Threat agents maintain the initiative and we respond to restore balance. The bad guys innovate, find exposures, and use technology which they can leverage to achieve their objectives. They take the first step, set the tempo, and lead this wicked dance. The security industry normally operates in a responsive manner, closing the door behind successful attacks to prevent further loss and scrambling to prepare for the next issue. But every once in a while, the security community comes up with a predictive and proactive idea which has sweeping effects against attackers and their future likely methods, and we show true leadership in innovation.
These golden nuggets can change the initiative and give an advantage to the defenders. Sadly, it is rare. In most instances it is difficult to justify expenditures for capabilities which may or may not interdict future potential attacks. Our industry cannot confidently measure and substantiate such innovation to determine which will leapfrog us ahead of the bad guys and those which fail miserably. Without clear value, those holding the purse strings are not very motivated to blindly invest. It reverts back to the age old security problem of measuring attacks which are avoided.
How will we ever change our industry to support security taking back the initiative? First we must devise a good way of measuring innovation. We have much better metrics for how well the bad guys succeed, and are blind on how to measure the value of security ideas. This must change in order to facilitate the financial support necessary for investment. The value is there; we must adjust our focus to see the opportunity. Otherwise, the enemy will maintain the advantage as we continue to follow behind the attackers, cleaning up messes, and forever responding to their ingenuity.
Passwords of reasonable strength (8 characters or more, consisting of upper- and lower-case letters and special characters) coupled with timely expiration are secure. Passphrases with comparable measures are equally secure. The systems and users are currently the weakest links in the security chain.
The interfaces and tools through which we input passwords may be vulnerable. This includes but is not limited to key-loggers, sniffers, input redirection, etc. But it is the user where the most significant weakness exists. Users can be duped into divulging their passwords (phone, web, chat, email, etc.) and in many cases make them available in other ways (sticky note under the keyboard).
A recent Newsweek article covered the topic of building a better password:
"...a short but hard-to-remember string like "J4fS<2" can be broken by what is called a brute-force attack (in which a computer attempts "a," then "ab," then "abc," and so on) in 219 years, while a long but easy-to-remember phrase like "du-bi-du-bi-dub" will stand for 531,855,448,467 years. (Two hundred nineteen years is actually very good, but the lesson remains: simpler can be stronger.) The idea of passphrases isn't new. But no one has ever told you about it, because over the years, complexity-mandating a mix of letters, numbers, and punctuation that AT&T researcher William Cheswick derides as "eye-of-newt, witches'-brew password fascism"-somehow became the sole determinant of password strength."
The difference between passwords which can be cracked in two-hundred versus a billion years is immaterial if users are forced to change passwords every few months. The bad guys just don’t have the time to crack the password before it is changed or the data is sufficiently aged to not be of value.
To undermine cracking attempts, we force users to use 'strong' passwords so that dictionary attacks are fruitless and threat agents must resort to a laborious brute force attack, trying massive numbers of combinations in order to be successful. All passwords can be cracked via brute force, but it takes time. It becomes an exercise in how many attempts can be made over a given period. The faster the process, the more combinations can be tried and therefore the shorter the time to discover the one which works. The length and the set of possible characters determine the number of combinations.
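As an added illustration that is not from the article or the Newsweek piece, this Python estimates the keyspace an exhaustive search must cover for the two passwords quoted above and compares the expected crack time with a password rotation window. The guess rate is an assumed parameter (the article gives none; the 100 guesses/s used in the demo is a constructed online-guessing rate), and the alphabet sizes are the printable-ASCII character-class counts.

```python
import string

# Character classes a policy of "upper/lower case, digits and special keys"
# draws from; sizes are the printable-ASCII counts 26, 26, 10 and 32.
CHARACTER_CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password):
    """Alphabet size an exhaustive search must assume, inferred from the
    character classes the password actually uses. A class contributes its
    whole size, because the attacker does not know which members appear."""
    return sum(len(cls) for cls in CHARACTER_CLASSES
               if any(c in cls for c in password))


def brute_force_guesses(password):
    """Worst-case guess count for a search that tries every string of
    length 1 up to len(password) over the inferred alphabet."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def years_to_crack(password, guesses_per_second):
    """Worst-case time in years to exhaust the keyspace at a given rate.
    The rate is the decisive assumption: guessing against a throttled
    login is orders of magnitude slower than offline cracking of a
    stolen hash, which is why the article's point about capture beats
    cracking matters."""
    return brute_force_guesses(password) / guesses_per_second / SECONDS_PER_YEAR


def expires_before_cracked(password, guesses_per_second, rotation_days):
    """The article's argument: strength beyond the rotation window is
    immaterial. Uses the expected case of half the keyspace."""
    expected_days = years_to_crack(password, guesses_per_second) / 2 * 365.25
    return expected_days > rotation_days


def compare(password_a, password_b, guesses_per_second):
    """Which of two passwords takes longer to exhaust, and by what ratio."""
    a = years_to_crack(password_a, guesses_per_second)
    b = years_to_crack(password_b, guesses_per_second)
    return (password_a if a >= b else password_b), max(a, b) / min(a, b)


if __name__ == "__main__":
    # Constructed rate of 100 guesses/s; change it to see how an offline
    # attack collapses the "years" figure while rotation stays fixed.
    for pw in ("J4fS<2", "du-bi-du-bi-dub"):
        print(pw, charset_size(pw), brute_force_guesses(pw),
              f"{years_to_crack(pw, 100):.3g} years worst case")
    print(compare("J4fS<2", "du-bi-du-bi-dub", 100))
    print(expires_before_cracked("J4fS<2", 100, 90),
          expires_before_cracked("J4fS<2", 10**9, 90))
```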
Undermining the strength of a password is not the biggest concern. It is far more likely for a password to be sniffed on the network, captured on a system, or duped from a user, rather than be cracked.
The most significant vulnerability is with the users and the systems where passwords are entered and stored. There is no practical benefit to further abusing users with new diabolical password schemes. We should pay less attention to stronger and better password formats and instead invest in better behavioral controls, user education, and the strengthening of systems and interfaces.
Information technology has lagged behind society’s skyrocketing need to manage and secure data. Information is growing exponentially and our demands for control and oversight continue to develop rapidly. Efforts to create or improve current paradigms are fractured and have failed to reach the tipping point of the maturity cycle necessary to catch up. We have failed. It is time we shed our entrenched archaic ways and leap forward to revolutionize how data is protected and managed. The confluence of changes in our culture’s expectations of data demands we succeed. A revolution in data security is coming; we can either lead or be trampled by it.
The problem
The world is demanding more control, security, oversight, and awareness of where our data is and how it is being used. This includes information generated and processed at work, as well as our own personal information including financial, health, and privacy data. As a society, we are just starting down the road to explore data loss prevention issues, privacy expectations, digital rights management, and electronic discovery requirements. Additionally, we are just beginning to understand the vast, hidden, and expanding world of data breaches, identity theft, user profiling, and online victimization. Intellectual property controls are more important than ever to businesses in the information age, and the social networking phenomenon is opening our eyes to the need for better security and management of individuals’ data and the systems which control it.
Yet the current behaviors, tools, and infrastructure are vastly insufficient for what we need today and the gap is increasing, leading to a critical failure point in every way for what will be needed a decade from now. As fast as technology evolves, it simply cannot keep pace given the confines of current structures. We will be left with a snarl of vague and unrealistic regulations, unsatisfied community demands, incompatible point solutions, tools which can’t scale, and an entire generation of information victims. A radical change is needed!
The storm is brewing
A confluence of conditions is manifesting to create a perfect storm for radical change. Consider the following social and technical changes which will change people’s opinion:
· Data exposures are becoming public, showing the terrible depth of the problem
· The number of data victims, for identity theft and online crimes, is increasing, as are the losses
· Data, system, and privacy regulations are emerging across the world with complex variations, creating severe challenges for global compliance, interpretation, and compatibility
· Social media users are realizing the honeymoon is ending: their data is exposed and being used in ways they never intended
· Malware is reaching epic proportions. The trend is shifting to target capturing victims’ data
· Individual opportunists, organized criminals, and nation states are actively working to control systems, data, and networks
· Surveillance, profiling, and filtering controls are becoming mainstream to target or seek control of user data
· The sheer number of people and businesses on the internet is reaching a critical mass that determines how the world communicates, and is the engine driving an exponential growth in the amount of data being generated
This problem may be complex in the details, but it is simple in principle. Basically, we manage data poorly. If I create a document today and email it to a co-worker, I essentially surrender almost all control. In a week’s time, I will have virtually no idea who has seen it, how many copies exist, how long it will stay buried on storage devices, or what modifications have been made to it. I have no control to update the copies, control access, or revoke the files. Chances are good that after a year I will likely lose it myself or forget the content of the document. It is terribly inefficient and represents poor overall management of data.
This situation presents as both a technical and behavioral problem. The personal computer revolution has bestowed the tools to easily create and store data. The pervasiveness of the internet established the unprecedented ability to share and disseminate information. The natural limitations of the pencil and paper generation supported modest but adequate physical management solutions. The creation, distribution, and control were tangible and restricted to local resources. Our newfound ability to generate and distribute information has not been coupled with equitable management solutions. Caught in the euphoria of new freedoms, we ignored the capabilities to control and secure. The shortcomings of technology have been tolerated due to an apathetic and disjointed demand from society. We have failed as consumers to recognize the importance of our data and the deficiencies in the realization of how it should easily be managed.
It’s the 21st century; do you know where your data is?
Today, data is easily created, lost, transferred, edited, stolen, abused and destroyed with very few mechanisms to prevent, detect, or respond.
Consider the following:
· We don’t track who creates files and who owns them
· Rarely do we consider if files should be secured or how
· We don’t take steps to determine who should access, view, or edit files and where they can be stored
· Destroying data after it is no longer useful is a foreign concept, as is who should be responsible and when
· We don’t understand who, at any given time, has possession of our data and how to effectively recall it
· We have little insight into data content. We rely on short and sometimes cryptic filenames to give clues, but we don’t comprehend contents in a meaningful way
· Sharing data is mostly ad hoc for specific files or locations, with little thought of content or other security factors which should be considered
In summary, we are poor custodians of data. In fact, people keep better track of the clothes in their closet than the information assets they create every day. I would wager you know where your clothes are, which are clean and which are soiled, and you have designated places for both. You regularly maintain your wardrobe by cleaning, pressing, matching, folding and storing clothes in an organized manner. Items are added, minor repairs made, and eventually clothes are purged when they no longer fit, are outdated, or simply not needed. You plan and may budget when new clothes are required. Depending on your age and habits, you may even have your name on them for ownership identification. You organize your closet for easy searching and you know which articles have been loaned out and to whom. For important items you would likely detect if they went missing and probably have a good idea of likely suspects, as you know and control who has access. So why do we do such a good job at managing our clothes, yet such a miserable job at managing our data?
People have not yet put the mental pieces together, but they will. When they do, they will demand technology deliver a solution. Revolt will be at hand.
Current efforts
A number of current initiatives have been struggling to gain modest traction but will always lack the ability to deliver a complete solution. Digital Rights Management (DRM) is well known in the online music circles, focusing on file-based locks. Data Loss Prevention (DLP) is a collection of practices and tools which can scan, classify, and block inappropriate transmission of data.
Structures like Role Based Access Controls (RBAC), Mandatory Access Controls (MAC), Discretionary Access Controls (DAC), and Lattice Based Access Controls (LBAC) have attempted for years to establish controls within homogeneous and small environments, but rarely work as intended in large mixed environments like modern networks. A variety of secure data repositories have emerged, which do a stellar job protecting a few critical items akin to a vault, but are largely inaccessible, inconvenient, and not scalable.
A quick summary of current solutions highlights why they are not scalable, will fail to provide a complete solution, and will likely never be widely adopted. Each of these does have its place and function, but overall they will not deliver what is needed: a comprehensive capability to manage data security.
1. Vault solutions: Secure some files in a locked system or repository and provide access via custom interface applications. Not scalable for vast amounts of data, poor accessibility, high level of permissions management needed, inconvenient to use, and the trend to use proprietary software will keep the price tag high.
2. Scan and classify DLP systems: Can apply controls both on clients and networks but rely on rules which are complex and a nightmare to maintain. Ultimately this is why they eventually just get ignored. Sustaining accuracy is not practical in environments which change and grow rapidly.
3. Scan and alert/intervene DLP systems: Similar to scan and classify DLP systems, with the added benefit of intervention. Blocking suspect traffic and communications is a double-edged sword which requires high overhead to ensure it does not interfere with legitimate business. These suffer from the same drawbacks as their cousins.
4. Employee policies: Policies which rely on manual intervention are hit or miss. For simple, straightforward decisions they can be quite effective. For complex data decisions, changing environments, and potentially vague situations they fail miserably. People simply don’t act consistently when faced with complex decisions.
5. System policy (MAC, DAC, and LBAC) solutions: System-based solutions which can work well while data stays on the system but fail when collaboration across systems and users is required. They simply lack the applicability, scalability, and compatibility across a network with various uses and complex situations of collaboration and security.
6. Group/role access policies (RBAC): The natural evolution of the MAC, DAC, and LBAC concepts; can work great for small groups and data in an environment which does not change often. As the number of users and the data size grow, the administration increases and ultimately does not scale efficiently.
7. File lockdown systems (DRM): Locking down files with digital rights (DRM) can work in situations needing a simple access control, such as allowing a file to be opened or not. But it does not work well when a multitude of access options are needed and other controls are required. Compatibility also poses a problem when sharing such files across systems.
8. Secure critical files and data solutions: File encryption is the major player in this field. Target only the most critical data and files, and focus on protecting those. Not scalable with the increasing amount of data organizations are processing and the shift of data across a much broader user and system landscape. Works great for handfuls of people with a small number of files needing protection. Those days are gone.
9. System data protection solutions: As file encryption has too much overhead to scale, just encrypt the entire system and network. Works great for lost laptops but does little when the user has logged in and everything is now easily accessible. Network encryption only protects against sniffing. A good evolution but not nirvana. It is a one-trick pony for confidentiality.
10. Do little to nothing and hope for the best. Don’t laugh. You might be surprised by how many financial, health, educational, and governmental systems followed this model for most of the past decade.
The list goes on. This is not comprehensive, but it does give a taste of some stovepipe solutions which are struggling to evolve even slightly and will never leap forward on their own to meet what will be demanded.
Overview of solution
How do we succeed? We combine some of these technologies, integrate them into the base computing infrastructure, and ease the necessary user behaviors into the fabric of how people create, use, share, and destroy data. It must combine an object-oriented definition structure and network-based management controls.
Four core aspects for identification, security, and management of files
Data objects must carry specific characteristics to enable the computing environment to effectively and efficiently manage security. Although discrete parameters may differ based upon data type and parent organization, these aspects represent the necessary structures which work together to enable automation and to define security practices. Additionally, the characteristics themselves must be secured and compartmentalized.
1. Confidentiality Designation – Level of sensitivity and confidentiality for the data. This has implications on required controls for data at rest, in use, and in transit. It can also define requirements for where and by whom the data can be accessed and stored. Examples might be Top Secret, Secret, Business Confidential, Personal, and Public. Classifications have implications for the Access and Handling aspects.
2. Access Rights and Permissions – Who has the ability to access, edit, store, copy, transfer, etc. the data objects. DRM and RBAC technologies and DLP principles are a good start. The object must securely contain the concepts of ownership and those trusted to use the data in different ways, including to open, edit, destroy, move, copy, and transmit.
3. Content Synopsis, Tags, and Keywords – Identifying content supports indexing and understanding relationships between files. It facilitates scanning and auditing against policy as well as automation for determining access, classification, and secure handling requirements.
4. Secure Handling – Secure handling parameters determine retention, backup, destruction, storage, usage and transport requirements. These can be set by a default policy and updated based upon the other aspects. Data Lifecycle Management (DLM) provides a good foundation for some practices.
These four aspects cooperate and influence each other. If, for example, file content changes to include secret information, the classification may automatically bump to a Secret designation, the secure handling settings will force persistent encryption, and the access rights will change to allow access by a smaller community.
Cookbook of requirements:
This is the wakeup call for firmware, operating system, application and security solution providers. To change how people manage data, from creation to deletion, will require the major players to work together with standards and Application Programming Interfaces (APIs). We are not just altering one piece or bolting on additional security; we must change the fundamentals of the very infrastructure we use to manipulate data.
Some inroads have begun. DLP and DRM systems have established expertise in some preventative, detective and responsive functions. Social media is leading the way in many respects with tagging, sharing, collaboration and, most importantly, tracking and metrics. On the most modern sites, an author can post a video and track how often it is watched, by whom, and whether they are using it in other mash-ups. A great deal of data can be gathered and, if analyzed correctly, transformed into usable intelligence. Social media is the looking glass for what is to come.
These requirements are critical for success:
· Must apply system wide, embedded seamlessly in hardware, operating systems, and applications. It must include all data which is created, viewed, modified, transported, or deleted by users
· Must span across users, client systems, and into the backend infrastructure
· It must be holistic in nature and apply from creation to deletion (birth to death) for data and files
· Must possess default security for creation, storage, transit, and when in use
· Support, at a minimum, the basic functions of DLP, DRM, metadata, content tagging, RBAC, client agents, data tracking, and control repositories
· Maintain a centralized structure for metrics, audits, maintenance, discovery, and reporting
· Distributed and centralized hybrid system supporting comprehensive scanning, indexing and auditing
· Enable data tracking, verification, auditing, and ownership administration
· End-user involvement and empowerment, to directly access and manage control systems and distributed data
· System interoperability across separately controlled domains and networks
· Establish end-user ease of use, manageability, and scalability at all integration points:
  o Straightforward setup with additional modular extensibilities
  o Default settings based upon role for confidentiality and handling
  o User interface validation of parameters, and extra owner options, when saving, editing, moving or transmitting files
  o Default access rights based upon groups, tags/keywords, and storage location (for example, inherited rights based upon storage location or of like files)
  o Escalation and resolution options when actions are prohibited by the system
Vision of Success
We have the intellect to succeed. We can create a new paradigm which meets the needs of legal, privacy, security and, most importantly, the maturing expectations of everyday people.
Keys to strategic success:
· Make the capability embedded, easy to use, and secure by default. Minimize impact and overhead to the users
· Champion behavioral changes of users and administrators; show the value
· Drive client operating systems and applications to conform to and support standards
· Leverage security tools to extend services and controls
· Establish back-end infrastructure support via standards
· Foster competition to drive affordability, scalability, support and continuous improvement
Key capabilities for value and functionality
· Automated intelligent determination of initial core file aspects, with validation by users during file management requests (save, transmit, copy, etc.)
· Automated security controls applied and enforced based upon file aspects and derived control requirements
· Automated data cleanup, archival, and destruction based upon file aspects and settings
· Data owners can easily search and organize their files both locally and across the network
· Data owners can easily take control to manage access, confidentiality settings, change file handling parameters, and revoke files across the network
· Administration can conduct broad electronic discovery searches for files and data content, generate operational metrics, and gain an understanding of where sensitive data is located and how it is being used
· Automated security alerting and logging to assist with detection of unacceptable actions, resolution of events, and predictive information to facilitate the establishment of future preventative controls
Example Use cases
New document creation
Capturing the meta-attributes at the point of creation is a critical step. As a mock-up, this email was created and a default set of icons appeared in the toolbar, showing the status of the four aspects. These default settings align to the Confidentiality Designation, Access Permissions, Content Synopsis, and Secure Handling settings configurable by the organization or user. They establish base parameters but change dynamically as content is added.
As text is added, the system determines whether the content matches criteria which change the classification, associate the file with a current project, add to the content tags, and modify access permissions automatically. The icons change in appearance to show how the data will be treated. The user can intercede manually by clicking the icons, which opens the user interface showing more options and configurations.
Saving, moving, deleting or transmitting data
A modified window appears whenever users attempt to save, move, delete or transmit data. This confirms the settings and, if needed, solicits the additional data necessary to complete the transaction.
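The four-aspect object model and the cascade described under "Four core aspects", together with the creation and save/transmit use cases above, as an added Python sketch that is not part of the article or any product: a data object carries the four aspects, a constructed keyword rule table stands in for the automated content analysis, and a content change re-derives the designation (upward only), the handling settings and the access community, which the confirmation window then enforces. The rule table, user directory and handling policy are all constructed for the example.

```python
from dataclasses import dataclass, field

# Confidentiality designations named in the article, least to most sensitive
LEVELS = ["Public", "Personal", "Business Confidential", "Secret", "Top Secret"]


def rank(level):
    return LEVELS.index(level)


# Constructed stand-in for automated content analysis:
# (trigger phrases, minimum designation they imply, tags to add)
CONTENT_RULES = [
    ({"project phoenix"}, "Business Confidential", {"project-phoenix"}),
    ({"acquisition", "merger"}, "Secret", {"M&A", "board"}),
    ({"social security number", "date of birth"}, "Personal", {"PII"}),
]

# Constructed user directory: principal -> highest designation they may access
CLEARANCE = {"alice": "Top Secret", "bob": "Secret",
             "carol": "Business Confidential", "dave": "Public"}

# Constructed secure-handling defaults per designation (aspect 4)
HANDLING_POLICY = {
    "Public":                {"encrypt_at_rest": False, "encrypt_in_transit": False, "retention_days": 365,  "external_storage": True},
    "Personal":              {"encrypt_at_rest": True,  "encrypt_in_transit": True,  "retention_days": 730,  "external_storage": False},
    "Business Confidential": {"encrypt_at_rest": True,  "encrypt_in_transit": True,  "retention_days": 1095, "external_storage": False},
    "Secret":                {"encrypt_at_rest": True,  "encrypt_in_transit": True,  "retention_days": 2555, "external_storage": False},
    "Top Secret":            {"encrypt_at_rest": True,  "encrypt_in_transit": True,  "retention_days": 3650, "external_storage": False},
}


@dataclass
class DataObject:
    owner: str
    content: str = ""
    confidentiality: str = "Public"               # aspect 1
    access: dict = field(default_factory=dict)    # aspect 2: operation -> principals
    tags: set = field(default_factory=set)        # aspect 3
    handling: dict = field(default_factory=dict)  # aspect 4
    audit: list = field(default_factory=list)     # record of automatic decisions


def classify(text):
    """Derive the minimum designation and the content tags implied by the text."""
    level, tags = "Public", set()
    lowered = text.lower()
    for phrases, min_level, new_tags in CONTENT_RULES:
        if any(p in lowered for p in phrases):
            tags |= new_tags
            if rank(min_level) > rank(level):
                level = min_level
    return level, tags


def update_content(obj, text):
    """Re-evaluate all four aspects after an edit. The designation only moves
    up automatically; lowering it is left as an explicit owner decision."""
    obj.content = text
    level, tags = classify(text)
    obj.tags |= tags
    if rank(level) > rank(obj.confidentiality):
        obj.audit.append(f"designation {obj.confidentiality} -> {level}")
        obj.confidentiality = level
    # Handling follows the designation (persistent encryption at Secret and above)
    obj.handling = dict(HANDLING_POLICY[obj.confidentiality])
    # Shrink each operation's community to principals cleared for the designation
    for op, who in obj.access.items():
        cleared = {p for p in who
                   if rank(CLEARANCE.get(p, "Public")) >= rank(obj.confidentiality)}
        if cleared != who:
            obj.audit.append(f"{op}: removed {sorted(who - cleared)}")
        obj.access[op] = cleared
    return obj


def create(owner, content="", readers=(), editors=()):
    """New object with the organization's default access rights, then classified."""
    access = {"open": set(readers) | {owner},
              "edit": set(editors) | {owner},
              "transmit": {owner}}
    return update_content(DataObject(owner=owner, access=access), content)


def check_action(obj, principal, operation, destination="internal"):
    """Decision behind the save/move/transmit confirmation window: (allowed, reason)."""
    if principal not in obj.access.get(operation, set()):
        return False, f"{principal} has no {operation} right on this object"
    if (operation == "transmit" and destination == "external"
            and not obj.handling["external_storage"]):
        return False, f"{obj.confidentiality} data may not leave the organization"
    return True, "ok"
```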
End state vision
· From creation to destruction, data is automatically classified, secured, and under the control of the owner
· Additional capabilities extend to allow complex management, sharing, security, and tracking
· End users are empowered to easily organize and revoke their data, control access, and know where it resides
· Through leveraging technology, data files are treated like assets and security is efficiently managed across user domains
Conclusion:
Change is coming. The underlying community, regulatory, and behavioral factors are present and becoming more prevalent. The information technology and security industries must escape the façade and false hope of small improvements and truly revolutionize how data is secured and managed. This can only be accomplished with aligned industry partnership, a realization of necessity, commitment to user efficiency, common technical standards, and, most importantly, a shared strategy. It is possible. Now is the time to think, discuss, and plan.
Measures generate data and metrics organize data to generate information. The difference between ‘data’ and ‘information’, the former is something you know, the latter is something you use.
Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.
The key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.
Fortune Cookie advice for September, 2009:
Measures generate data and metrics organize data to generate information.
The difference between ‘data’ and ‘information’, the former is something you know,
the latter is something you use.
In security, it is easy to confuse the terms ‘measures’ and ‘metrics’. They are two distinct but related concepts. Measurement theory incorporates the nominal, ordinal, interval, ratio, and absolute scales. These scales are used to measure something, with the output being data. Metrics, however, are about analysis and intelligent decision making. Metrics translate data into meaningful information which will support decision making. Data is something you know. Information is something you use to make decisions.
Thinking creatively, a South African IT company decided to use a low technology solution to complete a data transfer when their ISP network could not handle the job. Typically, quick out-of-the-box IT solutions are rarely secure. Smart technologists are good at finding solutions to meet their objectives, but when time is short, security tends to be ignored. Does the combination of frustrated people, short timelines and the need to transfer a lot of data equate to insecurity? Not always.
Being different sometimes has its security advantages. In this case data was transferred in a manner which was hard to predict and intercept, highly reliable, impossible to sniff, faster than the traditionally available wired network, and which maintained high security for integrity and confidentiality.
Employees need the ability to communicate securely. Deploying the right capabilities can empower employees to keep the organization’s information more secure. Matthew Rosenquist discusses a strategy to establish secure communication channels.
There is no Royal Road to understanding and achieving information security
Fortune Cookie advice for July, 2009:
There is no Royal Road to understanding and achieving information security
Taking a line of thought from Euclid, there is no easy route to understand the ever changing complexities of information security.
We exist in an era where information security is both exciting and complex.
The rapid evolution of information technology, increasing number of targets, and the explosive development of creative tools attackers employ all contribute to a dynamic environment where a continual struggle between aggressors and defenders shifts the balance on a daily basis. Only through hard work can security professionals effectively pursue achieving an optimal level of security which manages the tradeoffs of cost against controlling impacts and effectiveness of attacks. Achieving information security is an exercise in hard work, diligence, consistency, and flexibility to adapt technology and behaviors in meeting the challenge.
Risk metrics are the heart and soul of information security indicators. An increasing proliferation of tools and assessments has emerged, attempting to quantify states of information security. Given the nature of what is trying to be measured, this is arguably one of the toughest challenges in the metrics space. The recent trend is for different bodies to develop and publish their own standards, which creates confusion regarding accuracy and applicability. Why all the turmoil, competing models, and misalignment? The sad story is (cue the somber violins) we just have not figured out how to measure information security risks very well.
I have seen and applied many different methods, audits, and evaluations with varying degrees of success and disappointment. I have come to the following three basic conclusions:
1. Current tools and methods lack maturity in this area, for both accuracy and comprehensiveness (and yes, I am guilty of contributing to the pool)
2. No silver bullet exists. A unified method, which provides a predictive overarching and detailed risk analysis, is unlikely. Different approaches have their applicability. Choose wisely
3. There is no replacement for a security professional’s brain. Everything from the selection of the analysis method, through the gathering of relevant data, to the interpretation of the results requires a seasoned security professional. There is no substitute which can handle the ambiguity, chaos, and relational dependencies affecting the outcome
An example will help express some of the challenges. The OCTAVE methodology, created by Carnegie Mellon University some years ago, has been a battle-tested veteran in this role. It is a qualitative-to-quantitative device which leverages the expertise of key people to give a numerical value of risk in their respective area. Because of personal bias and fears, the need to allow flexible ways of answering questions, and the varying degrees of base knowledge between the experts, results can vary greatly without even factoring in the changes occurring in the threat landscape.
Let me be clear, I am a fan and a longtime supporter. However, it has its limitations. I have developed several assessments based upon the model in a large environment. As long as the limitations are accepted, it is applied where it leverages its strengths, and the process is rolled out properly, the results can be very valuable.
But don’t confuse value with precision. I have observed the accuracy to be +/- 40% in complex organizations. I believe this is largely due to multiple tiers of qualitative-to-quantitative analysis and the bias introduced at each level. Credible sources have expressed a better +/- 20% accuracy for smaller implementations. Although these numbers sound terrible, they are very good compared to other methods. I have great respect for the chaps at Carnegie Mellon University who created the methodology. Groups within our company have used a modified form of this approach, with advanced structures tailored to our computing ecosystem, for years with great success. The low accuracy rate is not a poor reflection on the CMU model; rather it is a stark insight into how immature we are in this field.
So this is a sad story, but one which is not over. A cadre of very bright people is working to tackle this problem. In the short term, I expect to see many more methods, theories, templates, and standards emerge for specific situations. In the end, I doubt we will ever have a unified way to measure security risks, but I hold high hopes the best will be culled to a small number which can be applied to most situations and deliver reasonable metrics.
Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.
The key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.
Fortune Cookie advice for June, 2009:
Think strategic. Act competitive. Be secure.
Security is a sustaining commitment where long term planning provides a distinct advantage. Threats are derived from intelligent adversaries. Success requires maneuvering in a competitive manner to remain secure.
Fortune Cookie advice for May:
Fear and anxiety will lead to poor risk analysis conclusions.
Stay focused on the available facts, use a dose of reality to fill in the gaps, and trust reliable risk models to generate analytical conclusions.
Excerpt from the Traps of Measuring Security Blog: In our world of information security, we must take a step back from the limitations and biases we possess and stay true to proper forms of analysis in order to see the truth. It is far too easy for us to slip backwards and inaccurately measure risk of situations we don’t understand. Let’s continue to remind each other of this fact and challenge risk assessments, especially in situations where concern is more prevalent than fact.
So am I contributing to the problem of over-simplifying security? Or am I reaching out to those who might not take the inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide, and feel free to share your knowledge-nuggets.
We naturally take comfort in being able to quantify the vagueness of the challenges in our existence. This past week, I was again reminded that the cup of information security is partially filled with the complexities of human perception and the ambiguity of emotions, both of which weigh on our mental models of judgment. These can be misleading.
This is not a revelation. I thrive in the trenches of security measures and metrics, and learned this lesson many seasons past. But it is so easy to fall back into the comfort of measuring, calculating, estimating, and even predicting risks with first impressions, and foregoing proper data collection and dispassionate analysis.
It is in our very nature to apply our big cognitive brains in an attempt to make sense of something which causes concern when we encounter situations we fail to grasp. We default to familiar structures of logic and experience to give some insight, even if it is invalid. If we cannot grasp a cloud, it makes us feel better to at least measure it.
I recently travelled to the beautiful city of Shanghai. In a sprawling city of 19 million, getting about requires the use of a local taxi. Drivers are aggressive by American standards. They creatively use all lanes, including those of oncoming traffic, to weave in and out between pedestrians, other vehicles, and bicycles, all at high speed. Roadway guides such as speed signs, stoplights, and lane markers are just cosmetic. The concept of ‘right of way’ is defined by the vehicle which gets there first. Tens of thousands of taxi drivers vie for pole position at every light and traffic snarl. I counted no fewer than half a dozen head-on near misses the first day.
Not surprisingly I was a bit concerned for my safety. But what was the actual risk? It seemed high, with all the jockeying, speed challenges, and lurching in front of other cars at a moment’s notice. In formal terms, the security risk calculation was off the map. Keeping it simple, risk can be defined as equaling the (threat) x (consequence) x (vulnerability). Threats were abundant and vectoring from every angle. Vulnerabilities were painfully obvious as the situation was an example of near uncontrolled chaos heavily dependent upon human judgment and intervention. Lastly, the consequences registered as likely life threatening. Vehicle safety measures are not equal to US standards, with no airbags and rarely a functioning seatbelt. My brain began to do the rough math and formed a mental model where the conclusion was somewhere near the “I’m screwed” end of the spectrum.
Over time, I started to take a different perspective. By the end of the week, and too many close calls to count, I observed that the city’s taxis did not show damage consistent with rampant numbers of collisions. Although chaotic and unpredictable, they found a balance in avoiding impacts. My drivers never appeared nervous. Many were happy to take calls on their cell phones while racing into oncoming traffic and weaving back into our directional flow at the last second. Yet they were not worried. The pedestrians who seemed intent on walking into the direct paths of vehicles always looked up at the last possible moment and jumped out of the way of an untimely demise.
The dangers were still there. Nothing changed but my perception. The threats were high and the controls were low, but it was the incident rate that was the telling measure. The lack of vehicle accidents in such a tremendous population meant they operated in an efficient manner which my brain could not comprehend as safe. But it was. My initial evaluation misled me to a wrong conclusion: an inaccurate determination of risk. I felt safer than before. To this day, I cannot comprehend how they do it.
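The same lesson in code, as an added example that is not part of the original post: the (threat) x (vulnerability) x (consequence) gut estimate from above, beside an estimate whose likelihood side is taken from an observed incident rate, with a check that flags the assessment for review when the two disagree by a large factor. The 1..5 scales, the smoothing, the review factor, and the ride and incident counts are all constructed assumptions for the demonstration.

```python
"""Added example: the post's (threat) x (vulnerability) x (consequence) estimate
next to an estimate whose likelihood side is taken from an observed incident rate.
Scores, the 1..5 scales and the ride counts are constructed for the illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assessment:
    threat: int         # 1 (rare) .. 5 (abundant, vectoring from every angle)
    vulnerability: int  # 1 (well controlled) .. 5 (near uncontrolled chaos)
    consequence: int    # 1 (nuisance) .. 5 (life or business threatening)

    def __post_init__(self):
        for v in (self.threat, self.vulnerability, self.consequence):
            if not 1 <= v <= 5:
                raise ValueError("ordinal scores must be 1..5")


def perceived_likelihood(a: Assessment) -> float:
    """Gut model: the two likelihood-side ordinals, read as fractions of their maximum."""
    return (a.threat / 5) * (a.vulnerability / 5)


def perceived_risk(a: Assessment) -> float:
    return perceived_likelihood(a) * a.consequence


def observed_likelihood(incidents: int, exposures: int) -> float:
    """Laplace-smoothed incident rate: a short, clean observation window is
    evidence of low likelihood, never proof of zero."""
    if incidents < 0 or exposures < incidents:
        raise ValueError("need 0 <= incidents <= exposures")
    return (incidents + 1) / (exposures + 2)


def observed_risk(a: Assessment, incidents: int, exposures: int) -> float:
    return observed_likelihood(incidents, exposures) * a.consequence


def divergence(a: Assessment, incidents: int, exposures: int) -> float:
    """Perceived / observed. Far above 1: fear is inflating the estimate.
    Far below 1: complacency is deflating it."""
    return perceived_risk(a) / observed_risk(a, incidents, exposures)


def challenge_needed(a: Assessment, incidents: int, exposures: int,
                     factor: float = 3.0) -> bool:
    """Flag an assessment for review when gut and data disagree by more than `factor`."""
    d = divergence(a, incidents, exposures)
    return d > factor or d < 1 / factor


if __name__ == "__main__":
    # The taxi ride scored the way it felt on day one; 0 collisions in 40 rides (constructed count).
    taxi = Assessment(threat=5, vulnerability=5, consequence=5)
    print(f"taxi: perceived {perceived_risk(taxi):.2f}  observed {observed_risk(taxi, 0, 40):.2f}  "
          f"divergence x{divergence(taxi, 0, 40):.1f}  challenge={challenge_needed(taxi, 0, 40)}")
    # Constructed counter-case: a system scored as low risk that keeps producing incidents.
    quiet = Assessment(threat=2, vulnerability=2, consequence=3)
    print(f"quiet: perceived {perceived_risk(quiet):.2f}  observed {observed_risk(quiet, 10, 20):.2f}  "
          f"divergence x{divergence(quiet, 10, 20):.2f}  challenge={challenge_needed(quiet, 10, 20)}")
```

The consequence term is deliberately left alone: the taxi would still have killed me. What the data corrects is the likelihood side, and the check fires in both directions, so it also catches the quiet system everyone scored as safe while the tickets kept coming.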
In our world of information security, we must take a step back from the limitations and biases we possess and stay true to proper forms of analysis in order to see the truth. It is far too easy for us to slip backwards and inaccurately measure risk of situations we don’t understand. Let’s continue to remind each other of this fact and challenge risk assessments, especially in situations where concern is more prevalent than fact.
Fortune Cookie advice for April:
Capability, intent, and focus are the defining aspects to quickly prioritize threats.
The world of information security threats is vast. We can easily be overwhelmed with different components, processes, impacts, and concerns. Quickly identifying the benign from the urgent is a competitive advantage. In order to organize and prioritize, we must have a consistent method to judge criteria.
I submit that the three most compelling aspects relate to the attacker who is committing the violation. Their capability to do harm defines the likelihood of a successful attack. The intent of the attacker has significant implications for the likelihood of detecting activity and for the persistence of continuing attempts. Lastly, the focus of the attack, whether it is targeting you specifically or just looking for opportunistic victims, completes the overlapping picture and tells you how precise the activity will be.
Given these three aspects, a quick evaluation can be made to determine the severity of the threat and attacks. Of course this is just the first step necessary for triage, while a full evaluation should be conducted for the areas which rise to the top of the severity list.
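A first-pass triage built on exactly those three aspects, as an added example and not the post’s own scoring scheme: capability and persistence (intent) on 1..5 scales, focus as a targeted/opportunistic flag that doubles the score, and a threshold that decides which threats get the full evaluation. The sample threat list, the scales, the targeted weight and the threshold are constructed assumptions.

```python
"""Added example: first-pass threat triage on the three aspects the post names.
The threat list, the scoring scales and the weights are constructed for the demo."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    capability: int   # 1..5: ability to do harm -> likelihood a given attack succeeds
    persistence: int  # 1..5: intent, read as how hard and how long they will keep trying
    targeted: bool    # focus: aimed at you specifically, or opportunistic

    def __post_init__(self):
        if not (1 <= self.capability <= 5 and 1 <= self.persistence <= 5):
            raise ValueError("capability and persistence must be 1..5")


# Assumption: a targeted actor works around the first control that stops them,
# so the same capability and persistence count double when the focus is on you.
TARGETED_WEIGHT = 2


def severity(t: Threat) -> int:
    """Capability x persistence, doubled for targeted focus. Range 1..50."""
    return t.capability * t.persistence * (TARGETED_WEIGHT if t.targeted else 1)


def triage(threats: List[Threat], full_eval_threshold: int = 15) -> List[Tuple[str, int, str]]:
    """(name, severity, disposition) in priority order. Ties break on name so
    the order is stable for reporting."""
    ranked = sorted(threats, key=lambda t: (-severity(t), t.name))
    return [(t.name, severity(t),
             "full evaluation" if severity(t) >= full_eval_threshold else "monitor")
            for t in ranked]


def triage_order(threats: List[Threat]) -> List[str]:
    return [name for name, _, _ in triage(threats)]


# Constructed sample: five actors as a security team might sketch them in a first pass.
SAMPLE = [
    Threat("opportunistic mass scanner", capability=2, persistence=1, targeted=False),
    Threat("commodity ransomware affiliate", capability=3, persistence=3, targeted=False),
    Threat("targeted espionage crew", capability=5, persistence=5, targeted=True),
    Threat("insider with privileged access", capability=4, persistence=2, targeted=True),
    Threat("casual defacement attempt", capability=1, persistence=2, targeted=False),
]

if __name__ == "__main__":
    for name, score, disposition in triage(SAMPLE):
        print(f"{score:>3}  {disposition:<16} {name}")
```

The output is a ranked list, not a risk number: the point of the first pass is to decide where the full evaluation goes, and the threshold is the knob you tune as the evaluation queue fills or empties.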
Fortune Cookie advice for March:
The most successful civilizations rose to power, not by ignoring security, rather they ensured greatness through strategy and achievement.
For this month’s advice, you are a victim of eye-candy. I created this slide for a recent presentation to capture the audience’s attention and get some brain juices flowing.
The general message does hold true. Security strategy is the long-term endeavor to protect an organization’s future. If the war is fought thinking exclusively about one battle at a time, you will lose the initiative and ultimately spend most of your resources responding to your opponent’s attacks. If, however, we keep the end goals in mind and manage toward a state of optimal security, we can progress toward an advantageous and sustainable level of security.
We don’t have to win every fight, lock every door, and close every exposure. Instead, we are in a position to selectively choose our victories to maximize our capabilities. Our victory is finding the right balance of risk and costs. Thinking strategically, in concert with tactical actions, will drive clarity for the desired end-state of security.
In practical terms:
Have a plan and communicate it
Understand the business need for security
Prioritize security initiatives based upon their value
Develop an overall defense-in-depth capability, with interlocking services
Characterize the most severe threats and identify the most likely and impactful exposures
Know what you are protecting
Be cognizant of when you need more, have enough, or too much security
My moment of enlightenment is over. It is time to get back to the grind of the security firefights. But my strategy is never far from my mind. It defines the boundaries and guides my tactical decisions.