
Sumo vs. Judo

This book cover caught my eye as I perused the technical books on Amazon last week. It is written by Cyrus Peikari and Anton Chuvakin and is published by O’Reilly. I am a big fan of O’Reilly books and have quite a shrine dedicated to the publisher in my office. I found the cover hilarious, as I have on many occasions used Sumo as an analogy for the current state of information security.

I will begin with a bit of background for those unfamiliar with Japan’s national sport. Sumo dates back to the Tumulus period from A.D. 250 to 552 as part of Shinto rituals. The modern Sumo rituals were first seen in the 17th century and are very similar to what you would see at a Sumo match today. Matches are steeped in Shinto symbolism, including intense purification rituals. The sand that covers the clay ring, called a “dohyo,” is a symbol of purity. The canopy above the dohyo is styled to look like a Shinto shrine. There are many more symbols including the tassels on the canopy, the purple bunting around the roof, even the referee’s robes. Arguably, the vast majority of what we call Sumo is actually Shinto ritual; very little of it is actually wrestling, or grappling.

Training is also very ritualistic. All wrestlers, called “rikishi,” are ranked in classes. During training the higher classes of wrestlers teach the lower classes through example, without documented sequences of movements, or “kata.” The lower classes learn through observation while waiting on and serving the higher classes. Sumo matches themselves are extremely short, violent grappling matches where a tremendous amount of energy is expended in an attempt to push one’s opponent out of the ring. That should be enough background on Sumo to explain why this cover was so funny to me.

Information security, as practiced by most of us, is just like Sumo in many ways. It is a highly ritualized affair that in the end provides little or no improvement to the security of an organization. I have yet to find a single paper or book that does a good job of describing how information security should be practiced or how it can be efficiently achieved. To be honest, we know how to do it because we have paid our dues and learned it on the job by watching what the “masters” before us did. And most tragically, when we get down to doing some serious information security work, we expend huge financial and human resources to defend against the bad guys. Unfortunately, this often has the unintentional outcome of irritating our colleagues and business partners, slowing down projects and not improving security much, if at all. In summary, the book cover made me laugh because it was unintentionally right on the money. We need to ‘know our enemy’—it is the ‘security warrior’ who uses Sumo to get the information security job done.

I can’t count the number of times I have heard myself or other information security practitioners complain about how hard it is to improve security. The customers don’t want it or understand it. Management does not want to pay for it, and when we actually install something to improve security, the users bypass it. Nonetheless, we continue to spend time and money on the same old security projects and initiatives, while the organizations we represent receive very little improvement to their security posture. Albert Einstein once said, “The definition of insanity is doing the same thing over and over again and expecting different results.”

I propose that there is a much better way to improve the overall security of our organizations, and unlike Sumo, it is efficient with a well-defined “kata,” or doctrine. To continue the martial arts theme and close the loop on the title of this little soapbox rant, effective and efficient information security is attainable with the application of Judo’s philosophy of maximum efficiency for mutual welfare and benefit.

Judo, more precisely the Kodokan, was founded in 1882 by the late Professor Kano as a derivative of Jujitsu. The mantra of Judo is to help your opponent into a position of instability, while keeping yourself in a position of maximum stability and maintaining maximum efficiency throughout the match.

Information security Judo relies on the consistent and thoughtful application of some simple principles and a well-defined path to follow. First and foremost is the principle that effective, long-lasting information security improvement is accomplished by using efficient communication and demonstration of mutual benefit. This is the antithesis of Sumo, in which might makes right. Second is that effective information security requires endurance. Lastly, observe, consider, plan and act with the end game in mind.

Information security Judo does not rely on word of mouth or on-the-job training to pass along how it is done. The following is a kata for effectively and efficiently securing any organization using information security Judo.

The Information Security Judo Kata

  1. Know your organization and align with it quickly.

It is silly to implement controls required in a government or financial setting at a university. Spend the time to understand the risk tolerance of your organization and build information security commensurate with that tolerance.

  2. Write a charter that states that everyone is responsible for protecting the organization and get senior management to bless and support it.

Don’t underestimate the power of a one-page charter that enumerates your team’s responsibilities and those of all staff. You will be surprised at how fast project managers and administrators get in step when they are ultimately responsible for the security breach caused by their choices.

  3. Relationships are the most important thing.

Information Security Sumo fosters bad relationships that will kill an information security group as slowly and surely as plutonium-210 kills Russian defectors, and it will guarantee poor cooperation during security events.

