Silicon Shecky

Forward and Back

Posted on November 10, 2017 By Michael Kavka

A few things happened this week. First was that I took (and passed) the CISSP exam. Six months of studying, worrying, and panicking all through. The test itself was not exactly what I expected, as it seemed to focus on a couple of domains and barely touched on others. Still, that is something I am glad is over with.

The other big thing this week is a lesson for all of us in the field that I think is more important, and one we overlook at times: single point of failure. No, I know what you are thinking: Shecky, you just took the CISSP and passed, you learn about single point of failure as part of studying for that exam (and a good number of other IT/Infosec exams). We all know how expensive the equipment to avoid it can be. We aren't overlooking it. Yes, we are, and in a major way.

How many of you have a person that is the go-to guy? You know, the one who is so ingrained into everything, with so much knowledge, that it would cause problems if they won the lottery and left. I've been dealing with a brain dump recently due to someone like that leaving. Documentation needs to be updated (or created). Knowledge needs to be transferred. It is something we can easily overlook as we are doing our day-to-day business. Now, I am no red team person, so I do not know how much it affects them, but every place I have worked, there have always been key people like this. It also becomes tough to get knowledge from them until they leave, as they feel the knowledge helps keep them employed and untouchable.

Here is the thing: this also gets covered in the CISSP exam, and is something basic called Separation of Duties. No one person should be holding that sort of keys to the kingdom. There has to be Job Rotation to help combat this. Documentation writing is great and all, but nothing beats hands-on training in my opinion, and getting mentored in areas you do not know at your job is a great way of getting trained. It also prevents that single point of failure, that one guy where, if something happens, too much vital knowledge is lost.

I know that there are a lot of people in the world of infosec that scoff at the CISSP, but just looking at this small topic that touches on it shows the need to revisit it. No, it is not super technical overall, but it does delve into basics. Those basics are the building blocks of security, and that is something we forget about, sometimes until it is too late.
