Tuesday, February 26, 2013

Why SudoSec? -or Make Me a (Secure) Sandwich

So a few years ago, I'm sitting at my desk and the mail cart rolls by and a box gets dropped off at my desk.  Strange.  I hadn't ordered anything and wasn't expecting anything in the mail.  It's about an 8"x8"x8" cardboard box and I didn't recognize the address on the label, from somewhere in California.  Ok, let's tear this puppy open and see what it is.  And I pull out a black T-shirt and on the front in white silk screen is the XKCD Sandwich comic.

Ok, that's cool.  But where the heck did this come from?  A few hours later that same day, I'm on the phone with one of my favorite customer support reps at Rapid7, and he says, "So how do you like the shirt? You're a Linux guy, right?"  Now that's funny.  I'm really not 'a Linux guy'.  I can eventually find my way around when I have to, but certainly not an expert.  I still wear the shirt around the house, and I think my lovely wife hates it.  She is not a techie, and she doesn't get the joke. Anyway, where's my sandwich?

The sad part of this picture is that most InfoSec people carry this same stigma portrayed in the comic about being some overbearing, demanding, I've-got-an-InfoSec-pwn-your-system trump card up my sleeve sort of jerk.  I get it, I can be the same way.  It is easy to rant and rave about how badly everyone is doing their job and how well I'm doing my job of ranting and raving.

When it comes to InfoSec, there is no silver bullet.  Wouldn't it be nice (in terms of security for the general population) to simply say:

user@terminal$ sudo implement-security --now
[sudo] password for user: ********

And then be done with it?  Sure, all the folks in InfoSec would have to find another line of work, but think about all that extra time you would have to fill since you aren't responding to incidents (and nothing to rant and rave about in the echo chamber).

So the real key to success, and part of the reason for picking the SudoSec handle, is this...

1. Principle of Least Privilege 
The reason for having the sudo command in the first place is because you aren't root.  Sure you can (ab)use the sudo command and do anything you want and act as if you were root, but you aren't.  Before ranting and raving, perhaps it is worth checking whether you personally have the correct access/permissions/rights to rant and rave?  The sudo command lets a non-root user run only the specific commands an administrator has granted, which is least privilege in practice.  The 'Principle of Least Privilege' should apply to our roles in life and not just our interactions with the keyboard and screens on our desks.  Then when an important issue/need arises, think of the sudo command as having the ability to take initiative and to address the problem, but also asking permission to respond with the commands needed to actually implement a solution.

user@terminal$ sudo cat i.told.you.so | cut -d arrogance > helpful.solution
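As an added illustration of that "restrict access down to least privilege" point (not from the original post), here are two sudoers fragments: the over-broad grant that many shops start with, beside a narrowed one. The user name, host names and command paths are assumptions made up for the example.

```sudoers
# Over-broad: alice can run any command as any user on any host.
# That is functionally root with an extra password prompt.
# (alice, www1, www2 and the paths are constructed for this example)
alice ALL=(ALL:ALL) ALL

# Least privilege: alice may restart one service and read its log,
# as root, on the web hosts only, and nothing else.
# Paths are absolute so a PATH lookup cannot substitute another binary.
Host_Alias  WEB    = www1, www2
Cmnd_Alias  WEBOPS = /usr/bin/systemctl restart nginx, \
                     /usr/bin/journalctl -u nginx
alice WEB=(root) WEBOPS
```

Check the file with `visudo -c` after editing, and confirm what a user has actually been granted with `sudo -l -U alice` (run as root); a grant that still lists `(ALL : ALL) ALL` has not been narrowed at all.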

2. Defense in Depth
I know so many people in Information Technology jobs that are completely stuck (or in their eyes, content) in their one little corner of the universe.  Be it a typical systems administrator or applications developer or network engineer or help desk specialist; these people are usually very good at what they do.  Some of them I consider to be experts because of the depth of knowledge they have on the inner workings of their particular [insert system/application].  But many of them are clueless about how their system/application/role interacts with other systems/users/employees/customers.  Isolated silos of knowledge, no matter how deep each pool of knowledge is, do not add up to depth of knowledge for the organization.  In the same way that proper defense in depth for security requires layered controls, having an understanding of the dependencies among systems, the data flow of those systems, and the process flow of who interacts with that data are the layers of understanding that truly differentiate the average admin type from the superstars that I want on my team when a real incident arises.

user@terminal$ sudo chmod u+superstar *
