness
One Framework does not rule them all
You can’t anticipate every single scenario
The rules don’t always apply
If you deviate from the rules, audit burden will kill you
You have to interpret what the regulatory framework says

And More Importantly
Compliance is awesome if it’s your rules!

The more non-compliant you are, the more we can forgive you for! Source: Wikimedia Commons

Revisiting an Issue
The key problem with compliance as a concept is that the decision-makers are removed from the consequences of their decisions.

What my First Sergeant Told Me
“ There are only 3 leaders in the Army: Team Leader, Squad Leader, and Platoon Leader. Everybody else is just support.”

UR Doing it Wrong
When it comes to security, who is the customer here and who is support?
Where is the groundswell from the bottom looking for support?

Protip: Self-Regulation is the Shizzle!
Be careful what you ask for in regulation and laws, you just might get it.
PCI-DSS sucks, but would you rather have the Government telling you how to do it?
Committees suck, but at least the output is somewhat palatable.
Having a small voice sucks, but it’s better than no voice at all.
If you don’t participate, you become bound by other peoples’ rules.

Remember This One?
Regulatory Capture

The Road Ahead
Bridge the 2 worlds and heal the rift
Fix what you can at your level
Bring the smart people together
Build community standards that give you the support that you need
Tell the higher layers that you have the situation under control
???
Profit!

Source: Wikimedia Commons Compliancy: it’s not so bad after all as long as you’re driving the oxcart!

Questions, Comments, or War Stories?
http://www.guerilla-ciso.com/
rybolov(a)ryzhe.ath.cx

http://www.guerilla-ciso.com	236
http://www.sevillasecandbeer.org	55
http://www.slideshare.net	2
http://translate.googleusercontent.com	2

Dojo Con 09

by Michael Smith on Nov 07, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

4 Embeds 295

Statistics

Dojo Con 09 — Presentation Transcript