• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Dojo Con 09
 

Dojo Con 09

on

  • 2,342 views

My presentation for DojoCon 2009 talking about compliance, where it fails, and how to make life better.

My presentation for DojoCon 2009 talking about compliance, where it fails, and how to make life better.

Statistics

Views

Total Views
2,342
Views on SlideShare
1,903
Embed Views
439

Actions

Likes
0
Downloads
23
Comments
0

4 Embeds 439

http://www.guerilla-ciso.com 316
http://www.sevillasecandbeer.org 119
http://www.slideshare.net 2
http://translate.googleusercontent.com 2

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • The following presentation contains insights and opinions gathered from over 15 years of combined experience in the government INFOSEC space. It’s interspersed with some humor – security presentations can be pretty dry without it. We hope that this presentation will provide you with the impetus to reemphasize security within your organization, and feel good about doing so. The subtitle means “Automatic, Practical, Good!” and is a play on the Ritter Sport tagline “Quadratisch, Praktish, Gut!” which translates as “Square, Practical, Good!” http://www.ritter-sport.de/
  • Mike’s blog is at http://www.guerilla-ciso.com/ Mike teaches for Potomac Forum http://www.potomacforum.org/ Contact information for Mike is at the end of this presentation.
  • Artwork by Melanie Smith
  • Artwork by Melanie Smith
  • Artwork by Melanie Smith
  • Artwork by Melanie Smith
  • Artwork by Melanie Smith
  • Artwork by Melanie Smith
  • Artwork by Melanie Smith
  • Artwork by Melanie Smith
  • Artwork by Melanie Smith
  • Artwork by Melanie Smith
  • Artwork by Melanie Smith
  • Artwork by Melanie Smith
  • Artwork by Melanie Smith
  • If you would like us to speak for your event or group, please ask. If you would like to learn more and to keep up-to-date on groundbreaking Government security news, subscribe to the guerilla-ciso blog feed. Presentation released under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License. More information available at http://creativecommons.org/licenses/by-nc-sa/3.0/

