
Over the course of my career, it has become clear to me
that Japan's national sport offers a perfect analogy for
the current state of information security.
I will begin with a bit of background for those unfamiliar with
Sumo. It dates back to the Tumulus period from AD 250 to AD 552 as
part of Shinto rituals. Modern Sumo rituals were first seen in the
17th century and are very similar to what you would see at a sumo
match today.
Sumo matches are steeped in Shinto symbolism, including intense
purification rituals. The sand that covers the clay ring, the
"dohyo", is a symbol of purity. The canopy above the dohyo is
styled to look like a Shinto shrine. Other symbols include the
tassels on the canopy, the purple bunting around the roof, even the
referee's robes. A lot of what we call sumo is actually Shinto
ritual; very little of it is concerned with wrestling or grappling.
Training is also very ritualistic. All wrestlers, called
"rikishi", are ranked in classes. During training, the higher
classes teach the lower through example, without a documented
sequence of movements, or "kata". The lower classes learn through
observation while waiting on and serving the higher classes. Sumo
matches are extremely short and violent grappling bouts where a
tremendous amount of energy is expended in an attempt to push one's
opponent out of the ring.
Information security, as practiced by most of us, is like sumo
in many ways.
It is a highly ritualised affair that ultimately provides little
or no improvement to the security of an organisation.
I have yet to find a single paper or book that does a good job
of describing how information security should be practiced or how
it can be efficiently achieved. We know how to do infosecurity
because we have paid our dues and learned it on the job by watching
what the "masters" before us did.
And most tragically, when we get down to doing some serious
information security work, we expend huge financial and human
resources to defend against the bad guys. Unfortunately, this often
has the unintentional outcome of irritating our colleagues and
business partners, slowing down projects and not improving security
much, if at all.
I cannot count the number of times I have heard myself or other
information security practitioners complain about how hard it is to
improve security. The customers do not want it or understand it.
Management does not want to pay for it, and when we actually
install something to improve security, the users bypass it.
Nonetheless, we continue to spend time and money on the same old
security projects and initiatives, while the organisations we
represent receive very little improvement to their security
posture. Albert Einstein once said, "The definition of insanity is
doing the same thing over and over again and expecting different
results."
I propose that there is a much better way to improve the overall
security of our organisations, and unlike Sumo, it is efficient
with a well-defined "kata" or doctrine. To continue the martial
arts theme, effective and efficient information security is
attainable with the application of Judo's philosophy of maximum
efficiency for mutual welfare and benefit.
Judo, more precisely the Kodokan, was founded in 1882 by the late
Kano as a derivative of Jujitsu. The mantra of Judo is to help your
opponent
into a position of instability while keeping yourself in a position
of maximum stability and maintaining maximum efficiency throughout
the match.
Information security Judo relies on the consistent and
thoughtful application of some simple principles and a well-defined
path to follow. First and foremost is the principle that effective,
long-lasting information security improvement is accomplished by
using efficient communication and demonstration of mutual benefit.
This is the antithesis of Sumo, in which might makes right. Second
is that effective information security requires endurance. Lastly,
observe, consider, plan and act with the endgame in mind.
Information security Judo does not rely on word of mouth or
on-the-job training to pass along how it is done. The following is
a "kata" for effectively and efficiently securing any organisation
using information security Judo.
The information security Judo kata
1. Know your organisation and align with it quickly
It is unwise to implement controls required in a government or
financial setting at a university. Spend the time to understand the
risk tolerance of your organisation and build information security
commensurate with that tolerance.
2. Write a charter that states that everyone is responsible for
protecting the organisation and get senior management to bless and
support it
Do not underestimate the power of a one-page charter that
enumerates your team's responsibilities and those of all staff. You
will be surprised at how fast project managers and administrators
get in step when they are ultimately responsible for the security
breach caused by their choices.
3. Relationships are the most important thing
Information security Sumo fosters bad relationships that will
kill an information security group, and it will guarantee poor
co-operation during security events.
4. Communicate clearly, concisely and often
In science, an event did not happen if you did not write it
down. In an organisation, the same is true if you do not tell
people about it.
