Flashing 12:00:00

What the DVR can Teach Us About Information Security

Some of us are old enought to remember a strange phenomenon. You wake up in the middle of the night and discover that you are thirsty. You walk to the kitchen through the family room and suddently there is a strange flash of light, then it goes dark. Another flash, then darkness. Your senses are overloaded with this strange, slow strobe affect. Aliens? The police? No, it is just your VCR flashing 12:00:00.

While somewhat overly dramatic, the flashing VCR story is illustrative of a problem we find in many areas of life. The VCR or Video Cassette Recorder was a fantastic piece of equipment. You could not only watch pre-recorded movies, you could set up the device to automatically start recording at a specific time and on a specific channel so you never had to miss your favorite program again. There was only on problem. Nobody did that. The Video Cassette Recorder effectively became a VCP or Video Cassette Player. Why? Because in order to automate recording you needed to set the clock and setting the clock was neither intuitive nor easy. Then, when the power went our or the device got unplugged, you needed to do it all over again. Rather than deal with all of that, we just let our VCRs flash 12:00:00 and used it to watch pre-recorded movies.

Then came the Digital Video Recorder or DVR. This new era VCR gave us a better way. You didn't need to set the clock. In fact, you didn't even need to know what time your program started. The DVR made television watching simpler. What was complex became easy.

In the world of information security we have been searching for a better way for years. We have tried to find the silver bullet technology (I have a firewall so now I'm secure) and we have tried technology overload (I have a firewall, IDS, IPS, AV, DLP, WAF, etc. so I am now secure). We have tried focusing on achieving "compliance" and we have inundated our companies with policy. None of it has worked. We need a better way. We need a simpler solution. Fortunately the answer is here - the 20 critical secruity controls.

The SANS 20 Critical Controls are an easy to understand set of security objectives that are designed to be actionalble, implementable, measurable, auditable and able to be automated. They don't focus on drafting tons of policy documents (I've never seen a document stop a breach) but rather focus on real controls that have been proven to stop real attacks. In fact, unlike many other standards and regulations, the 20 critical controls were created by looking at the methods hackers actually use; letting offense guide defense. Best of all, the 20 Critical Controls can be scaled to fit in virtually any size organization, from the smallest shop to the largets enterprise.

If you are looking for a better way to do information security, if you are looking for the DVR instead of trying to fight the VCR, check out the SANS 20 Critical Controls.


If you want to learn about these controls in detail, you can check out the upcomming classes offered in Austin and in Washington, DC:

SEC566: Implementing & auditing critical security controls - Washington, DC