The PPS "Techno-Blog"

How Spaghetti Sauce Can Improve a Security Audit – Part One

Authored by Mosi Platt, Senior Audit Consultant, Pivot Point Security 

At the TED2004 conference, Malcolm Gladwell explained how a psychophysicist named Howard Moskowitz showed us how we can be happier with his work on spaghetti sauce and coffee.  At the GovCERT Symposium in the Netherlands this year, David Rice applied Gladwell's story to information security in his plenary speech, "Extra Chunky CyberSecurity."  I think both speeches hold three important lessons for information security auditors and their clients:

  • 1) Clients can't explain what assurance they want;
  • 2) There is no perfect security assurance - even if you call it "reasonable and appropriate"; and
  • 3) Auditors fail their clients when they don't embrace variability.

Clients Can't Explain What Assurance They Want

Gladwell explained that when Howard was researching spaghetti sauce he discovered that 1 out of 3 people preferred extra chunky spaghetti sauce.  However, it was not being sold in any supermarket because in 20-30 years of asking focus groups what they wanted, no one ever said they wanted extra chunky spaghetti sauce.  Rice said the same phenomenon happens in the information security industry because the professionals don't know who their clients are and they need to ask better questions.

The same thing happens with an information security audit.  For example, is the PCI auditor providing assurance to the payment card brands that issued the security standard or the merchant that hired them to assess the security of their credit card data?  The CEO of Heartland Payment Systems thought the auditors they hired were providing the latter when they were actually providing the former.  It wasn't until after a massive data breach that the CEO explained what assurance they really wanted.  As auditors, we need to ask better questions to resolve these types of issues BEFORE a client's security is compromised.  Typically, if a client says, "I want to know how secure this environment is," then the auditor asks, "What security best practices are in place for the environment?"  But not every client needs assurance they're compliant with a checklist of best practices to have confidence in their security.  Perhaps Heartland Payment Systems needed assurance about their operational security and not their operational security compliance.

There is a simple way to determine whether an auditor is asking the right questions about security assurance.  According to Brian Snow, the Technical Director of Information Assurance at the NSA, the purpose of security assurance is to build confidence in system security by demonstrating that:

  • 1) The system's security policy is internally consistent and reflects the requirements of the organization,
  • 2) There are sufficient security functions to support the security policy,
  • 3) The system functions meet a desired set of properties and only those properties,
  • 4) The functions are implemented correctly, and
  • 5) The assurances hold up through the manufacturing, delivery, and life cycle of the system.

If the auditor isn't discussing the following topics with their client, then they need to ask better questions:

  • 1) The organization's business requirements (not just compliance requirements) and criteria for evaluating the security policy's consistency.
  • 2) How to determine the sufficiency of security functions that support the security policy. Will the auditor just use some set of best practices that may or may not be appropriate for the client's organization?
  • 3) How to identify the desired set of properties that system functions should be meeting. Will a generic set of security standards be used that may not be appropriate for the specific system(s)?
  • 4) Criteria for evaluating the implementation of functions. Again, will the auditor just use some generic set of best practices that may not be appropriate for the specific implementation?

Part Two will explain two other key lessons information security auditors can learn from spaghetti sauce:

  • 2) There is no perfect security assurance - even if you call it "reasonable and appropriate"; and
  • 3) Auditors fail their clients when they don't embrace variability.
