Crayons and Firewalls - How to Plan Your Security and Meet Your Compliance
As infosec security professionals, we tend to talk about a few things:
- Attacking Stuff
- Complaints about compliance
- Complaints about how vulnerable stuff is and how no-one wants to fix it
- Complaints about complaining
I’m going to go a different direction with this blog. I’m going to suggest a general approach to securing an Information System (IS) that can also help you meet your compliance responsibilities.
In fact, I’m hoping that if you follow this approach, you’ll actually start to appreciate some of your compliance requirements.
All it's going to take are three steps:
- Map Your IS
- Document Your Threats and Targets
- Place Your Security Controls
1. Mapping Your IS
Now draw your IS, and start big! If you have a big system that has multiple enclaves, start by drawing each enclave as a cloud and drawing where they are interconnected.
You can then iterate into each enclave. Hopefully you can make it down to the host level in each enclave. However, if it's too big for that, don't worry about it. We'll handle it in the next step. No matter what, make sure to capture all inter-enclave and external connections.
2. Document Your Threats and Targets
Now that you have a map of the battlefield, (because, for your purpose, that's what your IS is), it's time to place the bad guys (threats) and things you want to defend (targets). Your targets should be the equipment required for your business to accomplish it's mission.
Take those colored pencils and draw the targets right onto the map. You may have multiple targets. You may even need to prioritize your targets as well based on how important they are to your business's mission.
Now draw your threats onto the map. That includes both your insider threats as well as your external threats. If you're not sure who or what your threats are, Google who's attacking people like you. Figure out who wants what you have or to stop your business.
Be judicious as you plot threats and targets. You can't protect everything from everything. As a security professional you should already have a feeling for what your real threats and real critical targets are. Draw the line and don't plot the threats/targets that are not value added to defend against.
3. Place Your Security Controls
Now, like a general commanding his army, draw your defenses on the map. These should fall into three overarching categories:
- Defenses - Things that inhibit attackers (firewalls, IPS, etc)
- Sensors - Things that detect attackers (includes some of your defenses)
- Response - Things that allow you to respond to attack (backup circuits, re-initializing VMs, blackhole'ing traffic, etc)
As you place your defenses, keep in mind you are trying to have your DEFENSES delay a THREAT from reaching your TARGETS until your SENSORS detect the attack and your computer event response team RESPONDS to the attack.
Now re-read the above sentence. It is fundamental to information security (as well as most physical security).
At it's heart, this is an operational question because what you choose is based significantly on how you plan on responding. This is also an excellent opportunity to capture the policies required to execute your incident handling. (It is no use to identify a firewall as a response tool if you lack the policies to change firewall rules in near-real time.)
If you feel a bit lost with what tools you have in your (defenses, sensors, response) toolbox, you're in luck! The good news is the toolbox is already sitting on your hard drive. The bad news is, it's your compliance controls. NO NO NO. WAIT! DON'T LEAVE! You're used to building compliance and eeking out some security. I want you to build security, and, if it makes sense, use compliance to do so.
Consider password requirements. They can be an effective defense and sensor on your user interfaces. They very likely also meet some of your compliance requirements.
I've found that when using this method the defenses, sensors, and responses I picked were almost always one of my required controls.
Now, that said, there will be a set of compliance requirements that simply don't buy you any security. That's ok. Not every system is the same. Simply implement those controls to pass your compliance testing. Your auditors will appreciate that your system is both secure AND compliant and that the two even overlap!
Is this perfect? I hope not. Instead, please use this, find ways it can be improved, and share them with the security world. Hopefully we'll be able to add:
5. Plan Network Defense
to the list of things infosec security professionals regularly talk about.