I’m going to play devil’s advocate again as I ponder a point. Roll with me here. I’m slightly conflicted.
Jeff Hayes blogged about an interesting encounter in a sports bar he had with the head of physical security for an international accounting firm. It turns out that as part of a casusal conversation, this person disclosed some very interesting facts about his company’s security:
It turns out this guy handles physical security for a major
international accounting firm. He travels around North America doing
premises and access control assessments and deployments. He described
to me, without me asking specific questions, the technology they use,
the problems they deal with including the push-back they get from each
office complaining about burdensome security, their budgets, his
working environment, how he moved up the company ladder and his
qualifications or lack thereof, and a number of other tidbits that
would prove valuable to anyone doing surveillance.
It would appear that this guy had one too many and the apparent level of detail disclosed seems excessive. Jeff’s point about confidence and accelerated reconnaissance for targeted profiling seem to be quite relevant in this scenario. This person was being reckless and was potentially endangering his company.
However, let’s look at this a little differently to illustrate a counterpoint.
This encounter sounds like what many of us read and talk about under the guise of non-attribution at many of the security forums and "professional" security gatherings we attend and participate in with our "peers." You know the ones where we all sit around, hoping that the badges actually represent the fact that the organizers have appropriately vetted and authenticated that the person wearing it is who they say they are…
Moreover, it sounds a lot like the conversations at the bar after said forum roundtables. We share our collective experiences in order to gain insight and intelligence so we can improve our security posture, accelerate our intelligence on short-listing vendors and not make mistakes by learning from others.
How about those Visio diagrams you show on the whiteboard to VARs when they send their SE’s in for work and pitches?
It gets even more interesting when you have CISO’s/CSO’s (like I do) talk to the press and do case studies describing technologies and solutions deployed. Some CISO’s don’t mind doing so after making a tactical risk-based decision that what they reveal does not expose the company adversely. Others simply don’t talk at all about what they do.
I understand there exists the potential that by disclosing that you use
vendor ABC or technology XYZ that someone could exploit that knowledge
for malignant purposes. I suppose this is where the fuzzy area (I’m sorry Mr. Hutton!) of
thin-slicing and quickly assessing risk comes into play. What is the likelihood that this
information when combined with a vulnerability (in policy, architecture, deployment) in the presence of a
threat might become a risk to my company?
I use Check Point NGX R65. I run it on a Crossbeam X-Series. It filters a bunch of packets. I use Cisco routers. Is that information you couldn’t have found out with a network scan, fingerprinting and enumeration? Have I made your job of attacking me orders of magnitude easier?
Ah, the slippery slope is claiming me as a victim…
Have you seen the Military Channel? I watched several fantastic Navy/Marine-sponsored documentaries on Carriers, NextGen APC’s, new weapons systems…all of which are deployed. Is Al Qaeda now in a more advantageous position because they know how the de-desalinization plant on a fast frigate functions?
Everyone in a company is both a sales and marketing rep as well as a
potential security breach waiting to happen. Most businesses like
people to present their company in a good light. We want people to know
that we work for a good employer. What we don’t want people to do is to
tell others how crappy our employer is. Likewise, we probably don’t
want our security personnel describing the details of our security
systems, policies and procedures.
So Jeff’s right, but I guess that depends upon the level of "details" he’s referring to? Is Jeff’s point still valid when we’re talking about a breakfast conversation at an Infragard meeting? How about the forums over at SecurityCatalyst.com? There’s that level of trust and judgment factor again. How about an ISAC gathering? Aren’t we all supposed to share knowledge so we can help one another?
Where do we draw the line as to who gets to say what and to whom? Those policies either have to get really fuzzy or very, very black and white…which goes to Jeff’s point:
Loose lips have been known to sink ships; they can also hurt organizations.
Yes they have. They’ve also been known, when appropriately pliable with a modicum of restraint, to float the boat of someone whose time, energy and budget you’ve been able to save by sharing relevant experience. Let’s be careful not to throw the baby out with the bilge water.
So, how do you establish "trust" and assess risk before you talk about your experience with technology you’ve deployed or are thinking about deploying? What about policies and procedures? How about lessons learned?
Obviously anybody who answers is not a true "security guy" 😉
/Hoff
Recent Comments