5. Spend 70% of your staff and budget on awareness and training
for all staff
A custom training curriculum for administrators, general staff,
managers and executives is cheap when compared with the benefit to
the company. You can measure your effectiveness through social
engineering tests such as fake phishing scams and vulnerability
testing.
6. Train the organisation's IT staff in the ways of information
security
If you and your team are gatekeepers on how to do things
securely, you will never have enough people to do a good job and
you will always be perceived as roadblocks. On the other hand, if
you train the organisation, they will come to you demanding better
security.
7. Delegate information security responsibilities to IT
A distributed governance model means that everyone involved owns
a little bit of the responsibility for protecting your
organisation.
8. Build an extended security team staffed with IT
administrators and line managers
Have them review information security policies, procedures and
contentious issues that impact them.
9. Maximize efficiency
Focus on initiatives where the amount of effort is small
compared to the overall benefit to the company.
10. Work yourself and your team out of a job
If you master this kata, your organisation will become a true
self-defending network. You can gauge this by measuring how well
your general staff answer two simple questions: what is a security
threat, and who should they contact if they notice one?
Mastering information security Judo requires a willingness to
put aside the conventional wisdom on how to defend an organisation.
Do not take my word as gospel, though. Consider the kata and then
take a look at your day-to-day activities. Are you really improving
the overall information security posture of your organisation, or
are you living up to Einstein's definition of insanity?
That kind of evaluation is how I came to understand the terminal
flaw in the Sumo approach. I was up late one night raging about an
ongoing battle that my information security team was fighting with
an IT group when I read a short article on incident response that
struck a chord so pure that it shattered my preconceived ideas
about information security. The writer simply stated that an
incident handler would fail if the people in IT distrust, dislike
or despise them. I could not argue. In fact, it remained true when
applied to every aspect of information security. It became clear to
me that information security Sumo invariably led me into the path
of an oncoming freight train or the middle of a minefield. Well, I
could not just put the cat back into the bag, so I began looking
for an alternative. The kata of information security Judo was not
the product of profound inspiration; it has been assembled through
trial and error, with many false starts and much pain and
anguish.
This article is not intended to be an exhaustive treatise on
information security Judo, so I will spare you the lengthy list of
comparative examples between Sumo and Judo. Instead, I will give
you one example of how to address a common issue by following the
kata of information security Judo.
How many times have you heard about, seen or been involved in a
heated discussion between the information security team and
customers in response to an outage caused by a vulnerability scan?
I bet it went something like this: the administrator is beyond
angry after spending six hours troubleshooting the problem while
the customers screamed bloody murder and escalated the issue. Then,
in the end, they discovered that the outage was caused by an
unannounced network vulnerability scan. The match ends with the
information security Sumo champion emitting a deafening shout:
"Consider yourself lucky that we found that serious
vulnerability in your service. Imagine how bad it would have been
if an evil hacker did what we did."
Followed by:
"If your service had been patched and configured properly, it
would not have crashed when we scanned it."
Ending with the coup de grace:
"Now go away and do not bother me until you have fixed your
application so it does not crash when we scan it."
I know this happens all the time because in chatting with
friends, colleagues and associates in the industry, they too have
heard, seen or participated in this drama. To be honest, I was once
a true believer in the martial art of "Kiai" and its effectiveness
in startling and demoralising my opponents.
Information security Judo applied to vulnerability testing:
Step 1: Stop the scanning
Step 2: Assemble an extended information security team
Step 3: Prove to the team that, though dangerous, there is value
in knowing what is vulnerable
Step 4: Implement a vulnerability assessment tool that
administrators can use on their systems
Step 5: Teach them how to use the tool effectively
Step 6: Collaborate with the team to write a policy on how to
test, announce and conduct scans
Step 7: Have the team approve and sign the policy
Step 8: Have the team present, promote and gain approval for the
policy with senior management
Step 9: Follow the policy
Though the Judo path does not eliminate the possibility of
causing outages by scanning systems, it greatly reduces the
negative impact on clients, administrators and management. It also
gives the administrators some control over the security posture of
their systems. This is information security Judo exemplified, and
in my experience, it delivers tremendous success in the real
world.
Special thanks to Todd Barnum for helping me find the path
that led to information security Judo.
Ron Dilley leads an information security team at a Fortune
500 company