Rearranging Deckchairs on the Titanic

I heard this term for the first time the other day, and while I think there are several analogies from the Titanic that can be drawn upon for describing concepts in information security, perhaps few are as apt as this. It implies, of course, the futility of rushing around making minor adjustments in the face of impending disaster. Counteracting this requires you to have a broad picture of the security issues in your area of responsibility so you can focus on avoiding the iceberg toward which you are currrently heading at full steam. It means focussing on the highest risk issues first and letting the minutiae go for another day.  If you are a network operations guy this means doing away with unencrypted protocols for administration before changing the enable secret on the router, if you are a developer it means fixing the SQL Injection vulnerability on the login form of your app before fixing the difficult to exploit XSS bug on a page only accessible post authentication.

The US State Department has a very effective model for this which they use for vulnerability management in their unclassified network, it is described in some detail here. There are three main components to this system, continuous monitoring, a weighted scoring system and continuous feedback to both those responsible for making changes and those reponsible for overseeing the security of the organisation.  Interestingly it lists as one of it's objectives 'inspiring competition' which I think could be a very useful way of incentivising security initiatives, but that's a topic for another post. The key component as it relates to this post is the continuous nature of the feedback, administrators are sent one task (the highest priority for the systems which they are responsible for) to remediate on a daily basis. The scoring system operates at a operates at a host, site and enterprise level, allowing the feedback to occur at all levels safely guiding the ship around the icebergs.

While the scheme described above does its best to objectify the security changes to be made, situations will vary and what is critical in one context will be less so in another, the important thing is that you do the assessment and make the changes in a sensible order. Sometimes business pressures or regulatory compliance will mean that these priorities will be changed but at least the trade off is understood. If you are placed in a position where you need to meet a compliance requirement perhaps use it as an opportunity to make material gains in your security posture i.e. comply with spirit of the law and the letter.

0 Response to "Rearranging Deckchairs on the Titanic"

Post a Comment

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme