I got a F#@!ing Speeding ticket

40MPH in a 25MPH zone. I did it, I was speeding. I was in a hurry and I was trying to get around some cars that were getting backed up behind someone who was turning, and I got caught. 

I am not here to complain about the police, he got me, fair and square. $210 ticket with the 4 hour safe driving course. What I did want to talk about is unintended consequences.

I received a ticket for 15 MPH over the speed limit, but for the most part everyone drives between 30 and 35 on this four-lane stretch of road. Were the limit on this stretch of road set to what most people actually drive, I would only have been going about 5 over.

For the most part, speeds of 30-35 MPH are tolerated. There is no reason the limit couldn't be 35, but I think they fear that if they raised it to 35, everyone would regularly drive 45. I find most roads are like this: the limit is set artificially low to keep everyone in a generally safe range of speeds.

We have all become accustomed to exceeding the limit by a socially accepted amount. If you drive the actual speed limit you get nasty looks and honks. Adjusting these limits to what they should be is tricky, because you would need to change a lot of behavior and a bunch of social norms.

Complex, dynamic systems are hard to control, and when you try to, you often end up in a worse place than where you started. This is true of computer systems, the economy, healthcare, and so on. Security is a great example of this.

Over the years, we have seen the rise of a lot of compliance and regulatory standards. In general, these efforts have been good. Sarbanes-Oxley, PCI DSS, WebTrust, FFIEC, etc. have all forced businesses to operate more responsibly by making them spend time and money on things they had previously ignored.

I have lived through many audits in my time. Compliance standards vary greatly: some are prescriptive, like PCI DSS and ISO 27001, while others, like Sarbanes-Oxley and SSAE 16 SOC 2, are much less so and allow you to define your own controls. Controls are the standards against which an organization evaluates its own compliance. A company can adhere tightly to its controls while the controls themselves are weak and ineffectual. When evaluating a company's SOC 2 report, it is therefore important to evaluate the controls it chose, not just whether the auditor found them operating as described.

Some of these compliance frameworks, like PCI, are a snapshot of a point in time, while others, like a SOC 2 Type II report, are evaluated over a period of time. Even though a PCI audit is a snapshot in time, when things change, say you make a change to a firewall rule, you are supposed to re-assess to make sure you are still in compliance. However, in the real world, much like driving the speed limit, this rarely happens.

For things like PCI, you have very specific requirements you need to fulfill. This is not always practical in every environment, for many reasons. Sometimes it is impossible to satisfy competing requirements. Sometimes legacy products lack the required features or functionality. Sometimes upgrades are required, but those upgrades break other things. Sometimes an architecture has security features built in that differ from what the standard prescribes, and it would actually weaken security to be in compliance.

This is where we get into the world of compensating controls. Compensating controls allow you to put in place different policies, procedures, or tools to compensate for a requirement you cannot meet directly. For example, you may have a system that only supports telnet, which is forbidden because it sends credentials and sessions in the clear, but that system may be completely air-gapped, not connected to anything and locked in a controlled room. That would most likely be an adequate compensating control. Of course, some of this depends on your QSA (Qualified Security Assessor) and how they interpret the situation.

Where the problem comes in is when you start adopting a lot of compensating controls. Often these require manual interventions, extra steps, and strange architectures or tools. At some point the compensating controls themselves create security problems. I have seen this happen many times over the years: in pursuit of compliance, people compromise security. Remember that most problems are the result of people making mistakes. Just as with high availability, the more complex a system grows, the more unpredictable it typically becomes, and the more unintended consequences you experience.

With the implementation of GDPR (General Data Protection Regulation) I see a lot of sites asking me to click a button saying I accept that they use cookies. This is a terrible idea that greatly reduces security. For the most part, we are all aware that sites use cookies. What this practice does is desensitize people to clicking buttons on random websites just to get rid of annoying boxes. This trains people into very bad habits, and it will likely come back to bite us all in future exploits.

This is why it is so important to design security into the system from the start, with a focus on simplicity. As systems have become more distributed and complex, we are solving many of the availability and maintainability challenges, but security remains a very difficult problem.

Thanks for watching, I would love to hear your thoughts in the comments, and if anyone knows a good lawyer let me know. Please like, subscribe and hit that bell for notifications. I will see you in the next video.