Working backwards to security or “minimum effective dose”

For a few years now I’ve been a proponent of outcome-driven actions — which is fancy management speak for “doing only those things that support clearly useful goals”.

This is often evident during an emergency incident response (e.g. ransomware, a big data breach), where a lot of changes and bodily motions are performed that give little to no benefit once the goals — the desired outcomes — are considered.

The challenge with the useful-outcome approach is prioritization. An incident (or a serious security assessment or control stress test) often reveals a raft of weaknesses and vulnerabilities, some larger, some smaller. Smaller ones may be easier to address but are not that important (this concept was taught to me by one-time boss James Fox as The Action Priority Matrix); larger ones are valuable.

Telling teams “don’t fix that” or “don’t do anything for now, please” makes teams grumpy, so there is a strong psychological pressure to let idle teams do something — an example of the Politician’s Syllogism: “Something must be done, this is something, therefore it must be done”. But telling them otherwise means squandering resources.

As more people float into infosec/cyber, and the scene rewards tools and guides with attention and retweets, it becomes harder to write something useful, and therefore writing at least something feels like “doing cyber”.

I recall one person writing a beautiful tool — ANSI colours and all — which audited SSHd configuration and highlighted in orange the ciphers deemed to be “not strong”. I can’t recall anyone ever cracking an SSH stream in a real-world hack.

So fixing those low-value bugs is just stupid, and it requires intellectual fortitude to ignore the unimportant.

As security programs get underway, a lot of pet projects surface. One example is removing self-signed certificates from the enterprise LAN. People may even buy tools that help manage that — discovery, etc. (Gartner even has a guide out). So those TLS certs now get replaced with expiring signed certs. And what happens when you fail to renew a cert? Auth failure, and production grinds to a halt because some DB link is no longer up, as happened with Ericsson in 2018.

I’m not saying we don’t need encryption or that certificates don’t need to be managed, but we do need to balance it against the cost of maintaining all this “crapastructure”. At a bank I knew of, there was a 6-person team that managed cryptographic keys. That’s about a million United States Treasury issued American dollars a year.

Which is why a robust risk assessment is important, but it is hard to do if we only talk in vague terms.

I recently learned that in Instructional Design there is an entire methodology called “backwards design”, where you define learner outcomes and work backwards on how to get there. It is similar to “minimum effective dose” in bodybuilding. These seem very similar in concept — define the outcome, get there quickly, don’t waste resources.

And that leads me back to my original point — doing only things that materially improve security. It’s up to you to define what is material — there are people out there whose risk model includes submarines and nation-state intelligence managed “moles”.

I bet it’s not your Joe Corporate or even Jane Finance.

-ENDS-

x-post from: https://medium.com/@truekonrads/working-backwards-to-security-or-minimum-effective-dose-78c31417494b

Agree completely, and I see this a lot in the security area, and the vendors are not helping either, unfortunately. I like what somebody said: not to approve any funding for things other than doing the top 5 items of the CIS 20 controls.

Simon Devlin

This is exactly the problem with slavishly following “best practices”. It’s not that they’re wrong, but by necessity they have to be all things to all people. From M or Q to Alice and Bob in Finance. I once quite obviously torpedoed a role interview at a major bank when I suggested they could probably get a far better security outcome for their $ than spending a ton on data centre NAC. NAC was on the SANS 20, so what did I know. The fact that there were locked cabs with key sign-out, CCTV, mantraps etc. counted for nothing.
