Thursday, May 31, 2007

Shell Game

I wanted to share an observation I had this week with regard to information security "compliance": one of the significant downfalls of being "compliant" is that I see a tendency to turn security into a big shell game. After all, if something does not exist, how can it "NOT" be compliant? It's not there, right? The problem is that it is there and has simply been "pencil whipped" away into oblivion. The issue is still real enough, and your adversaries couldn't care less about the 30-page white paper showing how great you are.

What I would really like to see happen is for an agency (I don't know which, but someone who has the balls and political ammo in the government, basically someone who isn't afraid of living in a small remote cabin in Alaska for the rest of his/her natural life) to kick off a covert logical and physical test of government systems. This test would be completely independent of FISMA and the NIST SP 800-53 controls that are used as the basis for evaluation and, more importantly to leaders in government, for "GRADES".

Having a real test that replicates a concerted, brutal attack, like Solar Sunrise (although I am not privy to the details), would be the reckoning that we have long been overdue for. I have seen "safe scans" performed on systems too many times, to the point that the scan itself is worthless. We need to step things up and be more like our adversaries, because I would rather be the one breaking something than have a well-funded and trained unit of state-sponsored attackers bent on doing harm do it, and thus lose all control.

By the way, if anyone out there has such a unit, please feel free to drop by my house. I'd love to sign up and help. Overall I just want to see the shell game end, and to see us start to transform away from this dogma of "patch n report" and "check the box" and, most importantly, start to "be the hunters not the prey". I'm just afraid that the stakes have grown too high for us to sit back and wait for someone to start beating doors down.

2 comments:

rybolov said...

I think the phrase you want here is "zero defects", à la soldiers sleeping in their car because their room has to be "inspection ready" at all times.

halon73 said...

But is that attainable?