Why Attestations Are Just One Part of Your Cloud Security Program

Jul 5, 2017

Publisher

Steven Murray


Attestations don't necessarily measure your defensive posture

An attestation, by definition, is an indication that makes something evident. In the case of security, specifically security programs, it means to certify in an official capacity.


People often ask me what makes a good security program. As much as I would like to point to one aspect of my security perimeter to use as an example, there are multiple items to highlight. The industry relies on attestations and certifications to measure your security defenses. Engineers and operators will tell you that your actual security perimeter and threat assessment capabilities define your security program. I will tell you that both compliance attestations as a measurement and the operational capabilities of your security team define your program, though attestations alone are not an accurate benchmark for measuring a program.


Attestations are an industry necessity to ensure compliance with federal, local and state statutes as well as industry best practices. ISO, NIST or DoD standards form the baseline of most attestations. NIST, for example, publishes a set of standards and technical guides to help organizations build perimeter defenses that are “acceptable” to the government. As I will outline, however, just because the standards are set doesn’t mean implementation is always stellar.


Deploying a tool doesn't mean it's providing value

Controls allow for flexibility in implementation and business growth, and for innovation over time. Unfortunately, some organizations use that flexibility to check boxes without having real defenses in place.


A classic example of this problem is the intrusion detection/prevention system (IDS or IPS). Like virus scanners, most organizations invest in an IDS/IPS as a standard security practice to prevent malicious traffic and data exfiltration. The industry is full of vendors making IDS/IPS systems in every form. Some organizations, however, build the system rather than buy it.


I recently left one such organization that “built” their own intrusion detection system from open source tools. Auditors were told the system was a “fantastic tool”, and were even given examples of traffic. When I dug deeper into the telemetry the tool was providing, I realized that traffic was not being analyzed at all. Rather, it was passing through the sensor, which was not configured to capture any traffic or alert at all. Furthermore, the credentials used to administer the tool were set up by a previous employee and were never updated after his departure. So essentially, the tool was sitting idle for months without any human intervention. Not only does this put the company at risk, but it also compromises the perimeter.


A savvy auditor would not catch this problem, because attestations don't look for “operational” information on every system; the standards are really layers of question and answer. In fact, most attestations only measure whether a tool exists, not whether it is operationally viable. Furthermore, most auditors aren't technical enough to tell a functional IDS/IPS from a non-functional one. Audits largely rely on the company putting its best foot forward rather than answering hard questions. Auditors also have to cover a large number of controls during an audit, so time is a major factor in the quality of their analysis.
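The gap described above is the difference between “is an IDS deployed?” and “is the IDS doing anything?”. The following is an added example, not code from the original post or from any product: a small operational-viability check that reads periodic sensor statistics lines and an admin-credential rotation date and reports the exact conditions in the story (a sensor that captures no packets, a sensor that has gone silent, and credentials that were never rotated). The log line format, the sensor names, the “now” timestamp, the thresholds (7-day window, 6-hour heartbeat, 90-day credential age) and the sample lines are all constructed for the example.

```python
"""
Operational-viability check for an IDS/IPS sensor (added example; the log
format, thresholds and sample data below are assumptions, not a real product).

Expected input: periodic sensor stats lines of the form
    <ISO-8601 timestamp> sensor=<name> packets=<n> alerts=<n>
plus the date the admin credential was last rotated. Output: findings that
turn "we have an IDS" into a concrete list of gaps.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

STATS_RE = re.compile(
    r"^(?P<ts>\S+)\s+sensor=(?P<sensor>\S+)\s+packets=(?P<packets>\d+)\s+alerts=(?P<alerts>\d+)$"
)

# Constructed "now" so the example is deterministic.
NOW = datetime(2017, 6, 30, 12, 0, tzinfo=timezone.utc)

# Constructed sample: an idle sensor, a healthy sensor, a sensor that stopped
# reporting a month ago, and one malformed line that must be skipped.
SAMPLE_STATS = [
    "2017-06-24T00:00:00Z sensor=ids-idle packets=0 alerts=0",
    "2017-06-28T00:00:00Z sensor=ids-idle packets=0 alerts=0",
    "2017-06-30T11:00:00Z sensor=ids-idle packets=0 alerts=0",
    "2017-06-29T12:00:00Z sensor=ids-edge packets=184233 alerts=12",
    "2017-06-30T11:00:00Z sensor=ids-edge packets=190511 alerts=9",
    "2017-06-01T00:00:00Z sensor=ids-dead packets=5000 alerts=1",
    "this line is garbage and is skipped",
]


@dataclass
class Finding:
    sensor: str   # which sensor (or "admin-console" for the credential check)
    check: str    # "heartbeat", "capture", "alerting" or "credential"
    detail: str


def parse_stats(lines):
    """Parse stats lines into (timestamp, sensor, packets, alerts); skip malformed lines."""
    records = []
    for line in lines:
        m = STATS_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        records.append((ts, m["sensor"], int(m["packets"]), int(m["alerts"])))
    return records


def check_sensor(lines, now, window=timedelta(days=7), max_silence=timedelta(hours=6)):
    """Return Findings for every sensor that is present but not demonstrably operating."""
    findings = []
    by_sensor = {}
    for ts, sensor, packets, alerts in parse_stats(lines):
        by_sensor.setdefault(sensor, []).append((ts, packets, alerts))
    for sensor, recs in by_sensor.items():
        recs.sort()
        last_ts = recs[-1][0]
        # Heartbeat: a sensor that has stopped reporting cannot be "working".
        if now - last_ts > max_silence:
            findings.append(Finding(sensor, "heartbeat", f"no stats since {last_ts.isoformat()}"))
        recent = [r for r in recs if now - r[0] <= window]
        if not recent:
            continue  # already covered by the heartbeat finding
        packets = sum(r[1] for r in recent)
        alerts = sum(r[2] for r in recent)
        # Capture: zero packets over a week means traffic is bypassing the sensor.
        if packets == 0:
            findings.append(Finding(sensor, "capture", f"0 packets captured in the last {window.days} days"))
        # Alerting: traffic with zero alerts for a week warrants a manual look;
        # it is a prompt for review, not proof of failure on a quiet segment.
        elif alerts == 0:
            findings.append(Finding(sensor, "alerting",
                                    f"{packets} packets captured but 0 alerts in the last {window.days} days"))
    return findings


def check_admin_credential(last_rotated, now, max_age=timedelta(days=90)):
    """Flag an admin credential older than max_age (e.g. set by a departed employee)."""
    age = now - last_rotated
    if age > max_age:
        return Finding("admin-console", "credential", f"admin credential last rotated {age.days} days ago")
    return None


def run_example():
    """Run both checks over the constructed sample and return the combined findings."""
    findings = check_sensor(SAMPLE_STATS, NOW)
    cred = check_admin_credential(datetime(2016, 11, 1, tzinfo=timezone.utc), NOW)  # constructed date
    if cred:
        findings.append(cred)
    return findings


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.sensor}] {f.check}: {f.detail}")
```

Run against the sample, the check reports that ids-idle captured nothing all week, that ids-dead has not reported since the start of the month, and that the admin credential is 241 days old, while the healthy ids-edge sensor produces no finding. A check like this is what an attestation does not ask for, and it is cheap enough to run on a schedule and hand to an auditor as evidence of operation rather than mere presence.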


An attestation alone cannot tell you whether a company has a mature security program and controls. Asking a potential partner to complete a vendor survey won't give you confidence either. Surveys just outline the same information in a different form. So how do you evaluate a mature security program?


Evaluating the whole cloud security program

First, you should at minimum review the attestation and the findings report, not the executive summary. That gives you an overview of the program as reviewed by a third party. Second, you should definitely review whether the company undergoes third-party penetration testing or runs a bug bounty program. Personally, I'm not a fan of bug bounties, but I do like annual third-party penetration tests. A penetration test gives you structured testing of your defenses and real feedback on vulnerabilities. Finally, review the security documentation (usually a catalog) the company uses as the basis for its implementation. This includes, but is certainly not limited to, security policy, incident response and vulnerability management. An experienced security team will offer to share these documents and artifacts as part of normal business.


I make it a matter of course to evaluate every vendor and partner from the perspective of access to company data. Meaning, if the partner or vendor manages company data, they’re subject to more scrutiny than a vendor that does not. Keep in mind the business purpose when evaluating a security program. I review the business purpose and the type of information involved, then evaluate from that perspective, rather than handling all partners and vendors the same. When in doubt, always ask for more information.
