Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Trust never sleeps.

Sometimes I get pushback from my users when I’m doing a risk assessment and want to examine the risk associated with a particular partner.  They frown and say, “They’re secure,” as if it were offensive that I should even ask.  Of course, an executive that says this has never performed an audit of this party’s networks, or asked to see the results of a pentest, or indeed made any effort to collect information to bolster this assessment.  He’s running purely on trust.

Lots of folks have explored the reasons why we choose to trust something in general; it’s part of our subconscious risk assessment engine.  So I won’t go too deeply into it, except as it affects me and my own responsibilities.

We tend to trust something that we have known for a long time.  An employee that has worked for us for 20 years; a vendor that has worked for us before; a barista we see every morning.  Because of our history of experiences with them in which nothing bad has happened, we rely on that prior knowledge to estimate a lower risk.

We also trust something that is well-known.  Big Three-Letter Vendor tends to get higher automatic trust than Bob’s PCI Shoppe.

We trust something that we see everyone else trusting.  Fortune 100 companies can’t be wrong, right?

We trust something with which we feel an affiliation.  If those folks over there are Just Like Us, they must be okay.

And finally, we trust something when we feel the anticipated benefits will outweigh the risk (that we haven’t examined all too closely, and won’t, because if we found something bad it would conflict with our need to get these great benefits).

All of these factors come into play when you’re trying to make a case for auditing a third party, or monitoring a user, or restricting access.  And it’s very hard to come out and confront this, because if you have a CEO who has friends over at this vendor shop, he’s not going to be too introspective about it.  People will look at you strangely when you ask for security testing of a product that people have been happily using for five years.  Especially if you’re the only one who has ever thought about security, you’re going to be battling a lot of human nature in the name of objectivity and verification.

Quoting Ronald Reagan helps sometimes.  That’s about all I can give you.

Posted by shrdlu on Monday, April 06, 2009

Comments

Brian Honan Ireland on 04/06  at  10:50 AM:

When I get this type of push back I often remind those grumbling to me that no matter in what area of your life, be that your significant other, your accountant, your work colleagues or your business vendor/partner, it is the ones you trust the most that can hurt you the most.

shrdlu United States on 04/06  at  10:55 AM:

And then you punch them in the nose? wink

Chris Hayes United States on 04/06  at  12:56 PM:

Business partner “trust” scenarios have always been some of the most challenging. Whether it is partners that are as regulatory driven as we are or “mom-and-pop” shops that could care less about security / privacy – there is a relationship between them and our company that has to be understood. In cases where there is push back from the relationship manager on our side, I try to get them to understand that we (including them) have to be able to stand in front of our “customers” and tell them how we are protecting their private and confidential information. It is amazing how many individuals immediately lower their objections to third party due diligence when they realize they are partially responsible to six million customers for ensuring the security and privacy of their information.

LonerVamp United States on 04/06  at  04:10 PM:

I think that transitive trust is very prevalent. “Well, they’re a Fortune 100, they must be secure!” Hell, I think often it is, “They’re a legal taxed entity/company, so they’re secure!”

I also think there is the scenario where trust is just a lie told to avoid exposing ignorance or doing any work or possibly annoying the third-party. I guess that might be called “avoidance” in general, with subtopics under that. Ick.

Brian Honan Ireland on 04/06  at  04:26 PM:

@ shrdlu

Nah, I don’t need to punch them.  Normally, by the time I finish with them they do not trust themselves. <g>
