Risk

12/8/2017
10:30 AM
Chris Nelson
Chris Nelson
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What Slugs in a Garden Can Teach Us About Security

Design principles observed in nature serve as a valuable model to improve organizations' security approaches.

Next year marks the 40th anniversary of a book that changed the world: Bill Mollison and David Homgren's Permaculture One, which described a set of agricultural and social design principles that mimic the relationships found in nature.

"In practice, permaculture is a growing and influential movement that runs deep beneath sustainable farming and urban food gardening," Michael Tortorello wrote in The New York Times. "You can find permaculturists setting up worm trays and bee boxes, aquaponics ponds and chicken roosts, composting toilets and rain barrels, solar panels and earth houses."

What does this have to do with information security? I believe there's remarkable synchronicity between permaculture and security and that the use of design principles observed in natural ecosystems can serve as a valuable model to improve organizations' approaches to security.

Think about the challenges of protecting an enterprise: lack of resources (people, technology, budget, or any combination thereof), competing priorities, balancing compliance requirements and business needs, awareness and training, enforcing policies and standards. 

It's an environment well-suited for the application of permaculture principles, which focus on harmonious integration — working with, rather than against, nature — and embracing collaboration over competition. Permaculture, a portmanteau of "permanent agriculture," embraces three basic ethics: care of the Earth (or, in this case, the system), care of people, and reinvestment of the surplus.

These three ethics guide 12 design principles that can be as useful in setting up and administering security systems as in agriculture, but we don't need to go that deep in the weeds here (pun intended).

It's also useful to think about the six permaculture zones and how they can be used to prioritize work. Permaculture zones are used to organize design elements based on frequency of use or need. The lowest number (0) denotes the most frequently touched, while the highest (5) is equivalent to wild land, requiring no human effort to produce anything.

How do security concepts line up with this zoned approach? For the purpose of illustration, let's assume the following: You receive 25 to 50 alerts from your intrusion detection system (IDS) per day. You update your malware system or respond to alerts 10 times per week. You review VPN logs once a day. And you deploy code once per day, with integrated static code analysis.

Using this information, you can begin to align your tools with specific zones: IDS is in Zone 1 because these alerts happen frequently and are a strong indicator of compromise but don't involve much interaction time. Malware issues have a pattern similar to IDS alerts, but the incidents are less frequent, pushing them out to Zone 2. VPN log reviews and static code analyses fall into Zone 3, thanks to less-frequent occurrences but a need for greater human intervention during such occurrences.

These are not hard-and-fast rules. If you do multiple code commits per day, for example, static code analysis would fall into a lower-numbered zone. Essentially, zone alignment is based on the number of times you need to touch the security control. It's a great way to begin the application of the design principle — from patterns to details.

Some additional practical applications of permaculture in security:

The problem is the solution. Slugs are a problem in the garden. But if you add ducks, the slugs become a food source for them. And then the ducks provide eggs. In technology, an equivalent might be the training opportunities that arise when software developers deliver code that has vulnerabilities. By identifying vulnerabilities committed at an individual developer level, you can then tailor specific training material toward that user. This reduces the burden on the whole team, because they avoid mandatory training on material for which they've already demonstrated competence. This is a challenging concept for some people — whether something is positive or negative is entirely determined by how you view it.

Get the most benefit from the least change. In the physical world, a dam site might be chosen because it delivers the most water in relation to the least amount of earth that has to be moved. In the IT security world, an equivalent goal might be to remove admin rights from workstations, thereby immediately dropping the percentage of malware infections. This is a single action that can have a far-reaching positive effect on an entire organization.

Seeking order yields energy. Disorder consumes energy to no useful purpose, whereas order and harmony free up energy for other uses. By embedding operations staff into development teams, for example, you can avoid inefficiencies caused by engineers attempting to simultaneously manage systems while writing code.

Learn to harness natural cycles. Every cyclical event increases the opportunity for yield. Consider the software development life cycle and the plan-build-run model: both are examples of technological cycles that can make identification of IT security defects easier by coupling different tools to disparate stages.

Permitted and forced functions. Key system elements may supply many functions. However, if you force too many functions onto an element, it will buckle under the weight. Order is achieved by balancing simplicity and complexity.

Work with nature rather than against it. Pesticides destroy beneficial as well as destructive insects; the following year brings an explosion of pests because there aren't any predators to control them. If your security controls cause inconvenience to your users, they'll bypass them. When we build IT security policies and controls that function within the flow of the organization, enhanced security is the natural outcome.

Despite our many attempts to disrupt her, Mother Nature has been managing the world pretty efficiently for many millions of years. Permaculture reminds us to listen to what she tells us and apply this insight across every aspect of our lives. The lessons for information security are dramatic.

Related Content:

As Senior Director of Security and IT at Distil Networks, Chris Nelson leads the security and compliance initiatives across the organization by the use of permaculture for design of policy, standards, audit, and risk assessment. He works with customers, partners, and internal ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
The Browser Is the New Endpoint
Rajesh Ranganathan, Product Manager at ManageEngine,  10/23/2018
Good Times in Security Come When You Least Expect Them
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  10/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.