First Things First: Using Risk to Drive Security Planning
March 7th, 2008
by Steve Brukbacher, CISSP
I attended a conference the other day addressing information security for information security staff and database admins, network guys and a variety of other IT related fields. The question that everyone seemed to have was how do we even start to get our arms around “security”? We know our IT guys “do stuff” and they seem to know what they are doing. There seem to be a million different things that have to be done to “be secure”. If we were “secure”, how would we know it? Is this a state of being somewhat akin to Nirvana? Is it some kind of magical place where everything works and nothing bad ever happens? What about all these products that we see advertised, especially at conferences? Hardware firewalls, IPS, IDS, internet security suites, identity management products…. Should we have a Noah’s ark of security “stuff”? Buy two of each and then we can tell the boss that we are DEFINITELY secure (yes, people try this). Or maybe there’s one thing we can do that would be the magic bullet the vendor claims it is, the one that would take us to this security nirvana…. Or better yet, maybe we should just assume that the computer guys know what they are doing and go for coffee. In general, security seems like a way-too-big sandwich, and no one can agree how to cut it up so it’s edible.
The wrinkle in all this is that whenever people like DBAs go to security conferences, there’s always that one presenter who gets their attention. This is the guy who describes how easy it is for the average 12-year-old to use Metasploit or how fun SQL injection is. Maybe they even do a live demo on an IIS box they have back at the shop. This scares the hell out of everyone, and they go to the next session wondering what do we do first, second, third and so on?
I happened to be in that session, so naturally I chimed in and started talking about risk. This is not always a familiar topic to other IT staff or to those who manage them. The unavoidable truth is that without a decent risk assessment, we are left to flounder in the darkness with the only light being our own paranoia, vendor promises or false assumptions about what our most dangerous risks are. A proper risk assessment gives us the tangible, ordered list of things that need to be addressed to truly improve our security posture: what have we got, where is it, what could happen to it, how much should we care and what are we going to do about each risk (if anything). This carves up the sandwich into reasonable bites AND tells you which parts should be eaten first.
This sounds deceptively simple. It takes discipline to stop shopping for solutions before you’ve identified what the problems are that really need to be solved, but without this you will waste money and likely miss your most dangerous threats.
So is there security nirvana? Of course not. What security practitioners need to teach is that risk is a sliding scale, not an on/off switch. We help management become aware of their risk levels and they choose how much risk they are willing to tolerate. There is no “ideal plane” of security: just better and worse and lots of space in the middle.
If you can teach risk based thinking to people outside of the security or audit departments, you’ll be way ahead. This is a skill which I think anyone in a position of responsibility should be armed with.
Security process vs. security instruments
November 29th, 2007
This is a great example of how security process can be confused with security instruments. It is also an example of security theater – security for security’s sake. Even if it had been in place at the time of the incidents, encryption would not have prevented them. This was obviously a human error. Firewalls, antivirus, IDS, IPS, encryption, and whatnot are just security instruments or tools. True, they are equally important and necessary, but they do not work without security processes in place.
“A June 23, 2006, memo … authored by the Office of E-Government and Information Technology, directed agencies to encrypt all agency data kept on mobile devices within 45 days. ”
Millions, if not billions, spent on encryption technologies will not mitigate such security risks. But such expenses are much sexier and much easier to justify than, for example, user education, policy implementation, etc. This is what makes people feel better and (falsely) more secure.
On the other side of the law, the bad guys do not care about sexy technologies. They will keep looking for and keep attacking the weakest links. When was the last time you heard about a security breach where the bad guys broke encryption itself?