Thursday, December 21, 2017

Frameworks, Frameworks, Everywhere!!!...

- but not a component to spare???

It seems recently that everywhere I turn, at work, on the interwebs, and in research, I see the word FRAMEWORK sticking out in bold text with neon arrows.

Two examples of this that really stick out in my mind at the moment are that of:
1) at work, someone has asked for a framework-based checklist to use in verifying that ALL security controls have been included in contracts, implemented by vendors, and verified by assessments. (umm...would one checklist really provide a strong feeling of security through ALL of these processes???)
2) in some recent research I've been doing (taking all of my free time), I've read over 30 papers regarding the cyber security of part of the IoT world and they all mention...FRAMEWORKS. Except...and here's one aggravation, none of them really make any proposal to this end.

So these got me thinking, as cyber security peeps, are we asking the proper questions? I mean, are we asking ourselves the proper questions before we shout these questions and "solutions" to the world? Or are we, true to what seems to be the norm, making knee-jerk reactions and suggestions without thinking them through? Better yet, are we looking for any evidence that someone just may have already had the thought? I feel like smart-phone IDSs may fall into this bucket.

I've seen for a while now the presence of IDSs in the marketplace for my phone. Now, as someone who loves IDSs and has worked more than one day on more than one type, I wonder if anyone asked the simple question: "To what end?" Seriously, is the average user going to know what to do if their Android screen shows a popup stating "Possible Mirai Botnet Infection Detected"? Or will they just click "OK" and forget about it within five minutes? I don't know, but I don't think we can start counting on individual users to form some sort of Ad Hoc Security Operations Center.

I don't know if we need yet another Framework, or another Model, nor even another Paradigm. What I do know is that we need to apply common sense to the advice we are giving our management. We need to further flesh out our ideas, do the research, and play our own devil's advocate to our suggestions. And all of this should be done BEFORE we open our mouths to our management and customers.

In short, I think we continue to over-complicate our own lives and efforts. Instead, let's get back to some of the basics...
   - Defense in Depth
   - Examine RoI
   - Perform a realistic Risk Assessment
   - Compose a realistic Threat Model
   - Learn new things Every Day!!!
   - Have FUN!!!
