How Spaghetti Sauce Can Improve a Security Audit – Part Two
Posted on Mon, Dec 21, 2009 @ 10:54 AM
Authored by Mosi Platt, Senior Audit Consultant, Pivot Point Security
At the TED2004 conference, Malcolm Gladwell explained how a psychophysicist named Howard Moskowitz, through his work on spaghetti sauce and coffee, showed us how people can be made happier. At the GovCERT Symposium in the Netherlands this year, David Rice applied Gladwell's story to information security in his plenary speech, "Extra Chunky CyberSecurity." I think both speeches hold three important lessons for information security auditors and their clients:
- 1) Clients can't explain what assurance they want;
- 2) There is no perfect security assurance - even if you call it "reasonable and appropriate"; and
- 3) Auditors fail their clients when they don't embrace variability.
Part One of this article described how information security auditors can provide more value to their clients by learning the first lesson from spaghetti sauce - clients can't explain what they want. Part Two will describe the second and third lessons.
There Is No Perfect Security Assurance
Gladwell said Howard discovered that taste does not exist in a hierarchy but on a horizontal plane. Rice said the same principle applies to security: there is no perfect security (e.g. best practice XYZ or standard ABC), there are only different kinds of security that suit different kinds of people. It may appear that auditors have already solved this problem because they always preach the phrase "reasonable and appropriate," but in this case auditors don't often practice what they preach. An organization's security is not perfect or imperfect simply because it is compliant or non-compliant with a security standard that may or may not align with the organization's own requirements. What is "reasonable and appropriate" in a binary game of compliant versus non-compliant? PCI DSS tried to address this with different validation requirements for different merchant levels, but that does nothing for the merchant concerned with its security rather than its compliance. We need to democratize the way we think about security assurance. Instead of being prescriptive, perhaps we need to be more descriptive and leave assurance in the eye of the beholder. OSSTMM and the Shared Assessment Program's Agreed-Upon Procedures are steps in that direction because they objectively describe the level of coverage provided by an organization's security controls and leave it to the party seeking assurance to decide whether the security provided is adequate, instead of relying on an auditor's opinion.
Auditors Fail Their Clients When They Don't Embrace Variability
Gladwell used coffee to illustrate that the pursuit of a Platonic notion (e.g. perfect spaghetti sauce or perfect security) is not only erroneous but does everyone a massive disservice by giving them something they will accept (i.e. a dark, rich, hearty roast) instead of something that will make them deliriously happy (i.e. milky, weak coffee). Rice said the most powerful revelations for security will come when we start giving people what they want (i.e. secure, reliable systems) and not just what we think they need (i.e. perfect compliance or protection from the latest vulnerability).
When auditors pursue this Platonic notion of security assurance based on compliance or non-compliance, they fail their clients the way Heartland Payment Systems' CEO feels his auditors failed him. Compare Brian Snow's definition of assurance with the Platonic notion of security assurance practiced today:
| Brian Snow's Definition of Security Assurance | Platonic Notion of Security Assurance |
|---|---|
| The system's security policy is internally consistent and reflects the requirements of the organization | The system's security policy is internally consistent and reflects the requirements mandated by externally-defined best practices |
| There are sufficient security functions to support the security policy | There are sufficient security functions to support the requirements of externally-defined security standards/best practices |
| The system functions meet a desired set of properties and only those properties | The system functions meet a set of properties and only those properties desired by an external entity |
| The functions are implemented correctly | The functions are implemented correctly according to externally-defined implementation guidelines (e.g. CIS Benchmarks) |
| The assurances hold up through the manufacturing, delivery, and life cycle of the system | The assurances hold up during the compliance reporting cycle |
Audit methodologies like OSSTMM and the Shared Assessment Program's Agreed-Upon Procedures give auditors the chance to embrace their clients' uniqueness and variability while providing the security assurance those clients actually want. Regardless of the methodology, if auditors remember who their clients are and take the time to identify what they want; democratize security assurance with more description than prescription; and favor truly reasonable and appropriate security assurance over compliance, then perhaps people will enjoy their security audits as much as some people enjoy extra chunky spaghetti sauce.