“Only a Sith Lord deals in absolutes. I will do what I must.” ~ Obi-Wan.
Okay, I’m not going to lie. I’ve just heard the “I want 100% security!” phrase from someone who’s in charge of cyber security at an organization. I even managed to kind of keep a straight face as well (but inside I was dying a little and, at the same time, mentally falling off my chair laughing!). So, does the information security world owe a huge debt to the wisdom of Star Wars? And is there a way to improve your organization’s security approach and posture using the wisdom of Jedi?
Working in today’s security-focused world
In today's technology and security world we have a huge range of complex factors to consider when designing a product, a service, or an enterprise as a whole. Security is most certainly a major part of this process. However, the real output from a service should be value, and so service design requires balancing requirements, needs, wants, and constraints.
If you’ve read any of my blogs before, then you’ll know that I’m a massive advocate of ensuring organizations have risk appetite statements (and more). But for the purposes of this post I’ll assume that we don’t have too many specific guidelines/standards (which in my experience is common in many organizations).
I believe that it’s really important to be realistic, to be programmatic, and to understand that security is really about improvement, not perfection!
Don’t let perfect be the enemy of good
If you currently visit InfoSec Twitter-land you'll see lots of conversations, prompted by the Reddit breach, about the effectiveness (or lack thereof) of SMS as a two-factor authentication (2FA) method.
Aside from the argument that an SMS code is not a second factor in the strictest sense (what it proves possession of is the phone number, not a device you hold), you need to think about your threat model: are physical theft of the handset, SIM swapping and number porting in it, and is their likelihood high enough to justify mitigating them?
Even if they are, a login that requires a passphrase plus a second step (a one-time code delivered over a separate channel) is surely better than one that requires only a password.
There is one caveat we must acknowledge: some service providers let you reset or recover a password via SMS alone, which collapses the two factors back into one, because whoever controls the number then controls the account. But again, someone would have to be targeting you specifically, with far greater motivation than the mainstay "spray and pray" approach adopted by the majority of cybercriminal threats. So we can see that we need a certain mindset (and an understanding of the threats, vulnerabilities, risks, and constraints).
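To make that trade-off concrete, here is an added example (my own code, not part of the original post) that models three login policies and three attacker profiles and reports who gets in. The password hashing, the six-digit code, the in-memory "carrier" that delivers texts, and the victim account "alice" with her passphrase and number are all constructed assumptions for the simulation; the point is the matrix at the end, which shows password-plus-SMS beating the spray-and-pray attacker, and the SMS-only reset path handing the account to anyone who has taken over the number.

```python
"""Toy threat-model simulation: password only vs password + SMS code, with and
without an SMS-only password reset. Added example, not code from the post."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

OtpReader = Callable[[str], Optional[str]]  # phone number -> latest text, or None


class Account:
    """Credential state for one user (salted PBKDF2 hash, one pending OTP)."""

    def __init__(self, password: str, phone: str) -> None:
        self.phone = phone
        self.pending_otp: Optional[Tuple[str, str]] = None  # (purpose, code)
        self.set_password(password)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._derive(password, self.salt)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, self._derive(password, self.salt))


class Service:
    """Login and recovery flows under a configurable policy."""

    def __init__(self, require_otp: bool, sms_reset_allowed: bool) -> None:
        self.require_otp = require_otp
        self.sms_reset_allowed = sms_reset_allowed
        self.accounts: Dict[str, Account] = {}
        self.sms_inbox: Dict[str, List[str]] = {}  # constructed stand-in for the carrier

    def register(self, user: str, password: str, phone: str) -> None:
        self.accounts[user] = Account(password, phone)

    def _send_otp(self, acct: Account, purpose: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending_otp = (purpose, code)
        self.sms_inbox.setdefault(acct.phone, []).append(code)

    def _consume_otp(self, acct: Account, purpose: str, code: str) -> bool:
        pending, acct.pending_otp = acct.pending_otp, None  # single use, matched or not
        return (pending is not None and pending[0] == purpose
                and hmac.compare_digest(pending[1], code))

    def login(self, user: str, password: str, read_sms: OtpReader) -> bool:
        acct = self.accounts.get(user)
        if acct is None or not acct.check_password(password):
            return False
        if not self.require_otp:
            return True
        self._send_otp(acct, "login")
        code = read_sms(acct.phone)
        return code is not None and self._consume_otp(acct, "login", code)

    def reset_password(self, user: str, new_password: str, read_sms: OtpReader) -> bool:
        """Recovery via SMS code alone, no old password: the caveat in the post."""
        acct = self.accounts.get(user)
        if acct is None or not self.sms_reset_allowed:
            return False
        self._send_otp(acct, "reset")
        code = read_sms(acct.phone)
        if code is None or not self._consume_otp(acct, "reset", code):
            return False
        acct.set_password(new_password)
        return True


def attacker_breaks_in(svc: Service, user: str, known_pw: Optional[str], has_phone: bool) -> bool:
    """True if an attacker with these capabilities ends up logged in."""
    read_sms: OtpReader = (lambda phone: svc.sms_inbox.get(phone, [None])[-1]) if has_phone \
        else (lambda phone: None)
    if known_pw is not None and svc.login(user, known_pw, read_sms):
        return True
    # No usable password: try the recovery path, then log in with the new one.
    return svc.reset_password(user, "attacker-chosen", read_sms) and \
        svc.login(user, "attacker-chosen", read_sms)


POLICIES = {
    "password_only": dict(require_otp=False, sms_reset_allowed=False),
    "password_plus_sms_otp": dict(require_otp=True, sms_reset_allowed=False),
    "password_plus_sms_otp_with_sms_reset": dict(require_otp=True, sms_reset_allowed=True),
}
ATTACKERS = {  # (knows the password, controls the phone number)
    "spray_and_pray": (True, False),  # reused or phished password, no interest in the phone
    "sim_swap_only": (False, True),   # took over the number but never got the password
    "targeted": (True, True),
}
VICTIM_PW, VICTIM_PHONE = "correct horse battery staple", "+15550100"  # constructed


def threat_matrix() -> Dict[str, Dict[str, bool]]:
    """policy -> attacker -> breached, each on a fresh constructed victim account."""
    out: Dict[str, Dict[str, bool]] = {}
    for pname, policy in POLICIES.items():
        out[pname] = {}
        for aname, (knows_pw, has_phone) in ATTACKERS.items():
            svc = Service(**policy)
            svc.register("alice", VICTIM_PW, VICTIM_PHONE)
            out[pname][aname] = attacker_breaks_in(
                svc, "alice", VICTIM_PW if knows_pw else None, has_phone)
    return out


if __name__ == "__main__":
    for policy, row in threat_matrix().items():
        print(policy, {k: ("BREACHED" if v else "held") for k, v in row.items()})
```

The simulation only counts the attacker as successful if they complete a login, so the reset path has to be followed through to the end. Run it and the last row is the one to dwell on: with an SMS-only reset, the "sim_swap_only" attacker who never learned the password still gets in, while the mass-market credential-stuffing attacker is stopped by the code in both 2FA rows.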
Following the path of the Jedi
Okay, so the Jedi have their Jedi code, and if we're going to be "Cyber Knights," as opposed to "Jedi Knights," it would make sense that we also have a code. Luckily for me, someone has already helped on this front. Enter the DevSecOps Manifesto!
- “Leaning in over Always Saying ‘No’
- Data & Security Science over Fear, Uncertainty and Doubt
- Open Contribution & Collaboration over Security-Only Requirements
- Consumable Security Services with APIs over Mandated Security Controls & Paperwork
- Business Driven Security Scores over Rubber Stamp Security
- Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
- 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
- Shared Threat Intelligence over Keeping Info to Ourselves
- Compliance Operations over Clipboards & Checklists”
To read more on the DevSecOps Manifesto, please go to: https://www.devsecops.org/
Do or do not, there is no try!
Okay, so Yoda and Obi-Wan have a different way with words. However, I'm going to end this post with a five-point call to action.
- Do strive for better and improved security over trying to reach perfection
- Do ensure that you cover the basics
- Do focus on probable threats rather than focusing solely on edge cases
- Do collaborate; security is not a stick to beat people up with
- Do work with people to help educate them
I’m sure I’ve missed many more opportunities to link InfoSec and Star Wars. If you want to join in the fun, please leave me a comment below.