4 Cybersecurity Lessons From Replacing My Roof
A couple summers ago I fully replaced the roof of my shed. Here are my reflections on cybersecurity from that experience.
1. Friends are great💚, but they’ll only get you so far
I had a hard time getting my project off the ground.
First, I needed to demo the existing roof. I tried it myself and found it to be a little arduous with no end in sight. It didn’t help that I didn’t have the right tools either.
After getting the right tools (crowbar!), my friend came over and we started going at it, taking off the old shingles and plywood.
The project accelerated and it was very fun indeed!
At the end of the day, we were exhausted, but we got a lot done.
I continued on myself. Little by little and very slowly, things got done. By now, I was both physically and mentally exhausted.
So I put out a call on Craigslist. Enter John the Handyman…an expert carpenter! Progress sped up! 🚀🚀🚀
He looked at the roof and, with just his eyeballs, calculated how many more sheets of plywood I needed! Together, we cut and slapped on the fascia and the eaves. He didn’t double my efficiency; he increased it exponentially!
Yes, you can do security yourself. You might even have a friend that knows some security and can help out a bit. However, having an expert with experience in the field will move your project exponentially!
Also, demoing and breaking things is really fun!
2. Gaps are OK, As Long As You Have Compensating Controls 🎛️
Gaps in your roof can be concerning. To an untrained eye, that gap is a BIG problem.
Could water get in there? Shouldn’t it be tightly connected?
Alone in a vacuum🌌… IT IS a big problem!
However, with patience, wisdom, and experience, we understand that gaps can be covered with silicone, sheathing, felt, and, of course, shingles on top.
All of which provide layers of protection.
Sound familiar? Defense In Depth anyone?
The same can be said in Information Security.
Here are some examples:
Security Gap: You have shared service accounts in your environment (bad).
Compensating Control: Enable 2FA on the accounts to prevent proliferation until HashiCorp Vault is set up (not so bad).
Security Gap: You have a Windows XP machine in your environment. It’s the only OS that supports that weird device in your lab or that robot in your factory (Super bad? YES).
Compensating Control: Remove all network connectivity/devices/drivers from the machine (not so super bad, right?).
Whether you’re a carpenter, a CTO, or a security practitioner, you have to work in a reality that is not perfect or ideal. There are almost always multiple solutions to a problem.
It’s up to us to find the one that works, and then keep iterating.
Take a layered approach towards security. Defense in depth. There is no silver bullet.
3. Measure Twice, Cut Once! 📏
Yes folks… This. Is. So. True. 🪓
I saw 21.5″ but actually measured 20.5″! Blame fatigue, blurry lines, lack of coffee, whatever… if I had taken an extra second to double-check my measurements, I would have had a good piece of wood and not an addition to my already growing scrap pile. 🪵
When pushing your security changes to production, being super careful that you don’t bring down the website with that ill-planned security group or firewall rule is measuring twice. Checking that you don’t mistakenly open that S3 bucket to the world instead of just another AWS account is measuring twice.
You get the point.
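A small "measure twice" gate of the kind this lesson argues for, written here as an added example and not code from the post: before a change ships, it lints a bucket policy for Allow statements granted to the wildcard principal (everyone) rather than to a specific AWS account, and lints security group ingress rules for sources that cover the whole internet. The bucket policy, account ID, bucket name and rule layout are constructed samples, and the "any Condition narrows the grant" rule is a deliberate simplification.

```python
"""Pre-change lint for two common cloud mistakes: an S3 bucket policy that
grants access to everyone instead of one other AWS account, and a security
group rule open to the whole internet.  Added illustration; the policy and
rules below are constructed samples, not real infrastructure."""
import ipaddress
import json

# Constructed sample bucket policy: one intended cross-account grant, one
# mistaken grant to every AWS principal, and a conditional Deny that is fine.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OopsPublic", "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed sample security group ingress rules (simplified shape).
SAMPLE_INGRESS_RULES = [
    {"port": 443, "cidr": "10.0.0.0/8"},
    {"port": 22, "cidr": "0.0.0.0/0"},
    {"port": 3306, "cidr": "::/0"},
]


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "..."}, {"AWS": [...]})
    into a flat list of principal strings."""
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def public_allow_statements(policy_json):
    """Return the Sids of Allow statements whose Principal is the wildcard
    and that carry no Condition.  Assumption/simplification: any Condition
    is taken to narrow the grant; real AWS evaluation depends on which
    condition keys are used."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    flagged = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        if stmt.get("Condition"):
            continue
        flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def internet_open_rules(rules):
    """Return (port, cidr) for ingress rules whose source is every IPv4 or
    IPv6 address, i.e. a /0 prefix."""
    open_rules = []
    for rule in rules:
        network = ipaddress.ip_network(rule["cidr"], strict=False)
        if network.prefixlen == 0:
            open_rules.append((rule["port"], rule["cidr"]))
    return open_rules


def measure_twice(policy_json, rules):
    """Combined gate: True only when nothing world-open is about to ship."""
    return not public_allow_statements(policy_json) and not internet_open_rules(rules)


if __name__ == "__main__":
    print("public bucket statements:", public_allow_statements(SAMPLE_BUCKET_POLICY))
    print("internet-open ingress:", internet_open_rules(SAMPLE_INGRESS_RULES))
    print("safe to ship:", measure_twice(SAMPLE_BUCKET_POLICY, SAMPLE_INGRESS_RULES))
```

Run against the samples it flags the `OopsPublic` statement and the two `/0` rules and reports the change as not safe to ship; the same two functions can be pointed at the real policy document and rule set in a deploy pipeline so the "second measurement" happens before anything reaches production.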
Although I had extra wood that day and I simply laughed off the mistake, the situation may not always be so laughable in Information Security.
Check, test, check again!
Although this wisdom can be applied to almost all parts of life, in Information Security, we are under extra scrutiny. We have pressure on our shoulders to ensure security environments are safe. We oftentimes have to measure three, four, five, or more times before cutting.
4. Take Baby Steps
In security, we often want to boil the ocean!
Rebuilding a roof is a series of small steps. Each one significant and built upon the other.
First, the rafters, eaves, and fascia.
Then, the plywood and flashing.
Afterward, paper, and then finally, the shingles.
Each one building on the other. Each one insignificant alone, but fundamental together.
Putting together an Information Security Program is the same way.
Find your unknown unknowns.
Stop the bleeding.
Put together a plan.
Start healing and building.
Revisit the plan often, execute, iterate.
Rome was not built in a day.
Slow and steady wins the race. 🐢
Little streams make big rivers.
You get the picture: take one step at a time. 🙂
Summary - Infosec Lessons From Rebuilding My Roof
Get Someone Who’s Done It Before
Take a layered approach towards security. Defense in depth. There is no silver bullet
Test, verify, retest
Slow and steady wins the race