Thursday, July 31, 2008

Just buy this and you're Compliant!

Does this really work on anyone?

To a lesser extent this one:

Now, I know they aren't coming right out and saying it, but it is implied at the very least. The reality is that compliance and risk management are hard. It's not what you want to hear. But take me as an example: I have an Ubuntu laptop (with Windows XP in VMware), my wife has a MacBook Pro, we have a Windows 2003 server, a Fedora Asterisk PBX/MythTV box and a wireless network.

I spent the last two days attempting to practice what I preach. I have found that even with this small setup it is challenging. Granted, I am running 5 different operating systems. But even if you take away the Mac (which I did, because she wouldn't let me touch it), I still spent a couple of hours analyzing myself. The Windows server and virtual machine were quite a distance away from FDCC / SCAP Beta compliance. The SQL Server instance on the server and MySQL on the PBX were laughable at best. All in all, without spending too much effort, I would give myself over 100 findings and about 15 - 20 highs, best case (and being creative with combining vulnerabilities).

Here it comes ... my main problem is the operations and management of these systems. No CM, no security analysis before changing things, constantly chasing my tail trying to remember what I did. Poorly documented accounts, inconsistent security policy, no backups, little regard for how equipment is acquired, no regularly scheduled vulnerability assessments or pen tests; the list goes on.

So, what do the "products" suggest I do? Fix ten of the technical problems I found with a simple VBScript and MBSA. And now I'm compliant? I think not.

Compliance is not easy; it comes from detailed policy and procedures, creating and executing a plan, assessing the residual risks and managing those risks. No product is going to give you that. Can they help you? Sure. But they aren't the silver bullet to compliance.