  4. Communicate clearly, concisely and often.

In science, an event did not happen if you did not write it down; in an organization, the same is true if you don’t tell people about it.

  5. Spend 70 percent of your staff and budget on awareness and training for all staff.

A custom training curriculum for administrators, general staff, managers and executives is cheap when compared to the benefit to the company. You can measure your effectiveness through social engineering tests like fake phishing scams and vulnerability testing.

  6. Train the organization’s IT staff in the ways of information security.

If you and your team are gatekeepers on how to do things securely, you will never have enough people to do a good job and you will always be perceived as roadblocks. On the other hand, if you train the organization, they will come to you demanding better security.

  7. Delegate information security responsibilities to IT.

A distributed governance model means that everyone involved owns a little bit of the responsibility for protecting your organization.

  8. Build an extended security team staffed with IT administrators and line managers.

Have them review information security policies, procedures and tasty issues that impact them.

  9. Maximize efficiency.

Focus on initiatives where the amount of effort is small compared to the overall benefit to the company.

  10. Work yourself and your team out of a job.

If you master this kata, your organization will become a true self-defending network. You can measure this by how well your general staff answer two simple questions: 1) what is a security threat, and 2) whom should they contact if they notice one?

Mastering information security Judo requires a willingness to put aside the conventional wisdom on how to defend an organization. Don’t take my word as gospel, though. Consider the kata and then take a look at your day-to-day activities. Are you really improving the overall information security posture of your organization, or are you living up to Einstein’s definition of insanity?

That kind of evaluation is how I came to understand the terminal flaw in the Sumo approach. I was up late one night raging about an ongoing battle that my information security team was fighting with an IT group, when I read a short article on incident response that struck a chord so pure that it shattered my preconceived notions about information security. The writer simply stated that an incident handler would fail if the people in IT distrust, dislike or despise them. I could not argue. In fact, it remained true when applied to every aspect of information security. It became clear to me that information security Sumo invariably led me into the path of an oncoming freight train or the middle of a minefield. Well, I could not just put the cat back into the bag, so I began looking for an alternative. The kata of information security Judo was not the product of profound inspiration; it has been assembled through trial and error with many false starts and much pain and anguish.

This article is not intended to be an exhaustive treatise on information security Judo, so I will spare you the lengthy list of comparative examples between Sumo and Judo. Instead, I will give you one example of how to address a common issue by following the kata of Information Security Judo.

How many times have you heard about, seen or been involved in a heated discussion between the information security team and customers in response to an outage caused by a vulnerability scan? Don’t be shy, raise your hand; you know it has happened to you. I bet it went something like this: the administrator is beyond angry after spending six hours troubleshooting the problem while their customers screamed bloody murder and escalated the issue like it had solid fuel rocket boosters attached. Then, in the end, they discovered the outage was caused by an unannounced network vulnerability scan. The match ends with the information security Sumo champion emitting a deafening “Kiai,” or shout:

“Consider yourself lucky that we found that serious vulnerability in your service! Imagine how bad it would have been if an evil hacker did what we did.”

Followed by the ever so popular:

“If your service had been patched and configured properly, it would not have crashed when we scanned it.”

Ending with the coup de grace:

“Now go away and don’t bother me until you have fixed your application so it does not crash when we scan it.”

I am not clairvoyant, nor a mind reader. I know this happens all the time because in chatting with friends, colleagues and associates in the industry, they too have heard, seen or participated in this crude drama. To be honest, I was once a true believer in the martial art of “Kiai” and its effectiveness in startling and demoralizing my opponents.

Information Security Judo Applied to Vulnerability Testing:

Step 1: Stop the scanning!

Step 2: Assemble an extended information security team

Step 3: Prove to the team that, though dangerous, there is value in knowing what is vulnerable

Step 4: Implement a vulnerability assessment tool that administrators can use on their systems

Step 5: Teach them how to use the tool effectively

Step 6: Collaborate with the team to write a policy on how to test, announce and conduct scans

Step 7: Have the team approve and sign the policy

Step 8: Have the team present, promote and gain approval for the policy with senior management

Step 9: Follow the policy

Though the Judo path does not eliminate the possibility of causing outages by scanning systems, it greatly reduces the negative impact to clients, administrators and management. It also gives the administrators some control over the security posture of their systems. This is information security Judo exemplified, and in my experience, it delivers tremendous success in the real world.