Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

BSOFH:  All’s fair in security and war.

Yeah, I know, it’s been a long time.  I spent several months doing the Security Conference circuit, eating for free at vendor-sponsored tables and peddling the same tired old PowerPoint over and over again, just shuffling the slides at random and renaming them after Top 40 songs.  But now I’m back in the saddle and returning the company to its previously gridlocked state.

Why, just the other day I was breaking in a new security intern.  He was all wide-eyed and earnest, with a copy of Shon Harris under his arm that looked like he had seriously made a laminated book cover for it.  He wanted to start off by aligning our corporate security policies with FISMA or some shit like that, but I told him to go pull some cable and I’d have a special mission for him later.

He had a cute pout.  “Can’t we at least do some risk analysis first?”

“Listen,” I said in an avuncular fashion, “we don’t do risk analysis here.  Risk analysis is for math weenies who are bored with getting off on economics statistics and they want a little strange, so they try to import the formulas into IT.”

“But ... but ... how do we prioritize?  How do we justify our budgets?”

“I’m glad you asked,” I replied.  I pulled a book covered in coffee and salsa stains out from the bottom of a stack on my desk and tossed it at him.

“Sun Tzu’s Art of War?” he asked, confused.  “Do we use this to defeat hackers?”

“Oh, no,” I said, “we use it to defeat our management.  Boy, there’s a war on, and nobody’s gonna tell you this, but you gotta keep the enemy on the defensive every minute of the day if you want to get your security work done.”

The look on his face was both priceless and timeless.  If you took a sad puppy and bent his head at a 45-degree angle to the left, that would be him.  I’d seen that look on every member of my team at one time or another.

“It’s simple,” I said.  “Humans are crap at risk analysis, and they have dozens of biases that you can exploit to your advantage.  For example, everyone who hears a personal anecdote about something bad happening thinks that risk is higher than a risk they’ve only read about.  So I make it a point to go at least twice a month to every management and project meeting and tell a story about someone I know who was hacked because he didn’t have—let me see ...”  I consulted my shopping list.  “He didn’t have a GRC threat management appliance with HIPAA-certified anomaly detection.”

The poor intern was looking less like a puppy and more like a little boy whose puppy had been shaved, drowned, and buried in a field of Gartner analysts.

“And management wants nothing more than to be told that they’re following ‘best practice.’  So I give them plenty of magazine articles that talk about what other companies are doing.  If that doesn’t work, the auditors will issue some findings to motivate them in the right direction.”

“How do you know what the auditors will find?”

I grinned and leaned back in my chair.  “Junior auditors aren’t as well paid as you might think.  A few tokens of esteem and a few words of guidance are all that’s needed.”

He sat down and put his head in his hands.

“It’s all right,” I consoled him, patting him on the shoulder of his starched button-down shirt.  “Here, I’ve got something that will make you feel better.  You can make a real difference, right here, right now.”

I handed him a tool and some instructions, and sent him with my badge off to the data center.  He was looking nervous but a little grin was forming on his lips.

After about forty-five minutes of reading xkcd, I picked up the phone and dialed a well-worn pattern on the keypad.

“Technical support center, may I help ... oh, god,” the voice on the other side said as it recognized my caller ID.

“Hey,” I said.  “You know those five database servers that have been flooding their consoles with error messages?  You know, the ones that you guys ignore because the SLA doesn’t assess performance penalties for slow throughput?  The ones that we’ve been bugging you to upgrade the hardware on?”

“... Yes ...?”

“Check your tickets.  I think you’ll find that they’ve all failed now and the status has been upgraded to P1.  Remember, that’s a four-hour turnaround time according to the SLA.  Have fun.”

I hung up the phone just as the Security Intern came back in, smelling faintly of ozone and with a huge beaming smile on his face.

“I think I’m really going to like it here,” he said, handing me back what he was carrying.

“Just wait until you get to try it on users,” I said, pocketing the Taser.  “Let’s go to lunch.”

NOTE:  I owe, as always, a debt of gratitude to Simon Travaglia for the inspiration.

Posted by shrdlu on Tuesday, June 30, 2009