Dojo Con 09 Dojo Con 09 Presentation Transcript

  • Compliancy, Why Me? Living with the Compliance Staff, a BSOFH Guide Michael Smith
  • Who is Michael Smith?
    • 8 years active duty army
    • Graduate of Russian basic course, Defense Language Institute, Monterey, CA
    • DotCom survivor
    • Infantryman, deployed to Afghanistan (2004)
    • CISSP #50247 (2003), ISSEP (2005)
    • Former CISO, Unisys Federal Service Delivery Center
    • Currently a Manager in a Big Four Firm
  • Compliance is the arsenic and cyanide of the information security world! Source: Wikimedia Commons
  • Since it’s Election Week
    • How many of you hate compliance?
    • How many of you love compliance?
    • How many of you think “meh” ?
    • How many of you are out in the lobby ?
  • But First, a Dramatization… Hi, I’m from the Compliance Team, I’m here to help!
  • But First, a Dramatization… And the Security Engineering Team is glad to have you here!
  • But First, a Dramatization… Here’s a report for you too look at on our current compliance status.
  • But First, a Dramatization… Wow, it’s big.
  • But First, a Dramatization… Your project is out of compliance with Section 15 of the FROBITZ Act of 1994. This is troublesome!
  • But First, a Dramatization… First of all, what the hell does that mean? And secondly…why should I care?
  • But First, a Dramatization… It means you have to fix it.
  • But First, a Dramatization… I can't do it—the YoyoDyne Frobulator is the only product that fits our needs.
  • But First, a Dramatization… But the rulebook says...
  • But First, a Dramatization… I’m not going to do it. Besides, the rulebook was made by a bunch of old men who have no idea what technology is.
  • But First, a Dramatization… You suck and are a rogue cowboy
  • But First, a Dramatization… You suck and are a wannnabe data center lawyer.
  • But First, a Dramatization… This guy is brain-damaged and I can’t work with him. We’ll never be secure now. This guy is brain-damaged and I can’t work with him. We’ll never be secure now.
  • Questions
    • Who’s right?
    • Who’s wrong?
    • Are we doomed to forever live out this tragedy?
    • Why can’t we all just *sniff* get along?
  • With compliance, you can strong-arm people into doing your bidding. Source: Wikimedia Commons
  • The Problems with Compliance
    • Cost
    • Effectiveness
    • Complexity
    • Scope
    • Skillset Issues
    • Decision-makers are removed from the consequences of their decisions
  • My View of the World*
    • Each layer only knows the one above and below it
    • Traditional IT security focuses on the Enterprise and Project layers
    • Everything meets in the midddddddle!!!
    *There will be a test later on this.
  • The Gap in the Security Workforce
    • Compliance
    • Top-down
    • Focus on controls
    • Risk is many-leveled: “How much is enough?”
    • Tools focus on reporting/dashboards
    • Not Sexy
    • Technical/Operational
    • Bottoms-up
    • Focus on threat
    • Risk is binary: “did/will we get pwned or not?”
    • Tools focus on automation
    • Very Sexy
    $8B Question: How do we bridge this gap?
  • Professor Rybolov Says
    • I need more public-policy wonks who have technical and operational skills to understand their own framework and strategy
    • and
    • I need more techies who understand how to build viable regulatory schemes for sustainability of their tactical successes
  • Phrase of the Minute
    • Direct and Indirect Costs
  • Phrase of the Hour
    • Audit Burden
  • Phrase of the Day
    • Commodity Service
  • Phrase of the Week
    • Opportunity Costs
  • Phrase of the Month
    • Leveling Effect
  • Phrase of the Year
    • Regulatory Capture*
    *There will be a test later on this.
  • Regulatory Capture Examples
    • Cyberwar, Cyber-Katrina, Cybergeddon, Cyberpocalypse, Cyberdouchery
    • SANS 20 Critical Security Controls
    • WAFs and Automated Code Review
  • And a Quote for Free
    • Compliance is a Self-Licking Ice Cream Cone
    • --One of my favorite BSOFHs
  • Source: Wikimedia Commons So there isn’t any magic where we become ultra-compliant?
  • Compliance Exercise: Requirement
    • SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
    • Control: The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
    Source: SP 800-53
  • Compliance Exercise: BSOFH Answer
    • Just use DNSSEC you n00blette!
  • WTF People?
    • Why is this disconnect there?
  • Rybolov’s Law
    • My solution is only as good as my auditor’s ability to understand it.
  • Compliance Truthiness
    • One Framework does not rule them all
    • You can’t anticipate every single scenario
    • The rules don’t always apply
    • If you deviate from the rules, audit burden will kill you
    • You have to interpret what the regulatory framework says
  • And More Importantly
    • Compliance is awesome if it’s your rules!
  • The more non-compliant you are, the more we can forgive you for! Source: Wikimedia Commons
  • Revisiting an Issue
    • The key problem with compliance as a concept is that the decision-makers are removed from the consequences of their decisions.
  • What my First Sergeant Told Me
    • “ There are only 3 leaders in the Army: Team Leader, Squad Leader, and Platoon Leader. Everybody else is just support.”
  • UR Doing it Wrong
    • When it comes to security, who is the customer here and who is support?
    • Where is the groundswell from the bottom looking for support?
  • Protip: Self-Regulation is the Shizzle!
    • Be careful what you ask for in regulation and laws, you just might get it.
    • PCI-DSS sucks, but would you rather have the Government telling you how to do it?
    • Committees suck, but at least the output is somewhat palatable.
    • Having a small voice sucks, but it’s better than no voice at all.
    • If you don’t participate, you become bound by other peoples’ rules.
  • Remember This One?
    • Regulatory Capture
  • The Road Ahead
    • Bridge the 2 worlds and heal the rift
    • Fix what you can at your level
    • Bring the smart people together
    • Build community standards that give you the support that you need
    • Tell the higher layers that you have the situation under control
    • ???
    • Profit!
  • Source: Wikimedia Commons Compliancy: it’s not so bad after all as long as you’re driving the oxcart!
    • Questions, Comments, or War Stories?
    • http://www.guerilla-ciso.com/
    • rybolov(a)ryzhe.ath.cx