In a composable internet blocking doesn't work

The internet is composable. As part of its foundational architecture, one can combine components and functionality in different ways to achieve technical outcomes (definition). It’s a hugely valuable capability and has benefited the world greatly, but it also poses a challenge for the common security model of blocking.

Heuristics and information asymmetry

How fast should you fix a security flaw? The intuition is as fast as possible. We don’t know when the vulnerability will be exploited and it may never be exploited. We set heuristic rules for how fast vulnerabilities of certain severities should be fixed; are those rules right?

Risk taking comes from information gaps

Several years ago Cisco announced a critical vulnerability in their firewall platform. It allowed an attacker to gain remote access to the firewall and the network beyond. I directed those affected that I worked with to shut down their firewalls, which meant no internet and no site-to-site VPNs. Business was impacted for several days.

A few years ago I came across a report that detailed the exploitation and use of that same vulnerability by a sophisticated threat actor. I felt vindicated! I had made the right call. I had done the right thing at the time… but… had I? Or was I lucky?

Start your MTTR timelines earlier

I like MTTR; it’s versatile, forward-looking and easy to understand. It’s a great measurement and changer of behaviour. It applies to several security problems and I propose we can make it more powerful.

The most useful metric

Over my career I’ve designed a lot of metrics; some colleagues have occasionally suggested I’ve designed too many. Over the past few years I’ve started thinking that less is more, so if I had to choose one single metric to assess the security performance of an organization, it’s Mean Time To Remediate (MTTR).

Trust Doesn't Scale

Several years ago I was working as a security consultant with a natural resources company. One of my tasks was to rewrite the information security policies for the company. In there I found this gem of a policy statement that specifically forbade downloading MP3s.

Complexity Firewall

I periodically get asked “are we secure?” or “is this system secure?”. That’s not an unusual question for a CISO, or any cyber security professional in a leadership role, to be asked. How can we answer that question? Can we answer that question in a genuine and complete manner? What if we’re wrong? What if our answer turns out to be wrong later?

Process and Not Tools Will Secure the Digital Supply Chain

As we return to work after the holiday season, I’m expecting my inbox to receive a flood of email from vendors touting that they can stop supply chain compromises such as the SolarWinds hacks. I think anything outside of access management tools is likely a stretch. Detecting compromised code without prior knowledge of the compromise is likely not possible, but there are other approaches that could work.

Assume the enemy knows the system

One of my favourite memories from my consulting days is a developer who decided to modify the DES encryption algorithm because “it was too well known”.

Time(x) Servers

Many years ago a system administrator came to ask me to support their business case to deploy a new time server so that all the systems on the network would have synchronized time.