For Want of a Patch
For Want of a Nail
For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.
Taken from Wikipedia https://en.wikipedia.org/wiki/For_Want_of_a_Nail
"For Want of a Nail" is a proverb, having numerous variations over several centuries, reminding that seemingly unimportant acts or omissions can have grave and unforeseen consequences.
In my version, I have taken the proverb and applied it to cybersecurity.
For Want of a Patch
For want of a patch the application was lost.
For want of a secure application the host was lost.
For want of a secure host the segment was lost.
For want of a secure segment the network was lost.
For want of a secure network the data server was lost.
For want of a secure data server the critical data was lost.
For the loss of the critical data, the company was lost.
And all for the want of an application patch.
They say a Blue team has to do everything perfectly, and a Red team only has to find one mistake. When it comes to security frameworks, IT defenders often don’t know where to start and don’t understand why some controls are necessary.
I take a different approach to illustrate why it is necessary to have all the controls. I use a version of “For Want of a Nail” that I created, “For Want of a Patch”, to walk practitioners through an attack, so they have something to hang the controls on. This approach yields a better understanding of security in depth and allows everyone to understand why each control is important.
In my presentation I walk through what we can learn from the PCI DSS in protecting computer systems in general, not just Credit Card Systems. By using each sentence of the proverb “For Want of a Patch” I focus the discussion on what can be done to protect your assets using the PCI DSS as your security framework.
For example, for the first line of the proverb, patching, the PCI DSS is very prescriptive. The controls in 6.2, 6.3, 6.4, 6.5, 10.8 and 11.2 can help a practitioner focus resources to improve their security posture.
6.2 – Install critical patches within 30 days; install all other patches on a regular basis.
6.3 – Develop software using standards; include security awareness and protections throughout the process.
6.4 – Follow a change control process; keep testing and production separate.
6.5 – Make sure you cover the OWASP Top 10 in your testing cycle, at a minimum.
10.8 – Implement timely detection of security failures.
11.2 – Run internal and external vulnerability scans.
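As an added illustration of the first line of the proverb and of control 6.2 (not part of the original presentation), the following script measures missing patches against the 30-day critical window and reports which hosts are overdue. The sample inventory is constructed for the example, and the 90-day window for non-critical patches is an assumed local policy value standing in for "a regular basis", not a number from the PCI DSS.

```python
from dataclasses import dataclass
from datetime import date

# PCI DSS 6.2 window for critical patches, as stated on the page.
CRITICAL_WINDOW_DAYS = 30
# Assumed local policy for "install all other patches on a regular basis";
# this is not a PCI DSS figure and should be set to your own standard.
ROUTINE_WINDOW_DAYS = 90


@dataclass(frozen=True)
class MissingPatch:
    """One patch that a host has not yet installed (dates are ISO strings)."""
    host: str
    patch_id: str
    critical: bool
    released: str


def days_overdue(patch: MissingPatch, today: str) -> int:
    """Days past the applicable window; zero or negative means still compliant."""
    window = CRITICAL_WINDOW_DAYS if patch.critical else ROUTINE_WINDOW_DAYS
    age = (date.fromisoformat(today) - date.fromisoformat(patch.released)).days
    return age - window


def overdue_by_host(patches, today: str) -> dict:
    """Map each non-compliant host to its overdue patches, worst first."""
    report = {}
    for p in patches:
        overdue = days_overdue(p, today)
        if overdue > 0:
            report.setdefault(p.host, []).append((p.patch_id, overdue))
    for items in report.values():
        items.sort(key=lambda t: t[1], reverse=True)
    return report


# Constructed sample inventory for the example (hosts and patch ids are made up).
SAMPLE = [
    MissingPatch("web-01", "APP-2024-001", True, "2024-03-01"),   # critical, long overdue
    MissingPatch("web-01", "APP-2024-007", False, "2024-05-20"),  # routine, still in window
    MissingPatch("db-01", "DB-2024-003", True, "2024-05-25"),     # critical, still in window
    MissingPatch("db-01", "OS-2024-002", False, "2024-01-15"),    # routine, overdue
]

if __name__ == "__main__":
    for host, items in overdue_by_host(SAMPLE, "2024-06-10").items():
        print(host, items)
```

A patch exactly at the end of its window is reported as zero days overdue and is not flagged, so the check is strict only once the window has actually passed.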