Posts Tagged “professional kitchen”

In the first part of this series, I began by explaining that the topic came from a reaction I had to a quote from Robert Carr, the CEO of Heartland.  The underlying premise of the quote was built on the assumption that Heartland was PCI DSS compliant and therefore should have been secure.  Anyone who has read this blog won’t be surprised to hear that I don’t agree that compliance can be equated in any way to how secure a network or system is or isn’t.

As I mulled this over an analogy came to mind: Information Security is a lot like professional cooking.  Part One basically set things up, and this part (Part Two) will begin the analogy by showing how standards are a lot like professional recipes.  In Part Three I will broaden the image by relating what we do to working in a professional kitchen.

As some of you know, when I first graduated from college I went to culinary school.  The school I went to focused on technique, and we spent every day in the kitchen learning and refining what we had learned.  I went on to work in some fine dining restaurants, and while I later came to the realization that life in a professional kitchen wasn’t for me, I learned quite a few life lessons during that experience.

Getting back to the idea that standards are much like recipes, let me share with you one of the base recipes from my time in culinary school:

Mediterranean Fish Soup
(Serve with rouille on croutons)

Olive Oil
Scallions – FC
Onion – C
Garlic – FC
Tomato – C
White Wine
Fish Stock
Season
Saffron
Thyme
Fish in 1” pieces (Salmon, Red Snapper, Scallops, Clams/Mussels, etc.)

That’s it.  Most professional recipes are like this one.  Some even have less detail.  Now if you know what you are doing then this is really all you need. 

The Chef who taught me to cook was from France, and he taught us as he was taught.  No recipes – just technique.  We didn’t have recipes, cook times, or for the most part cook temperatures (pastry and baking is a whole different world; in order to do pastry and baking you need all of those things.  I’m talking savories, not pastry and baking.)  When asked how long to cook something, Chef’s response was: “Until it’s done.”  When we pushed him further he told us to start cooking and we would see.

What he didn’t want us doing was blindly following a recipe.  He wanted us to think about the food: how it was cooking; what was happening in the pan; how this flavor blended with that one; how they blend differently depending on the cooking technique being used, etc.

By teaching us the technique he was developing in us the skill to understand how different ingredients interact to create a dish.  We could then experiment to create our own dishes and creations (later outside of class of course). 

Now standards (such as PCI, HIPAA, GLBA, FISMA, DIACAP, etc) are very much like professional recipes.  Some have more detail than others but they are a basic set of instructions and all imply a certain baseline of knowledge to make heads or tails of them. They take someone with skill to apply them if they are going to result in something.  And by something I mean a soup that is so memorable that it brings you back to the restaurant time after time. 

Take the above recipe.  If you throw everything that I listed in a pot and cook it you’ll end up with garbage (much like blanket-applying a standard or baseline set of controls).  The vegetables will take longer to cook than the fish.  Some fish will take longer to cook than other fish.  So you could end up with a soup with overcooked, mushy vegetables and fish that ranges from overcooked to raw.

Here’s the thing: you followed or rather were “compliant” with the recipe but you still ended up with garbage (or at least not something worthy of a fine dining restaurant).  Sound familiar?

Put this recipe in the hands of a trained/experienced cook however and you will have something. (WARNING – minor digression here.  We throw around the term “Chef” too loosely in this country.  There is really only one Chef in a kitchen – everyone else is a cook.  IMHO, you must earn the title “Chef” and shouldn’t get it just because you put on a white jacket and stand next to a stove.) A trained/experienced cook will take the finely chopped scallions and onion and sweat them down in a little olive oil. Just as they are tender and translucent the garlic will be added for a minute or two – that way it doesn’t burn.  Next in will be some chopped and seeded tomato.  This will be cooked down until the pan is somewhat dry but the tomatoes are moist.  At this stage you’ll need to keep your eye on the bottom of the pan.  You are looking for a little caramelization of the sugars from the scallions, onion, garlic and tomato to occur.  Don’t burn it though.  As the caramelization occurs, add in some white wine to deglaze the pan.  When that cooks down to the point that it is gone, add the saffron followed by the fish stock and some fresh thyme. 

Now you have your fish soup base.  To this you will be adding several types of fish/shellfish.  The problem is that even though you will cut them all to the same size, they won’t all cook the same.  Some will take longer than others.  Here is where experience comes in again.  What some people do is that once they have a huge pot of the base, they take a cup or two of it and put it in a smaller pot or pots.  They use these pots to cook the fish to order and return the cooking liquid to the soup base after each go.  That means that the base will pick up the flavors and oils from the fish and actually get better throughout the night.  The base is kept at a simmer all night too, so you can quickly cool it down and refrigerate it for use the next day.

Now in this analogy the cook was able to use the elements of the recipe to create a pretty good basic fish soup.  Can you alter the ingredients to create something else?  Of course you can.  You can substitute shallots for the onions and some of the garlic.  You can add in leeks or other vegetables too, and you would treat them slightly differently depending upon how the soup was going to be served.  I won’t go into all that here as I’ll get too far away from the analogy, but once the basic technique is learned a lot can be done from that basic starting point.

That is what standards are – basic starting points.  In the hands of a skilled professional they can take us a long way towards securing our networks but they are by no means an end unto themselves. 

Now that I’ve run a bit long on that, I’ll wrap this up by saying that now that we have an idea how standards fit into professional cooking, we can move on to how managing security in a network is akin to professional cooking.  That will be next time, of course.


I’ve been a bit lax with the blog lately and for that I’m sorry.  The reason will be clear in a few weeks when I hope to be able to make an announcement.  For now though I’d like to just provide my apologies.

This post started out as my commentary on two recent articles that appeared in CSO Magazine concerning the data breach at Heartland Payment Systems (“Heartland CEO on Data Breach: QSAs Let Us Down” and “SQL Injection Attacks Lead to Heartland, Hannaford Breaches.”) 

Now what I do to write these posts is basically sit down and let it just flow out of me.  I then go back and do a little cleanup as needed.  Sometimes the cleanup needed is so much that I just trash the post.  Other times I realize that a concept that came up late in the post is really what the post should have been about in the first place.  That is the case this time.  So I’ve basically thrown out three quarters of the pontificating (which you really didn’t want to hear anyway) and focused on the analogy that information security is much like professional cooking.  As I put this together I glanced down at the word count and realized that this was growing to be much more than the simple post that I initially envisioned.  So what I’ll do is break it up into a few parts to try and get my point across.  Let me know if I was successful.

How did I come up with this analogy?  Well it was mainly sparked by a comment made by Heartland CEO Robert Carr in the first article mentioned above.  That comment was:

“The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.”

In this first part I’m going to set up the analogy and then dive into it within the subsequent posts. 

While I’ve been critical of some of the statements that Mr. Carr has made in the past I basically think that he has done a great job in responding to the crisis his company is in.  True he may have been forced into this response by circumstances but I’m not going to look a gift horse in the mouth.  A CEO of a major corporation has finally come to realize the importance of information security in the daily operations of his company.  However you look at it that is a good thing.  That he has become proactive in advancing our cause is an even better thing. 

What concerns me though is Mr. Carr’s statement.  He may be doing the right thing but I don’t want him to do it for the wrong reason because in the end it won’t help us out, it may even hurt us. 

You see Mr. Carr’s statement smacks of “missing the forest for the trees.”  He seems to understand that he must do something but doesn’t really understand the real reason behind it.  So this is my effort to try and shed some light onto the subject.  Will Mr. Carr ever read this?  Who knows but that really isn’t important as long as this helps someone.  So if this makes sense and you want to use it go right ahead.  (Just give me credit in some way.)

Let me take a stab at reconciling the issue.  The QSAs didn’t necessarily fail.  They audited to a known and accepted standard.  PCI DSS didn’t even necessarily fail; it is what it is: a standard.  What failed you was the commonly held assumption that compliance equals security.

When push comes to shove, SQL injection has been around for a long time, so the fact that systems are still regularly found to have input validation issues is surprising.  Since we can’t blame the QSAs, should we blame the developers?  We could, but again we’d be missing the forest for the trees.  These are but symptoms of the problem.  How do we get at the problem?  In trying to get a handle on this I’ll try my hand at a little analogy, namely that Information Security is a lot like professional cooking.  I’ll illustrate this by first focusing on how recipes are a lot like standards (Part Two) and then I’ll move on to broaden the image by relating what we do in information security to working in a professional kitchen.
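The "input validation issues" mentioned above are concrete enough to show in code, so here is an added example (mine, not from the original post or from Heartland) of the two query-building habits a code reviewer would look for. The in-memory `users` table, the `lookup_*` functions and the `is_valid_username` allowlist check are all constructed for this illustration; the point is the pair of checks a defender can keep as a regression test: a query built with bound parameters treats quote characters in the input as plain data, and an allowlist rejects such input before it ever reaches the database.

```python
import re
import sqlite3

# Constructed sample table for the demonstration (not real data).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# Hypothetical allowlist for this application's usernames: lowercase letters,
# digits and underscores, 1 to 32 characters. Validation is a defence-in-depth
# layer; it does not replace parameterized queries.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(value):
    """Return True only if the value matches the allowlist."""
    return USERNAME_RE.fullmatch(value) is not None


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable pattern: the untrusted value is spliced into the SQL text,
    so quote characters in it change the structure of the statement."""
    sql = ("SELECT username FROM users WHERE username = '"
           + username + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened pattern: the value is passed as a bound parameter and is only
    ever treated as data, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on a fresh database and return (concatenated, parameterized)."""
    conn = make_db()
    try:
        return lookup_concatenated(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign value and a constructed value containing a quote character.
    for probe in ["bob", "x' OR '1'='1"]:
        concat, param = compare(probe)
        print(f"input={probe!r} allowlisted={is_valid_username(probe)} "
              f"concatenated={concat} parameterized={param}")
```

Running the block shows that for the benign input both lookups agree, while for the input containing a quote the concatenated query returns every row and the parameterized one returns none; the allowlist rejects that input outright. Either check failing in a test suite is a finding worth raising long before an assessor asks about it.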
