Friday, December 4, 2009

Let a Hundred Flowers Blossom

I know some of us work in large, diverse organizations. The larger or more complex the organization, the more difficult it is to impose homogeneous security countermeasures. The larger the population to be "secure," the more likely exceptions will bloom. Any standard tends to degrade to the lowest common denominator. There are some exceptions, such as FDCC, but I do not know how widespread that standard really is inside the government.

Beyond the difficulty of applying a uniform, worthwhile standard, we run into the heterogeneity vs monoculture debate from 2005. I tend to side with the heterogeneity point of view, because heterogeneity tends to increase the cost borne by an intruder. In other words, it's cheaper to develop exploitation methods against a target who 1) has generally similar, if not identical, systems and 2) publishes that standard so the intruder can test attacks prior to "game day."

At the end of the day, the focus on homogeneous standards is a reflection of the struggle between two schools of thought: Control-Compliant vs Field-Assessed Security. The control-compliant group believes that developing the "best standard," and then applying that standard everywhere, is the most important aspect of security. The field-assessed group (where I devote my effort) believes the result is more important than how you get there.

I am not opposed to developing standards, but I do think that the control-compliant school of thought is only half the battle -- and that controls take far more time and effort than they are worth. If the standard withers in the face of battle, i.e., once field-assessed it is found to be lacking, then the standard is a failure. Compliance with a failed standard is worthless at that point.

However, I'd like to propose a variation of my usual argument. What if you abandon homogeneous standards completely? What if you make the focus of the organization field-assessed instead of control-compliant, by conducting assessments of systems? In other words, let a hundred flowers blossom.

(If you don't appreciate the irony, do a little research and remember the sorts of threats that occupy much of the time of some of this blog's readers!)

So what do I mean? Rather than making compliance with controls the focus of security activity, make assessment of the results the priority. Conduct blue and red team assessments of information assets to determine whether they meet various resistance and (maybe) "survivability" metrics. In other words, we won't care how you manage to keep an intruder from exploiting your system, as long as it takes longer for a blue or red assessor with time X and skill level Y and initial access level Z (or something to that effect).

In such a world, there's plenty of room for the person who wants to run Plan 9 without anti-virus, the person who runs FreeBSD with no graphical display or Web browser, the person who runs another "nonstandard" platform or system -- as long as their system defies the field assessment conducted by the blue and red teams. (Please note the two "standards" I would apply to every asset are that they 1) do no harm to other assets and 2) do not break any laws by running illegal or unauthorized software.)

If a "hundred flowers" is too radical, maybe consider 10. Too hard to manage all that? Guess what -- you are probably managing it already. So-called "unmanaged" assets are everywhere. You probably already have 1000 variations, never mind 100. Maybe it's time to make the system's inability to survive against blue and red teams the measure of failure, rather than whether the system is "compliant" with a standard?

Now, I'm sure there is likely to be a high degree of correlation between "unmanaged" and vulnerable in some organizations. There's probably also a medium degree of correlation between "exceptional" (as in, this box is too "special" to be considered "managed") and vulnerable. In other instances, the exceptional systems may be resistant to all but the most dedicated intruders. In any case, accepting that heterogeneity is a fact of life on modern networks, and deciding to test the security level of those assets, might be more productive than seeking to develop and apply homogeneous standards.

What do you think?

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
