The Security Compliance Zombie
I recently had the opportunity to view a webinar where the topic was how to stop what was referred to as “compliance zombies”. We have all seen zombie movies. Zombies are mindless creatures that march straight forward, with no thought whatsoever as to what they are doing, to achieve a single objective. No thought. No deviation. Even if they are putting themselves at great risk.
Security compliance zombies do the exact same thing. They press forward with a set of vague guidelines just for the sake of being “compliant”, without really understanding what it is exactly they are doing, and often, without intending to, putting their organization at risk. When it comes to security and compliance, I believe a lot of us out there can relate to this type of zombie phenomenon, and I am speaking from experience.
Several years ago, when it came to securing the environment I was responsible for, I found myself behaving the exact same way. Being the lone security engineer with the responsibility for ensuring several small networks were both secure and “compliant” with applicable industry security standards, I found myself just pushing forward aimlessly. Mandating controls and secure configuration guides without REALLY thinking about what it was that I was doing. Implementing what I believed the controls were stating because, hey, I was the security guy. I am supposed to know it all, right?
I wish I could say that I realized right away just how wrong that mindset was. But if I did I would be lying. It took longer than I care to admit. But I am happy to say that it did all change for me one day when I was challenged by one of the system engineers on a specific control that I said had to be implemented. The particular control addressed object reuse and it stated:
“…the constant reallocation of objects is a security risk because residual data may remain when the object is reassigned to a new process after a previous process is finished with it. Clearing residual data from an object before reuse assures that system resources, in particular storage media, are allocated and reassigned…”
And do you know what that system engineer had the gall to ask me? He asked me, “What does that mean, and how do I apply it?” I will never forget that moment because I did not have a definitive answer for him. And to me, that was not acceptable. That’s the moment that I realized I was acting like a zombie and things had to change.
It took some time, but I went back to my desk and I traced that control, Object Reuse, all the way back to the NSA’s Rainbow Books. Then I sat down with that system engineer and provided him with a thorough explanation of not only the meaning of the control but the complete history, purpose, and applicability of the control.
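The residual-data problem that control describes, as an added example that is not part of the original post: a toy pool of fixed-size storage slots (constructed here, not any real allocator) is handed from one simulated process to the next, and the function counts how many bytes of the first process's data the second process can still read, with and without clearing the slot on release.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define SLOT_SIZE 32
#define SLOT_COUNT 4

/* A toy pool of fixed-size storage objects (constructed for illustration).
 * Each slot is handed to one "process" at a time and returned afterwards. */
static unsigned char pool[SLOT_COUNT][SLOT_SIZE];
static bool in_use[SLOT_COUNT];

/* Hand out the first free slot; returns -1 if none is free. */
static int acquire_slot(void) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!in_use[i]) { in_use[i] = true; return i; }
    }
    return -1;
}

/* Return a slot to the pool. The object-reuse control requires the
 * clearing step; the 'clear' flag lets both behaviours be compared. */
static void release_slot(int slot, bool clear) {
    if (clear) {
        /* volatile pointer so the compiler cannot optimise the wipe away */
        volatile unsigned char *p = pool[slot];
        for (size_t i = 0; i < SLOT_SIZE; i++) p[i] = 0;
    }
    in_use[slot] = false;
}

/* Process A writes a secret and releases its slot; process B then acquires
 * a slot and gets the same one back. Returns how many bytes of A's data are
 * still readable by B; the control is satisfied only when this is zero. */
size_t residual_bytes_after_reuse(bool clear_on_release) {
    static const char secret[] = "TOP-SECRET-PAYLOAD"; /* constructed sample */
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);
    int a = acquire_slot();
    memcpy(pool[a], secret, sizeof secret);
    release_slot(a, clear_on_release);
    int b = acquire_slot();               /* same slot, reassigned to B */
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof secret; i++)
        if (secret[i] != '\0' && pool[b][i] == (unsigned char)secret[i]) leaked++;
    return leaked;
}
```

Calling `residual_bytes_after_reuse(false)` reports every byte of the secret surviving into the next owner's slot, while `residual_bytes_after_reuse(true)` reports none; the same idea applies to disk blocks, swap, and any buffer pool that recycles storage between tenants.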
So, you may be wondering, what is the cure for the security zombie? First, one needs to come to grips with the following statement: compliance does not equal security. I know it may come as a shock to some, but compliance is merely a snapshot of how your security program meets a set of general security requirements at a given moment in time. It does not mean your system or data are by any means secure. Next, get ready to put in some serious work, because it’s time to gain a thorough understanding of the data, systems, and technologies you are tasked to protect. It’s time to start reading documents like secure configuration guides (e.g. STIGs and CIS Benchmarks) and RFC documents, all while you start to learn and understand things about your environment like who has access and where the weak points of the systems are.
Does this all sound familiar? Are you a security zombie? If so, it’s time to cure yourself and your career of that dreaded disease. It’s time to begin to understand what threats and vulnerabilities are and which ones are applicable to your environment. It is finally time to put in the time and the effort to understand how the threats pertinent to your environment operate, so that you can finally start to design and build the proper defensive solutions.